Setting up your business social media securely
Good online security practices should be a top priority for your social media account even if it is only one component of your business.
Why it matters
It takes a long time to build your reputation and consumer base on social media, and losing access to your account can have a significant financial and emotional impact.
If you’re a business owner, you probably rely on social media to some extent, from building your brand to sales. Scammers know how valuable social accounts are and target them often.
If they gain access, attackers can lock you out of your account and target your customers with phishing campaigns and other scams. These attacks can do severe damage to your brand and your customers' trust.
Protect your social media account
Start with strong passwords
Attackers can take over your account by getting your password. The most common ways they do this are:
- getting you to click on a phishing link and tricking you into entering your password,
- obtaining your password through a data breach, or
- simply guessing a weak password.
A long and unique password is your best defence against account takeovers. You can find more on how to create good passwords here.
If you have multiple social media accounts, use a different password for each one, which should also be different from all your other online accounts. For example, don’t use the same password for your Instagram account as you do for LinkedIn. That way, if someone gets one of your passwords, it won't give them access to your other accounts.
Use a password manager to securely store your passwords, but avoid saving your passwords in your browser. Encourage your employees to do the same.
Enable two-factor authentication
Enabling two-factor authentication (2FA) gives you a second layer of defence so even if someone has your password, they won’t be able to access your account. It's a simple tool, but incredibly powerful in stopping attackers. We recommend you turn it on across all your social media accounts and any other important accounts including emails and banking.
Keep your device and apps up to date
Device manufacturers and app developers frequently release updates when they need to add a new feature or to fix security issues. Keeping your social media apps and the device you use to log in to them up to date helps protect your account from online attackers who are looking for a way to get into your accounts. You can also turn on automatic updates for your apps in your device settings.
Create a social media policy
You may have more than one person with access to your social media accounts. This could include an external agency. Having a social media policy document will mean that:
- you have guidelines in place around who can access your social media accounts,
- you can better explain to your employees your expectations around how your social media is used, and
- if there is a security issue involving your social media, people in your business can refer to this document for what to do next.
Your social media policy should outline who gets access to your accounts, rules around what to post, rules around moderating interactions, and what to do in the case of an online event.
Your staff should only have the minimum level of access they need to do their job: this is known as the 'principle of least privilege'. While it's good to have backup options in case staff are unavailable, the fewer people that know the passwords or have admin rights, the lower the risk of unauthorized access.
You can also put in place security requirements, such as mandatory 2FA for anyone accessing the account. When employees with access to social media accounts exit the organization, promptly revoke their access and change the passwords, to decrease the risk of unauthorized access.
Storing passwords in a password manager also increases your security. A password manager is like putting your passwords into an online safe that only you have the key to. Using a password manager is an easy way for you and your staff to keep track of all the passwords used to access business accounts such as social media.
Keep the master key with you
Social media accounts are linked to an email account which owns the account. This master email is also used to change passwords and to retrieve your accounts. If this email is compromised, an attacker can lock you out of your social media accounts by resetting your passwords.
Secure your email account with the same protections as your social media account above with a long, strong, unique password (not the same one as your social accounts) and two-factor authentication.
If you have more than one person with access to your online accounts, you can choose to keep the password for the master email account with you so nobody can reset the password without you knowing.
Be on the lookout for phishing
Phishing is the most common way for cyber criminals to get a foot in the door. All it takes is for someone to click on the wrong link and the account could be compromised.
It is very important to be able to spot a phishing email or message when you see one, and to train your employees to do the same.
Get help
If someone has gained access to any of your online accounts but hasn’t locked you out.
Change your password immediately. Once you have secured your account, set up two-factor authentication (2FA) to protect it from future attacks.
In the settings menu you should be able to see what devices currently have access to the account and what other apps might be connected. Use this to remotely disconnect anything that isn't a known device, then log back in on the devices as needed.
If you have lost access to your account and can no longer log in.
You will have to work with the platform where your account was compromised. Most social media platforms have a section to help you recover your account. You can find some of the most common ones here.
- Hacked and fake accounts | Facebook Help Centre
- My Instagram was Hacked | Instagram Support
- My account has been hacked | TikTok Help Center
- My account is compromised | Snapchat Support
Report the issue to CERT NZ
Once you have contacted the social media platform, report the incident to CERT NZ and we can help you determine how the compromise happened and how you can secure your accounts moving forward.