Light Dark
May 25, 2016 By Lucie Hys 4 min read
Identity & Access
Risk Management

You may have heard that 117 million LinkedIn user credentials are up for grabs on the Dark Web for just five bitcoins, or about $2,200. As this most recent attack emphasized, the social media hack is a popular option for cybercriminals.

Social Media Is a Popular Target

According to a survey by the University of Phoenix, nearly two-thirds of U.S. adults who use social media say they are aware that their accounts have been hacked. With 76 percent of online adults using social networking sites, according to the Pew Research Center, that’s quite a decent repository for the black market.

While the LinkedIn hack has mostly made individual users nervous, companies should be worried too: Those regular users are the very people who have access to a company’s social media accounts. Users often manage company pages through their personal accounts as well, so once attackers gain access to a personal account, they can easily move on to all the pages that a given individual controls.

Fortune 100 brands experience at least one compromise on their social media channels every business day. Wondering what can happen when cybercriminals get their hands on your company’s account? It depends on their agenda. Common goals include getting access to information, taking advantage of the brand’s credibility for spamming purposes and embarrassing the company. But whether for monetary gain or to harm the company’s reputation, cybercriminals pose a serious threat to corporate social media accounts.

Three Ways to Prevent a Social Media Hack

Many companies had to learn this the hard way. While social media hacks can be very crafty, many times you can avoid trouble if you follow these three steps.

1. Educate All Employees

This is the most important point to follow. While you should pay special attention to instructing those who have direct access to your company’s social media accounts, all employees should go through basic social media safety training.

Considering that people check their social media accounts a staggering 17 times a day and more than 60 percent of enterprises allow employee use of personal devices to access corporate data, cybersecurity has quickly become everyone’s concern. Training sessions should specifically focus on fostering good password hygiene, recognizing spam and phishing attempts, sharing personal information and establishing privacy settings.

2. Limit Access

I have read articles that advise not giving social media staff access information at all and instead letting them use third-party tools such as Hootsuite or Sprout Social. That’s usually not feasible; someone on the social media team will likely need to know account information to fulfill certain job responsibilities such as advertising or adding other tools.

However, not all employees on the social media team necessarily need to know the login information to your accounts. By using third-party management tools, more junior employees or occasional users who don’t necessarily require full access credentials can publish and monitor the accounts without having control over settings. Only trusted, reputable apps should be allowed to connect to the account.

3. Make Good Password Hygiene Easier

Every company should have a social media security policy in place, and it should have guidelines for proper password use. Make this document easy to find and digest. Since people learn better through visuals, it’s a good idea to highlight key points with images or infographics.

For the employees who have the keys to the castle (typically the company’s social media managers), create a checklist that gets emailed to them every three months as a reminder to:

  • Change the passwords on social media accounts and third-party management tools per company guidelines (e.g., minimum number of characters, upper- and lowercase letters, letters and numbers included, etc.).
  • Avoid reusing the same password.
  • Verify that the information connected to the account (e.g., email, phone number, etc.) is current.
  • Remove admins who no longer need access.
  • Eliminate apps that no longer need access.

For accounts that are administered via employees’ personal accounts, prompt them to change passwords there as well. Two-factor authentication should be enabled on sites that offer this option. If an employee who had access to these accounts leaves the company, the password should be changed immediately.

Passwords Present a Challenge

A big challenge that continues to haunt companies is that even though employees are often aware of good password hygiene, they choose to ignore it. Many sites give guidance on strong passwords when creating a login, yet easy-to-hack passwords like “123456” and “password” continue to top the popularity charts.

Since stronger passwords are often harder to remember, users simply opt to let convenience trump security. They either pick trivial passwords when possible or, if the system forces users to set stronger passwords, they write them down. Did you know that anyone could walk into an office and see 20 percent of passwords written on a sticky note?

To encourage staff to adopt good password hygiene, educate employees on the use of a password manager. While not foolproof, it is a more secure option than not having one at all.

Starting the Process

Where should you begin when trying to avoid a social media hack? Sit down with your social media staff and ask the following questions.

 |  |  |  | 
Lucie Hys
Product Marketing Manager, IBM Security

More from Identity & Access
October 23, 2023

Taking the complexity out of identity solutions for hybrid environments

4 min read - For the past two decades, businesses have been making significant investments to consolidate their identity and access management (IAM) platforms and directories to manage user identities in one place. However, the hybrid nature of the cloud has led many to realize that this ultimate goal is a fantasy. Instead, businesses must learn how to consistently and effectively manage user identities across multiple IAM platforms and directories. As cloud migration and digital transformation accelerate at a dizzying pace, enterprises are left…

September 13, 2023

“Authorized” to break in: Adversaries use valid credentials to compromise cloud environments

4 min read - Overprivileged plaintext credentials left on display in 33% of X-Force adversary simulations Adversaries are constantly seeking to improve their productivity margins, but new data from IBM X-Force suggests they aren’t exclusively leaning on sophistication to do so. Simple yet reliable tactics that offer ease of use and often direct access to privileged environments are still heavily relied upon. Today X-Force released the 2023 Cloud Threat Landscape Report, detailing common trends and top threats observed against cloud environments over the past…

August 1, 2023

Artificial intelligence threats in identity management

4 min read - The 2023 Identity Security Threat Landscape Report from CyberArk identified some valuable insights. 2,300 security professionals surveyed responded with some sobering figures: 68% are concerned about insider threats from employee layoffs and churn 99% expect some type of identity compromise driven by financial cutbacks, geopolitical factors, cloud applications and hybrid work environments 74% are concerned about confidential data loss through employees, ex-employees and third-party vendors. Additionally, many feel digital identity proliferation is on the rise and the attack surface is…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature