Protect your agency from security risks on social media
- By Ben Cathers
- Mar 12, 2019
Government agencies and social media are a natural fit. What better way to connect with citizens than through the channels they use to consume media, interact with others and connect to their favorite organizations? Social gives government an easy way to communicate with constituents on anything from road construction, to the details of local events, to instructions in times of emergency.
The ability to both engage with and listen to citizens is one of the reasons more agencies are making social a key component of their communications strategy to advance overall agency objectives. In an age where data is a valuable asset under near-constant threat, protecting social media accounts is critically important, yet it is often overlooked given the very real challenge of managing security threats under budget and resource constraints.
Our public-sector partner for Hootsuite products and services, Carahsoft, has direct insight into these challenges thanks to its first-hand interactions with agency customers. “The discussion around social media security has largely been overlooked, left in the shadows of topics like securing mobile devices, communication, and network infrastructures,” Carahsoft Social Media Manager Anna Easterbrooks said.
That means getting in front of the potential risk is critical and should be a priority for 2019.
The consequences of a government-managed social media account falling into the wrong hands are intimidating at best, with far-reaching impacts for both the agency and its constituents. Anything from an "industrious" student announcing a school closure to a breached military account declaring war is a potential risk when social media management access is compromised.
According to the 2018 Social Government Benchmark report conducted by Hootsuite, only 39 percent of government social media officials are confident in their agency’s current security practices. That number is concerning. The lack of confidence is due to agencies having neither a response plan for compromised social media accounts nor a formal communications strategy to deal with a social media attack.
The threat of attack on social media may be a new concept for many agencies, particularly those unaccustomed to being public facing. False narratives have the potential to last longer and go viral via social media, potentially compromising an agency’s reputation. While the risk varies depending on the type of agency and its degree of sensitivity, any time citizens lose confidence in an agency, that trust becomes more difficult to reestablish.
But rest assured, governments that take a proactive approach to cybersecurity and build a culture around new technologies can enjoy the benefits of engaging with citizens on social media without the risk of access breaches or hacks. This three-step plan was developed to secure an agency’s social media use without sacrificing team accessibility or overall budgets:
1. Plan the team’s access. Rather than unilaterally sharing social media account passwords within the agency, plan and keep an active list that identifies who needs access, to which accounts and to what degree. Work with human resources to put a strategy in place for when a social media manager leaves, including how to quickly revoke access and change account passwords. Social media management platforms can be a crucial tool to ensure security. Select a platform that lets users set customizable permissions based on roles, as well as workflows for content approval and publishing. Constantly review social media access policies and amend/revoke access as needed.
2. Use multifactor authentication. Requiring the presentation of two or more pieces of evidence to sign on to a system can create more secure access to social media accounts the same way it does for internal networks and email and should be enforced for all types of accounts. Decide whether multifactor authentication will be done via app-based integration, email or text. Then, designate someone to be in charge of receiving and approving notifications. Create a deeper level of intelligence with a security plan for investigating any failed login attempts.
3. Build a social media-specific emergency response plan. A well-developed and communicated emergency response plan will empower communications teams to react appropriately when passwords need to be changed on multiple social media accounts. Within that plan, include how to reclaim channels and communicate information to stakeholders in case of a breach. If a crisis occurs, be sure to post updates and respond to inquiries in real time and on a 24-hour cycle -- communicating what happened, what is known so far, what actions are being taken to correct the issue and where the audience can go to find out more.
The need for a multilayer security plan to protect both an agency's brand and stakeholders cannot be overstated. Security gives communications teams the confidence to use social media to connect with those who are looking for information and leadership.
Ben Cathers is the government and financial services principal solutions consultant at Hootsuite.