From social engineering to sophisticated profile hijacking, social media accounts face many potential attack vectors. This year alone, hacker groups have compromised the social media accounts of tech giants, national athletic leagues and streaming platforms.

Social media security risks for businesses and organizations can’t be taken lightly. A brand’s online presence is deeply connected to its reputation—a breach can damage customers’ confidence and put company information at risk.

Cybersecurity threats are constantly evolving, forcing companies to evaluate and adjust. In this post, we’ll cover the latest in social media security best practices to help you develop a security-first approach for your organization’s accounts.

The foundation of strong social media security

As with most things, it’s hard to get anywhere without a plan. Start improving security by creating standards and procedures to reduce social media security risks and deal with any issues as they arise. Your plan should include:

  • A consistent practice for setting up and maintaining your brand’s social accounts as well as any third-party tools you use (like a social media management tool or even plugins)
  • When and how you will grant and remove account access to team members
  • A cadence for conducting regular audits of who has access, especially as roles change and team members come and go
  • Regular reviews of these security standards by the team

To accomplish all of that, it’s best to clearly identify and document who is the lead person responsible for social media security. Whether this person is a social media manager or other lead, a dedicated team member can make a point of staying abreast of the latest security features offered by the tools and networks you’re using. They can also ensure that those running your brand’s accounts are leveraging those features and following the best practices.

This person will likely find great allies from other security stakeholders at your company, such as the IT and/or security team. Take time to consider and acknowledge each team’s role in keeping social media accounts secure, identify individuals who will be part of a security response team if needed and empower the lead to inform and leverage relevant teams proactively and reactively.

General social media security best practices

Much of the effort in keeping social media accounts secure resembles advice we hear about keeping our personal information safe. This means team members should:

  1. Stay vigilant. Obviously, team members will be careful with company information online. However, personal account attacks can also ripple out to a brand, especially when team member accounts have access to company profiles. This makes it important to remain vigilant, watching for phishing and other social engineering attacks in the form of emails, messages, friend requests and more.
  2. Follow your organization’s password standards. Strong passwords are the first line of defense against security breaches. Every organization should have a policy outlining what constitutes a strong password. The National Institute of Standards and Technology (NIST), for example, requires federal agencies to use passwords that are at least 8 characters long but goes on to show that password length is most important. We would go a step further and recommend a passphrase that is at least 12-18 characters.
  3. Enable 2FA/MFA. Two-factor authentication (2FA) or multi-factor authentication (MFA) requires more than just a password to grant access to an account. The second factor could be an approved device such as a mobile phone, or something more personal, like a fingerprint. This prevents attackers from accessing accounts with just a password. If someone tries to sign in from an unrecognized device, for example, they might be required to enter a one-time code from an approved mobile device and authenticator application. Lack of 2FA is what led to the 2015 hacking of the US military’s Central Command Twitter account. Facebook, Twitter, Instagram, LinkedIn, YouTube, Pinterest and Google My Business all offer 2FA/MFA options, listed below. Leverage them to reduce social media security risks. We recommend using a third-party authenticator application such as Authy over SMS code via text message.
    • Facebook: Third-party authentication application, SMS code (text message)
    • Instagram: Third-party authentication application, SMS code (text message)
    • Twitter: Third-party authentication application, SMS code (text message)
    • LinkedIn: SMS code (text message)
    • Pinterest: SMS code (text message)
    • Google My Business and YouTube: Security keys, Google prompt, Google Authenticator, Backup codes, text message, phone call
  4. Take advantage of SSO. Single sign-on, or SSO allows an application to be connected with your organization’s identity management platform and uses one login to sign a user into all the tools they have access to. This means less password management, fewer chances of falling for phishing attacks and easier sign-in. Without 2FA/MFA, however, it means an attacker can gain access to multiple accounts in one fell swoop. Keep this in mind when crafting your security approach. Speak with your IT or Security team to take advantage of this functionality where possible.
  5. Create an informed social media policy. A strong social media policy defends against security risks and legal issues, empowers your staff, and protects your brand. It clarifies who can speak for your company on social media, outlines a plan for dealing with conflict and includes personal account guidelines. For more on how to create one, check out our guide.

Apply these general practices to every social media account for a security boost. Then, take time to make sure the team is informed about how to keep those accounts safe.

Best practices for your team

Unfortunately, many cyber attackers target the people connected to accounts rather than the accounts themselves. In fact, phishing accounts for half of all fraud attacks, and most industries are still vulnerable to personalized spear-phishing and spoofing cyberattacks. An informed team is a secure team.

To keep team members up-to-date, include your social media policy as a part of their onboarding, and conduct regular training to revisit cybersecurity developments. Many organizations, including Sprout, hold recurring phishing or social engineering training to help team members exercise their scam-recognition skills.

As we’ve mentioned, designating a person to lead social media security is critical in keeping up with the ever-evolving nature of cyberattacks. The information they track will be useful in team training. This person can also help decide who needs access to social media accounts and why, and they can ensure social media access and removal is a part of your company’s official employee onboarding and off-boarding process. They should create and maintain a list of all social network accounts and individuals with access, and review it periodically. We strongly recommend using a password manager like OnePassword or LastPass to store and manage access to passwords. This will keep all this important data in one, secure place.

If this sounds like a lot of work, you’re right—it is. Many companies turn to social media management platforms like Sprout Social to help manage their various accounts and increase security. These platforms make granting and removing team member access simple, and have multiple authentication measures in place to restrict account access to those who actually need it.

Using Sprout Social to increase social media security

There are a number of ways that we help our customers keep their accounts safe. If you’re using Sprout to manage your organization’s social media, consider the following security measures available in the app.

The first is one we’ve already talked about, and it is something you can set up on an individual and team basis: two-factor authentication. Enable two-step verification in Sprout by visiting the security page under account settings. From there, account owners can also make two-step verification mandatory for all users. It’s important to note, however, that this important security feature is difficult when teams are trying to manage accounts natively.

Two additional team-wide security features are SSO and IP whitelisting. Utilizing single sign-on for Sprout is strongly recommended if it is something your team already uses for other tools. For an implementation fee, Sprout can connect your existing identity provider to the platform.

Using IP whitelisting means that if you have a corporate VPN, it may be possible to limit access to users logging in from approved IP addresses. This blocks outsiders from gaining access, even with other authorization credentials. Contact your Sprout representative for more information about IP whitelisting and SSO, and check out our security page for more general information on the Sprout platform’s security.

Guarding the gateways to social accounts and data

At the end of the day, the safety of your company’s social media accounts is in your hands. Once a plan and secure authentication measures are in place, the weakest link in the security chain is the human one. Stay aware of the changing cybersecurity landscape, and continually educate yourself and your team to stay ahead. Remain vigilant, and you can keep your accounts safe today and into the future.