Social media handles of organisations they represent are often associated with the company’s brand and identity itself. If someone else gains control of the handle, they can damage the company’s reputation by posting inappropriate or misleading content.

It is said that nearly 20% of small and medium businesses have had their social media accounts hacked.

Here are some interesting incidents from the past: 

• Concerned about fake news and hate speech, Sweden’s public radio closes Twitter accounts LINK
• Prime Minister Narendra Modi’s Twitter account was hijacked in 2021
• Popular Gaming Company PubG’s official YouTube account was  hacked 
• Union Ministry of Information and Broadcasting’s Twitter account was hacked last year
• Elon Musk’s twitter account has been hijacked repeatedly in the past to pump and dump Bitcoin scams.

Recent incidents targeting the accounts of the brands and large organisations have prompted regulators to call for additional measures to safeguard social media accounts. 

In fact, In India Reserve Bank of India (RBI) in its master directives for NBFCs has explicitly called out for its safeguard:

What should you do to safeguard your Organisation’s Social Media Accounts ?

If you are managing company’s social accounts, here’s a checklist to ensure they are secure:

1. Use official company email IDs to manage and map social accounts. I have seen personal email accounts used for managing brands. This could also lead to problems once the employee quits. Also, as these non-company email IDs are un-managed it is difficult to enforce security controls around them.
2. Enable multi-factor authentication (MFA) to require two components for login. Even in case of password leak or theft, the hackers would still need the MFA to gain access. 
3. Do not reuse passwords across different accounts. Hackers often try to see if a password found in a leak can be reused elsewhere.
4. Get company’s official accounts verified for assurance and credibility. Prioritize and get this done as too many fake listings are causing a great loss for the customers. 
   • Google Maps has a fake business listing problem – https://www.theverge.com/2019/6/20/18693144/google-maps-fake-business-listings-investigation-report
   • Of late there have been numerous incidents of fake listings of customer support in the name of the companies, especially Fintechs. Many customers have lost money by calling up these numbers for their queries and have paid their loan amounts, penalties only to realise later that these are fake listings adding to their burden. Fraud Alert: Social media outreach for customer support can get you scammed https://www.medianama.com/2023/02/223-fraud-scam-social-media-customer-care-bots/ 
5. If your company is using third-party tools or plugins, routinely review them for any vulnerabilities. A common phenomenon I have encountered during web security audits is that websites hosted using CMS like WordPress, Drupal etc often use the plugins which are integrated for social shares, marketing, analytics etc. If these plugins are not updated, chances are they can be hacked and gain entry into the websites. If your corporate website is hosted separately from the web applications,  the damage is limited. If not this could lead to much serious data breaches.
6. If you engage third-party agencies, or consultants, ensure you review their security practices and is in line with all the regulatory requirements. Regulators like RBI, SEBI mandate that even the Third-Parties should have the same security practices outlined for regulated entities.
7. Regularly monitor accounts for any suspicious activity or unauthorized access.
8. Backup all social media account data regularly to minimize the impact of any security incidents or data loss.
9. Limit access to social media accounts to only authorized personnel and use role-based access controls. Managing multiple email accounts for social media channels can be challenging sometimes. You can create a distribution list if multiple people log in to the account and then set different passwords.
10. Consider using social media management tools to help manage and secure accounts more effectively.
11. If you are a CISO / Security professional for your company, please do spend some time with Marketing and Customer Support teams on they handle these channels with regards to logging in, content review. Please also pay attention on they handle sensitive information shared by customers over these channels.
12. Create a crisis communication plan to prepare for any potential security incidents, including who to contact, what to do, and how to respond to the public. You can write Standard Operating Procedures on these and share internally so that its easier in the event of a data breach.

Brand verification

Brand Verification is essential to confirm that social accounts truly represent your company. All platforms offer the option for brands to verify their accounts as official. Brand verification provides multiple benefits:

• Assures customers that they are interacting with official company accounts
• Adds credibility to information shared through verified accounts
• Prevents rouge accounts from creating channels using our company name
• Makes it easier to take down spam and unauthorized accounts

Verification Process Links:

Verification links for popular social media accounts are listed here:

• Twitter – https://help.twitter.com/en/managing-your-account/about-twitter-verified-accounts
• Instagram – https://help.instagram.com/369148866843923
• Facebook – https://www.facebook.com/help/1288173394636262
• LinkedIn – https://www.linkedin.com/help/linkedin/answer/125300/verify-your-work-email-address-on-linkedin?lang=en
• YouTube – https://support.google.com/youtube/answer/3046484?hl=en

If you found this useful, please like and reshare.

About Me: I help fast growing startups, fintechs and other companies  in the areas of Cyber Security. If you need pragmatic guidance or help in this regard, do not hesitate to get in touch with me: email@vprasanna.com