Social media is playing an increasingly important role in global business marketing strategies – and for good reason. Social media has helped build international brand awareness, provide a new level of customer support and launch new products and ideas quicker than ever before.
However, as quickly as social media can build a global brand, it can tear one down at the hands of malicious insiders or hackers. And there's money in it too. A recent report from Rand Research suggested stolen Twitter accounts are now worth more than stolen credit cards. As cybercriminals become more sophisticated, they are also becoming more adept at stealing social media credentials and taking over accounts, which can result in lasting, compromised brand reputations and significant financial losses.
It's time for organizations to take a closer look at how they manage their social media accounts and eliminate the “it won't happen to my business” mindset. It's imperative that we take measures now to prevent hackers – as well as disgruntled employees or associates – from hijacking accounts.
Social media hacks are on the rise
In April 2013, hackers (supposedly from the Syrian Electronic Army) accessed both the Associated Press' (AP) and FIFA World Cup's Twitter accounts. A single tweet from the AP handle resulted in a $136.5 billion drop in the S&P 500 index's value in minutes. The AP was able to trace the attack to one of its employees that may have inadvertently given away company passwords in a phishing scheme by hackers. For FIFA, they suffered diminished organization reputation over a Tweet that suggested the decision to award Qatar the 2022 World Cup had been a result of monetary exchanges.
The above hacks were caused by external groups, but there can be equally damaging incidents caused by people inside an organization that at one point were given authorized access to a company's social media accounts. This happened to HMV, a UK-based entertainment retailer, after the company let go of a number of employees. One disgruntled former employee, who took advantage of her access to the company's Twitter account, called attention to what she labeled as the company's “mass execution of loyal employees who love the brand.”
The overlooked threat: Shared privileged accounts
Enterprises have hundreds of social media accounts on Twitter, Facebook, YouTube, LinkedIn, and other outlets with unique accounts for different product lines, languages, countries and stakeholders.
These accounts are typically set up as shared privileged accounts, meaning teams of people throughout an organization can freely post information to these accounts. The passwords for these are often shared among the teams, making them easy targets for hackers and malicious insiders. In addition, there is no record or accountability for each individual's posts, leading to further challenges in securing and managing social media accounts.
To make matters worse, the same password is frequently used across multiple accounts, and the passwords are rarely changed.
Lax security opens the door for rogue current or past employees (as seen in the HMV example) or disgruntled social media agency members. As hackers become more sophisticated and more organized they can essentially compromise any system that is lacking proper security. For instance, the use of Twitter and Facebook accounts can introduce additional risks, as these platforms may provide hackers with access to valuable data such as passwords, APIs or other sensitive information.
Mitigate the risk of social media breaches
Social Media Management Systems are often adopted by organizations to manage social media accounts; however these solutions are built as management tools, forgoing the necessary security measures on privileged user access. In order to properly secure and protect social media accounts, they should be viewed as privileged accounts and best practices for privileged account security must be employed to mitigate the risk of compromise, including:
- Enable transparent access: Allow authorized users to seamlessly authenticate to the account without knowing their passwords, making it difficult for hackers to discover and steal credentials.
- Eliminate shared credentials: Storing passwords in a digital vault requires users to login individually for access, eliminating the accountability challenges of shared credentials.
- Automate and enforce password changes: Ensure that each password is changed on a regular basis. Regularly updating passwords reduces the chance of an outsider stealing and using a valid credential.
- Trace account activity: Create a record of activity on social media accounts to trace all posts directly back to an individual authorized user, helping to identify rogue employees that may be posting damaging content.
- Record social media administrator sessions: Record social media account administrator sessions to provide an audit trail of exactly who did what within an account.