This document provides guidance on preventing social media hacks and responding if hacking occurs. To prevent hacking, it recommends using robust passwords, limiting account access, controlling cookies, educating users, and being careful with mobile devices. If hacked, the five steps are: 1) regain control by resetting passwords; 2) protect other platforms; 3) get accounts back to normal by deleting unwanted content and checking settings; 4) let your audience and employees know; and 5) thoroughly review security measures.

1. Social media security
How to prevent hacks and manage
them if they happen

2. 1. Preventing hacks1. Preventing hacks

3. Why are social media hacks a problem?
• You are the CEO of a bank, tweeting regularly,
and generally being hip
• And then your Twitter account is hacked.
There’s a tweet in your name that says the bank
has made huge losses and doesn’t have enough
money to pay account holders
• People panic and there is a run on the bank…

4. How do hacks happen?
• People who want to cause mischief can get
access to your password in a number of ways:
– Passwords are hacked using “brute force” software that runs
through all the possible combinations of letters and numbers
– People steal (or find) unprotected portable devices
– Devices are infected with spyware (often after a phishing attack)
– Passwords are not changed when an employee who knows
them leaves the company
– The password is stored on a shared personal device which
allows access by non-authorised people
– Password lists are made available to non-authorised people
• So what can you do about this?

5. How can you stop hacking?
• You can’t be sure of preventing hacking
• But you can take some basic steps to make it
less likely that people will succeed:
– Use robust passwords
– Limit access to social media accounts
– Limit direct access to social media accounts
– Keep in control
– Watch out for Cookies
– Educate people to avoid phishing attacks
– Take care with mobile devices

6. Use robust passwords
• Ensure passwords are strong
– minimum of 12 characters including at least one each of capital
letter, lower case letter, number, keyboard symbol (e.g. ! $ % &)
• Don’t use words or names in the password
– Password isn’t a great password
– And people realise that numbers are commonly substituted for
letters: So P455w0rd isn’t great either!
• Think of a phrase and use the first letters:
– I love my wife Delvina and my two boys Caspar and Tarquin!
becomes IlmwD&m2bC&T!
• Ensure passwords are different for all accounts
• Change passwords a couple of times a year

7. Limit access
• Audit number of people who have access (check
for 3rd
parties like agencies)
• Severely limit the people who have access
– If necessary appoint an “editor” who uploads content
written by other people
– Ensure that the contracts of people with access stipulate that
passwords must not be shared
– Keep a record of who has access

8. Manage access
• If you can, implement Single Sign On technology
to manage access to your social media accounts
• This means that people don’t have to sign onto
social media accounts directly
– they get access when they sign into your company network
• Preventing direct access means that fewer
people need to know or remember passwords
and that passwords can be changed at any time

9. Cookie attacks
• Some platforms (e.g. Twitter, Facebook) are
designed to remain open continuously
– This is so that you get access every time you go to your
computer or mobile phone
• Keeping an account open all the time gives
people an easy way into your account
– If it is open on a mobile device which subsequently gets lost
– if you are using a shared device and forget to log out.
• The most secure way to handle this is to require
access to corporate social media only via fixed
company equipment

10. Ensure you have control
• Some platforms (e.g. Facebook) say business
pages must be set up by private accounts
– Don’t allow individuals to set up these pages: create an account
representing your “corporate personality” instead
– If private accounts have been used, you may have to start afresh
even if it means sacrificing assets such as Likes
• If you ask people to Tweet or Post for you make
sure the accounts they set up are owned and
capable of being managed by the company

11. Avoid phishing attacks
• Phishing: a hacker sends you message “from”
your social network, asking you to log in to your
account and provides you with a handy link
• You enter username and password into a fake
login page, which promptly captures the data
– Often these attacks are personalised with your name and job
title (“spear-fishing”) and look very credible
• Prevent this through education. Train people to:
– Recognise suspicious emails
– Check the address of the site in the browser address bar
– Avoid links in emails and navigate directly to their account

12. Mobile devices
• Mobile devices represent a risk because they
can be lost or stolen
• Limit access to corporate social media accounts
via fixed computers in secure office locations
• If you need access outside the office (e.g. for
tweets at a conference):
– Protect the device with a robust password
– Make sure you have the ability to lock or wipe it remotely
– Avoid using password vaults that remember passwords for you
• If you are logging on to Twitter or Facebook on a
mobile device log off after you finish

13. Wi-Fi
• Wi-fi connections may be insecure or dangerous
• Check to make sure you are using the official
wi-fi (check the exact name)
– Don’t be tempted to use an alternative wi-fi even if seems to
offer easy access
• Don’t use the corporate account to tweet on wi-fi
– Set up a secondary account and use it for out-of-office events
– Use the event hashtag in tweets to ensure that people find your
posts
– Get colleagues to follow the secondary account and share your
posts via the main corporate account as soon as possible

14. Educate
• Most protection can be gained through
education
• Help people understand where the risks lie, what
they can do to minimise them, and why it is
important

15. 2. Five steps for2. Five steps for
managing if you aremanaging if you are
hackedhacked

16. Step 1. Regain control by resetting
passwords
• Change the password on the account (to
something harder to hack)
• If the hackers have changed the password, reset
it using the forgotten password link on the site
– At the same time change the password of the account
administrator’s email address as this may have been hacked too
• If the hackers have locked you out of your
account contact the social platform directly:
– Search [platform name] AND hacked OR compromised to find
the right page

17. Step 2. Protect your other platforms
• Now check all your other social media platforms
and ensure they have not been hacked as well
• If they are safe check that they have a secure
password and that this is different from the
passwords on your other social media sites

18. Step 3. Get back to normal
• Get your social media accounts back to the state
they were in before the hacking incident
• Delete unwanted content
– Delete any content sent out without your authorisation
• This doesn’t guarantee it will disappear completely and for
ever as other people may have saved or shared it
• Check your account settings
– Make sure there aren’t any nasty surprises waiting for you
• Have any automated responses been altered?
• Does your profile contain strange links?
• Have any Twitter lists been tampered with?
• Do you have unexpected new some “friends”?

19. Step 4. Let people know
• Tell your audience
– Post messages to followers apologising for any offence caused
• Pay to promote these messages if the hack was serious
– Put a message on your website and any other content such as
blogs and social media profiles
• Tell your employees
– Reassure them and tell them what to do and say if they are
asked about the crisis by friends or peers
• Tell the media
– Especially if the breach is potentially damaging you will want to
make sure the media have your version of events

20. 5. Review your security
• Review security to reduce the risk of anything
similar happening again
– Ensure that you have followed the advice in the first part of this
presentation
• Review any applications that have access to
your accounts; remove any you don’t recognize
• Run a virus scan on devices that have accessed
your accounts including mobile devices
• If available, set up “2-factor authentication”
(unless you have Single Sign On software)
• Make sure employees are properly educated