McDonald’s has become the latest big name to have a social media account hacked when their official Twitter account attacked US president Donald Trump, calling him a ‘disgusting excuse of a president’. Worst of all, the tweet was pinned, giving it maximum visibility for the 15 minutes before it was deleted.
McDonald’s isn’t the only large organisation to be hit. CNN, PlayStation, Viacom, Forbes and the BBC’s North American service have all been targeted. If you thought social media hacking was a problem only SMEs and personal users experienced, think again.
Protecting your social media accounts has become critical in an age where hacking appears to be vogue. When even Mark Zuckerberg himself can be subject to a breach, no-one is immune.
Here are a few steps your company can take to beef up its social media security and give itself the best possible chance of avoiding a hack.
1. Create strong passwords and don’t re-use them
It’s tempting to use the same password for each of your social media accounts and third-party platforms such as Hootsuite. Tempting but potentially costly.
Mark Zuckerberg used the same password for his Twitter, Instagram and LinkedIn accounts – reportedly ‘dadada’. “Zuckerberg appears to have the same security weaknesses as the rest of us,” noted Alex Hern, a technology reporter at the Guardian. “Reusing passwords is a bad idea even if you aren’t a billionaire with a target painted on your back.”
‘dadada’ is an inexplicably weak password for one of the world’s foremost social media experts, scoring 0% and rated ‘Very Weak’ by Password Meter. Passwords should ideally be at least eight characters in length, and contain a mixture of upper and lower case, numbers and symbols. The longer the better.
There are a number of useful tools – password managers – that can generate a complex, unique password for each of your accounts. You only need to remember one master password for the tool, which will take care of all your other password needs for you.
2. Prepare your staff
No amount of expensive tools or software can protect you from human error.
There was a huge increase in phishing attacks in 2016 – more than at any other point in history. It’s vital your staff are trained to be vigilant and able to identify the risks.
Most people nowadays know to hover their mouse over a link to reveal the real URL before clicking on it, but scammers are becoming more sophisticated and are able to disguise fake emails so they appear more authentic.
3. Update passwords
It’s considered good practice to change your passwords on a semi-regular basis. But how often?
Data security expert Lorrie Cranor argues that forcing employees to change passwords regularly – such as every three months – actually makes their accounts more susceptible to being hacked. People become lazy and put little effort into making their new password difficult to guess, often adding a different number each time on the end of their old password (‘johndoe1’ will become ‘johndoe2’ for instance).
Password security expert Mark Burnett suggests once or twice a year is plenty. “With a strong password, there is little to be gained having to change it every few months,” he said. “Six months to a year will result in a better experience for users and allow for stronger passwords.”
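As an added example (not from the article or any of the experts quoted), the checks from sections 1 and 3 written out as a small Python policy function: minimum length and character mix, no re-use of a password already set on another account, and no ‘new’ password that is the old one with only its trailing number bumped, the ‘johndoe1’ to ‘johndoe2’ pattern described above. The eight-character threshold follows the article; the function names and sample passwords are assumptions.

```python
import re
import string
from typing import Dict, List, Optional

MIN_LENGTH = 8  # the article's minimum; raise it for your own policy


def strength_problems(password: str) -> List[str]:
    """Return the policy rules a candidate password fails (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    return problems


_TRAILING_COUNTER = re.compile(r"^(.*?)(\d*)$")


def _stem(password: str) -> str:
    """Strip a trailing run of digits and lower-case the rest: 'johndoe2' -> 'johndoe'."""
    return _TRAILING_COUNTER.match(password).group(1).lower()


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when 'new' is 'old' with nothing but its trailing counter changed."""
    return new.lower() != old.lower() and _stem(old) == _stem(new)


def check_new_password(new: str, old: Optional[str],
                       passwords_elsewhere: Dict[str, str]) -> List[str]:
    """Combine all three checks; passwords_elsewhere maps account name -> current password."""
    problems = strength_problems(new)
    if old is not None and new.lower() == old.lower():
        problems.append("unchanged from previous password")
    elif old is not None and is_trivial_rotation(old, new):
        problems.append("only the trailing number changed from the previous password")
    reused = [site for site, pw in passwords_elsewhere.items() if pw == new]
    if reused:
        problems.append("already used on: " + ", ".join(sorted(reused)))
    return problems
```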
4. Secure email accounts
In June 2016 the official Twitter account of the National Football League (NFL) was hacked, with a tweet announcing commissioner Roger Goodell had passed away.
The tweet was deleted and fans reassured that Mr Goodell was alive and well, but the damage had been done. “We got into a social media employee’s email and found the account password there,” one of the hackers said.
So don’t stop at securing your social media accounts: extend your focus to any system, account or piece of software that hackers could use to find out your passwords.
5. Two-factor authentication
It might be a slight annoyance that adds an extra cog in the process, but two-factor authentication is an important weapon in the battle against hackers.
Also known as 2FA or TFA, two-factor authentication requires the user to provide further evidence of being the account owner by using something that only they possess – such as a mobile phone or card device for banking transactions.
Tools such as Authy offer 2FA for Facebook, while Twitter has a native offering.
A word of warning, however. Black Lives Matter activist DeRay McKesson had his Twitter account compromised despite using two-factor authentication. Hackers managed to gain access to his phone account and were able to re-route his text messages, thereby giving them the second key they needed.
6. Hire a hacker
Well, not an actual hacker, but an expert who will attempt to find a way through your IT infrastructure. It’s called penetration testing, and it’s a useful exercise for brands that are serious about securing their systems.
“Security clearance is a very valuable thing these days,” says Dan Haagman, director of operations at information security consultancy 7Safe. “Would you trust an ex-burglar to do a security audit on your house?”
The implied answer is ‘yes’. The McDonald’s social media team assumed their accounts were safe until someone looking for a way in managed to find one.
If you aren’t looking, you won’t see it.