Take these steps to secure your company social accounts


A few weeks ago, Greg laid out the case for having a data breach section in your crisis communications plan so you’re prepared if your company’s computers are hacked. But, there’s another area of information security that marketing and communications departments have more direct control over: passwords for social media profiles and web services.

Compared to customer or financial information, a Twitter account might seem wholly insignificant, but ask the folks at Chipotle how their day was last Sunday when they awoke to a Twitter profile plastered with profanities. The irony that Chipotle lost control of their Twitter account after faking a hack as a stunt a couple years ago was not lost on the press, either.

But it’s not just Chipotle that’s been targeted by vandals and others with nefarious intent, even the U.S. military has seen their social accounts compromised.

What’s even worse is that a Twitter or Facebook account often doubles as a login for other sites through “sign in with” buttons: commenting system Disqus, Q&A site Quora, even major media websites. Whoever controls the social account can therefore walk into every site that trusts it, so one compromised profile can cascade into several.

Chipotle hasn’t said exactly how they lost control of their account, but chances are they either had a weak password or fell victim to a phishing attack. Here are some steps you can take to make sure you’re a good steward of the accounts you control on behalf of your company or brand. Use these tips, or share them with your staff, to conduct a review of your account credentials. In addition to these tips, make sure your social accounts, and your handling of passwords, comply with your company’s IT security policies.

Use a good password

What’s a good password? Well, for starters, nothing on this list of the 25 most common passwords, which includes such gems as “password” and, in an apparent nod to Mel Brooks, “123456.”

A good password is also long (length does more for you than clever symbol substitutions) and unique to that account. Don’t share passwords between accounts: when one service is breached, the leaked username and password combinations are tried against every other popular service within hours, so a password reused from a forgotten forum account can hand over your brand’s Twitter profile.

Use effective password management

It doesn’t do any good to have a strong password if you can’t remember or find it when it comes time to log in. Modern browsers include features that will save login credentials, which could be a good start, but there are also dedicated applications and services for storing login credentials. And as a bonus, these apps can also generate strong random passwords, which takes care of the requirement above.

And, if you need to have login information shared among team members, some of these apps even allow for shared sets of credentials. Most also have mobile applications, so you can have all your passwords with you on the go. My favorite password app (or set of apps) is 1Password, but you can use literally whatever you want—just use something.

Another advantage to having effective password management in place is that it makes it easier to change your passwords if a service is compromised and account credentials are leaked.
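To make the two password rules above concrete (random generation and no reuse), here is an added example, not code from the original post or from any password manager, of what a manager does for you: draw a password from the OS random source, estimate how strong it is, and flag candidates that are short, appear on a common-password list, or are already in use on another of the team’s accounts. The alphabet, the minimum length of 12 and the short COMMON_PASSWORDS excerpt are assumptions made for the example.

```python
import math
import secrets
import string
from typing import Dict, List, Set

# Character set a password manager typically draws from: letters, digits and
# a handful of symbols that paste cleanly into most login forms (assumed).
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"

# Constructed excerpt of a "most common passwords" list; real lists run to
# millions of entries. Anything found here is rejected outright.
COMMON_PASSWORDS: Set[str] = {
    "password", "123456", "12345678", "qwerty", "abc123", "letmein",
    "monkey", "dragon", "football", "iloveyou", "admin", "welcome",
}

MIN_LENGTH = 12  # assumed policy minimum


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Generate a uniformly random password from the OS CSPRNG.

    `secrets` is used deliberately; the `random` module is predictable and
    must never be used for credentials.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"refusing to generate a password shorter than {MIN_LENGTH}")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy of a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def check_password(password: str, used_elsewhere: Dict[str, str],
                   common: Set[str] = COMMON_PASSWORDS) -> List[str]:
    """Return the problems with a candidate password (empty list means OK).

    `used_elsewhere` maps account name -> password currently in use there,
    so reuse across the team's accounts can be caught before it happens.
    """
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short (use at least {MIN_LENGTH} characters)")
    if password.lower() in common:
        problems.append("appears on a common-password list")
    reused = sorted(acct for acct, pw in used_elsewhere.items() if pw == password)
    if reused:
        problems.append("reused from: " + ", ".join(reused))
    return problems


if __name__ == "__main__":
    # Constructed team vault: the Facebook password is being reused for Twitter.
    vault = {"facebook": "Summer2015!!", "instagram": "Br@ndTeam2015"}
    print("123456        ->", check_password("123456", vault))
    print("Summer2015!!  ->", check_password("Summer2015!!", vault))
    fresh = generate_password()
    print(f"{fresh} -> {check_password(fresh, vault)} "
          f"({entropy_bits(len(fresh), len(ALPHABET)):.0f} bits)")
```

A 20-character password from this 75-symbol alphabet carries roughly 125 bits of entropy, far beyond anything that can be guessed online or cracked offline, which is exactly why you want the manager to generate it rather than a person.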

Restrict third-party apps/services

The more third-party services you give access to your accounts, the greater your exposure to risk. When you authorize a scheduling or analytics tool, it receives a token that lets it post and read as your account without your password, so a breach at the service, as with the Buffer hack a couple years ago, can turn into spam or worse published under your name. It also puts you at greater risk of phishing. If team members have free rein to sign up for new services and there are no clear rules on which services are official, you run the risk of a team member inadvertently handing a malicious party your account credentials.

Decide what third-party apps are approved for your team and periodically review your account to revoke access to services you’re no longer using.

Be on the lookout for phishing

Third-party services put you at risk for phishing, as mentioned above, but even if you don’t use any, it’s important that anyone with access to your accounts knows what to look for to avoid being phished. There are lots of guides to avoiding phishing, but the best tool you can bring to your defense is a heaping dose of skepticism for any and every email link and login page you come across. If you get an email purporting to be from Twitter, Facebook or some other service, and you’re unsure about its veracity, visit the service directly (i.e. type “facebook.com” in your browser, don’t click on the emailed link) and look for the notification there. The text of a link proves nothing; what matters is the domain your browser actually lands on, so before typing a password check the address bar for the real domain and the padlock. Bottom line: if you’re not sure, do not click.
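The point that the link text is not the link is easy to automate when you are vetting a suspicious email. Below is an added example (not code from the original post) that resolves where a link really goes and flags the tricks phishers rely on: an official name used as a prefix of an unrelated host, a “username@” decoy in front of the real host, raw IP addresses, and link text that names the real service while the target does not. The OFFICIAL_DOMAINS allowlist and the sample links are constructed for the example.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlparse

# Domains the team genuinely logs in to (assumed; extend for your own brand's tools).
OFFICIAL_DOMAINS = {"twitter.com", "facebook.com", "linkedin.com"}


def hostname_of(url: str) -> Optional[str]:
    """Return the host a browser would really connect to, or None if not http(s).

    urlparse drops the userinfo part, so "https://facebook.com@evil.example/"
    yields "evil.example": the "facebook.com" in front of the @ is a decoy.
    """
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https"):
        return None
    return (parsed.hostname or "").lower().rstrip(".")


def belongs_to(host: str, domain: str) -> bool:
    """True only for the domain itself or a real subdomain of it.

    "notfacebook.com" must not match, hence the explicit dot.
    """
    return host == domain or host.endswith("." + domain)


def is_official(host: str) -> bool:
    return any(belongs_to(host, d) for d in OFFICIAL_DOMAINS)


def classify_link(href: str, shown_text: str = "") -> str:
    """Classify a link as ok / suspicious / unknown, with the reason."""
    host = hostname_of(href)
    if host is None:
        return "suspicious: not an http(s) link"
    try:
        ipaddress.ip_address(host)
        return "suspicious: raw IP address instead of a domain name"
    except ValueError:
        pass
    if is_official(host):
        return "ok: " + host
    # The brand name inside an unrelated host, e.g. facebook.com.login-verify.example
    brands = {d.split(".")[0] for d in OFFICIAL_DOMAINS}
    if any(b in host for b in brands):
        return f"suspicious: lookalike host {host}"
    # Link text claims an official site but the target is somewhere else.
    if shown_text:
        shown = shown_text.strip().lower()
        shown_host = hostname_of(shown) if "://" in shown else shown
        if shown_host and is_official(shown_host):
            return f"suspicious: text says {shown_host} but link goes to {host}"
    return "unknown: " + host


if __name__ == "__main__":
    # Constructed links of the kind found in phishing mail.
    samples = [
        ("https://www.facebook.com/settings", "Review your settings"),
        ("http://facebook.com.secure-login.example/verify", "facebook.com"),
        ("https://twitter.com@evil.example/login", "twitter.com"),
        ("http://203.0.113.5/twitter/login", "Twitter"),
        ("javascript:alert(1)", "Click here"),
    ]
    for href, text in samples:
        print(f"{text!r:28} -> {classify_link(href, text)}")
```

The check is deliberately conservative: a host it has never heard of is “unknown”, not “ok”, which matches the rule in the text that you should type the address yourself rather than trust a link.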

Consider using two-factor authentication

Many services offer two-factor authentication, which requires you to log in with a password and an additional “factor”: either a one-time code sent to your phone by text message, or a time-based code that an app such as Google Authenticator computes on the device itself from a secret shared when you enroll and the current time (nothing is sent for that kind). With two-factor authentication, merely having a user’s login name and password isn’t enough. A malicious party would also need to intercept your text messages, take over your phone number, or have physical access to your phone. The app-based codes are the stronger choice where the service offers them, since they never travel over the phone network.

If you observe these basic principles, you’ll be in a much better position to keep your social accounts secure. If your head is spinning a bit right now, don’t worry, I’ve summarized these recommendations in a simple one-page guide you can download and keep handy when creating accounts.


Tony Scida

A Hodges veteran who has been with the firm for more than a decade, Tony lends his creative talents to a range of clients. With a degree in arts management and as an accomplished musician, Tony has an ear for helping tell client stories.

