Social Media - the privileged account no one talks about

This year, so far, has seen data breaches aplenty. Hackers have been quick to take advantage of and exploit the oversights of large corporations and, in doing so, have made headline news all over the world. Personal data has been stolen, leaked and sold, and the reputation of businesses tarnished in the process, yet time after time we see the same mistakes cropping up; one of them is the way businesses handle and manage their social media presence and accounts.

Not too long ago, HBO was faced with that dreaded, sick feeling of finding out that someone had hacked its Twitter or Facebook accounts. Hackers managed to take over social media channels and post messages from the corporation, although it didn't take long for HBO to regain control and seemingly delete all evidence of the hack. However, the power of the screenshot once again prevailed, and it wasn't long before the topic was trending on Twitter and being discussed by thousands of people worldwide. Coming so quickly after a widely publicised breach, this once again thrust the company into mainstream headlines, putting its security systems in the spotlight and opening the company up to widespread scrutiny, both within the industry and outside.

Sadly, HBO is not the only corporation neglecting social media safety. In many cases, businesses are not treating their brands and goodwill the same way they treat other corporate assets like HR or finance systems. Most businesses force password changes and two-factor authentication on users of internal systems. More forward-thinking companies have even implemented privileged account management systems that allow the check-out of passwords to high-value or high-risk systems and then randomise those passwords when they are checked back in.

In some cases, a privileged account management system may even disable an account when no one is using it, making that account nearly hack-proof. However, companies seem slow to realise that their Twitter, Facebook or LinkedIn accounts and passwords require exactly the same protection as any of their high-risk or high-value internal systems. Why is that? The story in question is a great example of a well-known company having damage done to its brand by a group of hackers. Unlike a financial system or an HR system, the loss of brand reputation is incalculable but acknowledged to be very high, and the brand is damaged again every time an article is written about what happened.

There are of course many questions corporations need to ask themselves when approaching how to manage their social media safely. For instance, is it too inconvenient to have to check out a password when you want to tweet or update your company's status on Facebook? Do you have many social media employees who all must have access to the same social media accounts at the same time, so that one password is shared among many? Controlling social media use from a brand perspective is not just about hacking, and companies need to make decisions about who they are comfortable with representing them to the big wide world.

One possible answer is that most modern privileged account management systems give you the capability of defining policies like "require check-out after hours", "require check-out if outside the network", or "wait for check-in before check-out" to ensure that only one person is posting at a time; it's even possible to ensure that the social media employees never see the password they are checking out. A combination of these types of policies could easily level up the protection of any social media (privileged) accounts. A really good system would also ensure that any passwords used by employees that aren't randomised are checked against a list of known hacked passwords, the kind that appear in the dictionaries of most hackers. Well-known examples of such hacked passwords include starwars, 123456 and qwerty.
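As an added illustration, not code from the post or from any One Identity product, here is a small Python model of the policies just described: check-out required after hours or from outside the network, one holder at a time, a check against a compromised-password list, and password randomisation on check-in. The business hours, corporate network range and the compromised-password sample are assumptions.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional
# Constructed sample of breached passwords (the post names starwars, 123456, qwerty);
# a real vault would consult a full breach corpus.
COMPROMISED = {"starwars", "123456", "qwerty", "password"}
BUSINESS_HOURS = range(9, 18)        # assumed: 09:00-17:59 counts as in-hours
CORP_NET = ip_network("10.0.0.0/8")  # assumed corporate network range

@dataclass
class SocialAccount:
    password: str
    checked_out_by: Optional[str] = None

def password_is_compromised(pw: str) -> bool:
    return pw.lower() in COMPROMISED

def checkout_required(when: datetime, src_ip: str) -> bool:
    """'Require check-out after hours' / 'require check-out if outside the network'."""
    after_hours = when.hour not in BUSINESS_HOURS
    off_network = ip_address(src_ip) not in CORP_NET
    return after_hours or off_network

def checkout(acct: SocialAccount, user: str) -> str:
    """Grant the account to `user`, or return the reason it was refused."""
    if password_is_compromised(acct.password):
        return "denied: password is on the compromised list; rotate it first"
    if acct.checked_out_by not in (None, user):
        # "wait for check-in before check-out": only one poster at a time
        return f"denied: checked out by {acct.checked_out_by}"
    acct.checked_out_by = user
    return "granted"

def checkin(acct: SocialAccount, user: str) -> bool:
    """Release the account and randomise its password so the old value is useless."""
    if acct.checked_out_by != user:
        return False
    acct.password = secrets.token_urlsafe(24)
    acct.checked_out_by = None
    return True

def may_post(acct: SocialAccount, user: str, when: datetime, src_ip: str) -> bool:
    """Posting is allowed in hours and on-network; otherwise only by the current holder."""
    if password_is_compromised(acct.password):
        return False
    if acct.checked_out_by == user:
        return True
    return acct.checked_out_by is None and not checkout_required(when, src_ip)
```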

It's really time for companies to start protecting their Facebook, LinkedIn, Twitter, Tumblr, Instagram and all other social media systems just as they would their accounts payable or human resources systems. There are no technical excuses: safe social media is invaluable in ensuring that brand reputation is not compromised.

Contributed by Jackson Shaw, product manager, One Identity

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.