Keep your corporate social media accounts secure by ensuring you have a few practical measures firmly in place.

Social media can be a real boon for businesses. Whether you’re customer base is primarily active on the more B2B sites like Twitter and Linked in, or the more engaged sites like Facebook and Instagram, reaching out to them - and of course trying to attract more followers with organic and paid-for exposure - is simple and effective, right?

Well, not quite. Social media is, of course, great, but it has its pitfalls, and there are measures that every business should have in place to ensure that the security - and integrity - of the accounts is #OnPoint.

This guidance explains how you can reduce the likelihood of damaging content being posted within your own social media channels. Even if you already have an established process for posting social media content, we recommend you take a moment to review how you're using it.

This guidance is primarily for all staff responsible for setting up social media accounts. However, all staff involved in the creation, review, approval and publication of content for social media channels will also find it useful, especially those staff involved in procurement of social media tools.

Make sure that only authorised staff can publish content

Implementing a sound password policy to control access to social media accounts can help ensure that only authorised members of staff can publish content. Most social media products (including social media management tools) contain additional security features such as two-factor authentication (2FA), so make sure you switch this on. Doing so will protect against attacks on those accounts that are only protected by using passwords.

There may be several people within your organisation who need access to the social media account, including the ability to publish content. In such cases:

• Ensure that account access logging (if available) is switched on. This will provide an audit trail for unauthorised posts, or anomalous access to the account.
• Use credential protection mechanisms, such as password managers.
• Make sure passwords are stored securely; do not store passwords in plaintext in files, or in shared, unencrypted documents on servers which can be easily accessed by unauthorised persons.
• Avoid sharing passwords, if possible. Where there's a pressing business requirement to share passwords, use additional controls to provide the required oversight. Some password managers allow users to share passwords in a more secure way (for example, they can audit access to the password and automatically sync password changes). For more information, refer to the section on managing shared access within the NCSC's password administration for system owners guidance.
• Using Privileged Access Management (PAM) solutions can further protect the social media accounts, as these can help to secure passwords as well as auditing user access.

Managing leavers and movers

If a member of staff with access to your social media channel leaves your organisation (or even changes roles), make sure their access to all such accounts is revoked if it's no longer required. This needs to be done promptly - ideally before they move - in case there's any animosity surrounding their departure or move.

Doing this should form part of your organisation's wider process to manage 'joiners, movers and leavers', which should cover managing access to all IT systems. If you're using shared passwords, changing these passwords needs to be carefully managed as part of the leavers process.

Use social media platforms (and management tools) that provide good security features

When choosing a social media platform to use, you need to consider cyber security risks involved, and the security functionality each tool provides. Such risk considerations should include:

• Does the platform support 2FA for content and account management?
• Does the platform have a password or account recovery mechanism?
• Does the platform have an incident response mechanism for notification, or reporting of issues?
• How does the platform cover legal and regulatory issues (e.g. GDPR and protecting personal data for authentication)?
• Do the providers of the platform describe how they protect data?

Social media management tools

The criteria above should also be applied to any social media management or content management tools. These are tools that work in conjunction with major social media platforms to simplify the process of scheduling, posting, and responding to content. In some cases, a single piece of content can be simultaneously published across multiple social media channels. It's therefore essential that these social media management tools are afforded the same amount of protection as access to the social media platform itself.

Use corporate devices to create and publish content

Where possible, social media staff should always use work devices to create and publish content. Staff who use their own devices may end up inadvertently posting content that's intended for their own channels on the organisation's channel, or vice versa.

In addition, devices that are not managed by your organisation are harder to secure and maintain, which increases the risk of credential compromise by an attacker. It's also harder to put emergency recovery plans (see below) into action (which includes revoking access to social media tools) if you're not dealing with a managed device.

Put an emergency recovery plan in place

If an employee (or anyone else with authorised access to the account) is publishing damaging content, you'll need to make sure you're able to quickly revoke their access, most likely remotely. This will include managing access to any password vaults or password managers (where used) which contain corporate social media account access credentials.

If your social media channel is hijacked by an attacker, your priority should be regaining control of the account to contain any damage, rather than trying to correct any malicious content that's been posted.

Most social media tools provide the means to verify the owner's account(s) using extra identifying information in the case of an account compromise. Make sure you know how to access this recovery information, and that it's kept up to date. If an attack has also accessed this account recovery information, then the only recourse might be to contact the social media platform owner.

Don't wait until you're in the middle of a real incident before finding what you need to do to regain control. Ensure you know in advance who to contact, and what information you'll need in order to identify yourself to the social media platform owners. For more information about how to recover accounts, refer to the relevant online support pages for your chosen platform or social media management tool.

For more general information about recovering online accounts, refer to the NCSC's guidance on recovering a hacked online account.

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).