How Secure Are Your Company’s Social Accounts?

Thursday, September 07, 2017

Jackson Shaw


HBO, and many other companies, have felt that dreaded sick feeling of finding out that someone hacked their Twitter or Facebook accounts. In many cases, businesses are not treating their brand and goodwill the way they treat other corporate assets like their HR or finance systems.

Most businesses force password changes and two-factor authentication on users of internal systems. More forward-thinking companies have implemented privileged account management systems that let users check out passwords to high-value or high-risk systems and then randomize those passwords when they are checked back in. In some cases, a privileged account management system may even disable an account while nobody is using it, making that account nearly hack-proof. However, companies seem slow to realize that their Twitter, Facebook or LinkedIn accounts and passwords require exactly the same protection as any of their high-risk or high-value internal systems. Why is that? Why aren’t companies at least turning on two-factor authentication?

The story in question is a great example of a well-known company having damage done to its brand by a group of hackers. Unlike a loss in a financial or HR system, the loss of brand reputation is incalculable, but it is acknowledged to be very high, and the brand is damaged again every time another article is written about what happened. (I love HBO and I will continue my subscription nevertheless!)

Is it too inconvenient to have to check out a password when you want to tweet? Or update your company’s status on Facebook? Or use two-factor authentication? Do you have many social media employees who all need access to the same accounts at the same time, so a password is shared among many people and two-factor authentication doesn’t work for the shared account? Most modern privileged account management systems let you define policies like “require check-out after hours”, “require check-out if outside the network”, or “wait for check-in before check-out” to ensure that only one person is posting at a time. It’s even possible to ensure that the social media employees never see the password they are checking out. A combination of these policies could easily level up your protection of your social media (privileged) accounts. A really good system would also check any employee passwords that aren’t randomized against a list of known compromised passwords, the kind that appear in most attackers’ cracking dictionaries. Well-known examples include starwars, 123456 and qwerty.
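The check-out workflow described above, modelled as an added toy example (it is not the post's code or One Identity's product): one holder at a time, an opaque handle instead of the real password, rotation on check-in, and screening of static passwords against a constructed blocklist. The business hours, the 10/8 "corporate network" prefix and the three-entry blocklist are assumptions standing in for real policy data.

```python
"""Toy privileged-account vault for a shared social media login (illustration only)."""
import secrets
import string
from datetime import datetime
from typing import Optional

# Constructed stand-in for a real breached-password feed (the three values the post names).
COMPROMISED = {"starwars", "123456", "qwerty"}
BUSINESS_HOURS = range(9, 18)      # assumption: 09:00-17:59 local counts as "in hours"
CORPORATE_PREFIXES = ("10.",)      # assumption: 10/8 is the corporate network


def requires_checkout(when: datetime, src_ip: str) -> bool:
    """Policies from the post: require check-out after hours or from outside the network."""
    return when.hour not in BUSINESS_HOURS or not src_ip.startswith(CORPORATE_PREFIXES)


def random_password(length: int = 24) -> str:
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


class Vault:
    def __init__(self) -> None:
        self._secrets: dict = {}     # account -> current password (never handed out)
        self._holder: dict = {}      # account -> user currently holding the check-out
        self.log: list = []

    def enroll(self, account: str, password: str) -> None:
        # Static (non-randomized) passwords are screened against the blocklist first.
        if password.lower() in COMPROMISED:
            raise ValueError(f"{account}: password appears in a known-breached list")
        self._secrets[account] = password

    def checkout(self, account: str, user: str) -> Optional[str]:
        # "Wait for check-in before check-out": only one active poster at a time.
        if account in self._holder:
            self.log.append(f"DENY {user} -> {account}: held by {self._holder[account]}")
            return None
        self._holder[account] = user
        self.log.append(f"CHECKOUT {user} -> {account}")
        return secrets.token_hex(8)  # opaque session handle; the password stays in the vault

    def checkin(self, account: str, user: str) -> None:
        if self._holder.get(account) != user:
            raise PermissionError(f"{user} does not hold {account}")
        del self._holder[account]
        self._secrets[account] = random_password()  # randomize on every check-in
        self.log.append(f"CHECKIN {user} -> {account}; password rotated")
```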

It’s really time to start protecting your Facebook, LinkedIn, Twitter, Tumblr, Instagram and all other social media accounts with as much security as your accounts payable or human resources system. There are no technical excuses.

About the author: Jackson Shaw is senior director of product management at One Identity, an identity and access management company formerly under Dell. Jackson has been leading security, directory and identity initiatives for 25 years.
