In the flurry of growth and the craziness of day-to-day business, the last thing on your mind is making a policy about anything, especially something as dynamic as social media. As your small business has grown, your involvement on social media has grown along with it—chances are your social media accounts are integral to your digital marketing strategy, maybe even a direct driver of sales. While we like to think of social media in the warm fuzzies of marketing, community, and broadcasting, it’s not always roses. Imagine if your accounts were compromised and you lost control of what was said, or what images were posted.
This isn’t far fetched. In April 2016, the Facebook page of a small organic jewelry maker in Tennessee—The Vintage Honey Shop—was taken over by hackers and held for ransom. The co-owners and sisters-in-law, Jennifer and Melissa Gilkes were at a loss for how to regain control of their site. The social media page was one of the primary ways they connected with their customers, and it was a major driver of business. They struggled for days to recover their page, and until the media coverage, even Facebook was less responsive than they needed.
The Vintage Honey Shop eventually regained control of their Facebook page, but they learned a hard lesson in the process: You have to be proactive about security with your business’ social media accounts. The dangers small businesses face include:
- Brand sabotage (someone establishes a social account that mimics yours, but is out of your control)
- Reputation management (your brand is involved in negative interactions)
- Account compromise (hacking in, which another entity has control of your accounts)
In the wake of the debacle at the Vintage Honey Shop, Facebook offered tips to help small business owners secure their social media accounts, which we expand upon here. If you develop a solid social media use policy and follow best practices, you can help reduce the possibility of hacks to your social accounts.
Establish rules for access to—and use of—your social sites
Set clear rules of the road for who will access your social media accounts and what they will do. This includes access level and approver level. Even if your small business has only a few people right now, it’s valuable to create a policy and update it as you grow.
At the core of your social media use policy should be your social media strategy and your core values. Your use policy should facilitate your strategy without hindering workflow. Your core values will dictate how you respond to challenges along the way.
Begin by establishing a hierarchy of oversight, as well as duties and roles for each position: admin, editor, approver, analyst, etc. Remember, more people with direct access to posting on your channels implies more risk for misuse. Be sure to specify one person who has full responsibility for each channel. A well-defined role chart will help ensure that all the people accessing your social media accounts have oversight, keeping surprises to a minimum.
Next, establish guidelines for use of your social channels. This post is not going to go deep into how to establish a use policy, but here’s an article with some excellent sample social media use policies you can glean from. Use policy is about setting expectations for what you post, which protects your brand reputation by eliminating confusion. As you develop your use policy, keep in mind the following:
- Have you designated precisely who will respond to negative posts?
- Do you have guidelines for how to block/interact with disrespectful, negative users, bullies, and trolls?
- Are you able to ensure that all activity aligns with your social media strategy?
- Do you have a review process to ensure your posts don’t come off as insensitive?
Have a clear policy about the use of your name and logo on social sites so that an overzealous employee doesn’t establish a new social site on a platform without following protocol. For your brand, every action on social should be deliberate.
It goes without saying that you need to be aware of the activity on your social media accounts. You’ve got to have a vigilant eye, tracking your accounts every day. Here’s why:
Reputation management: Your social accounts are your brand showcase—keep them under your control. You don’t want to stumble into a situation where a disgruntled customer or follower engages in a negative conversation on your pages. Negativity can be contagious, but perhaps more importantly, the rest of your network will want to see how you put out the fire. (This is why you should have a policy in place for dealing with negativity in a way that shows your brand at its very best).
If your brand created or hosts a Facebook group or LinkedIn group, you can control the flow of membership by admin approval. Once you set the criteria for who can join, stick to the rules and allow members to join only by admin approval. Remember, if your brand is associated with the group, you need to be sure that the activity of the group stays professional and on-task.
Quickly catch any breaches in security: Vigilant monitoring will help you catch any hacks or viruses that might be compromising your accounts, allowing you to quickly respond. The faster you respond, of course, the less damage your business will suffer.
Earlier, we talked about setting access and use policy. The following tips will help you follow best practices for user administration.
Remove account access as soon as an employee terminates
You can’t always anticipate when an employee will be disgruntled enough to retaliate after they’ve left your company. But if you do have an unhappy former employee with access to your social media accounts (as well as your other accounts), you could run into a retaliatory hacking situation as happened to the Los Angeles Times. Why leave the risk hanging out there? When users leave (or notice has been given), make sure that social account access is one of the first accesses you remove.
In fact, to be thorough, your social media administration policy should consider all aspects of an employee separation.
Use two-factor authentication
Two-factor authentication, or 2FA (also known as “login approvals” on Facebook and some other social platforms), pushes users to enter a secondary login credential on a device that’s tied to their identity (like a cell phone) in order to access an account. This adds an additional layer of security in case a password or PIN has been lost or stolen.
The downside? It can make login a little more labor intensive, but if it holds off hackers, it’s worth it. Think about it, if so many major social media platforms have set up 2FA, there must be a good reason for it, right? Here’s how to set up 2FA on your social accounts:
Define which devices can access your social platforms
If you allow access to your social media portfolio via mobile devices, establish policy on how your employees should secure the device, how quickly they should report on lost or stolen devices, and where they should report it.
Keep on top of shared password use
At the end of the day, passwords are the keys to the kingdom. While they aren’t 100 percent hack-proof, you can follow some best practices to reduce your risk.
- If your team shares an account password, change it when someone leaves the team
- Change passwords every six to 12 months
- Use tools like Lastpass to generate long, random-character passwords
Stake out social channels with your brand name
Most likely, you don’t have the time and energy to handle a gazillion social media accounts, and no one expects you to overextend yourself. On the other hand, there’s a good chance that your fans do have social accounts on those other platforms, and if you haven’t staked out an account on the other major social channels, you could run into trouble later.
If you want to prevent an imposter posing as your brand on those channels, potentially doing your brand harm, you can stake a claim to a branded social account. Even if it remains inactive, you’ll have an official page, and you’ll make it that much harder for an imposter to sabotage your brand.
Likewise, if you have an account in place that you aren’t using now, you’ll be free to start using it later without having to buy it back from someone who has already taken the name.
When you establish policy, anticipate growth, and make sure that you review policy on an annual basis. Of course, if your business has undergone rapid growth, you should review policy even more frequently.
Many small businesses figure that it’s unlikely that their brand would be high enough on a hacker’s wishlist that they would have to worry about a specific threat. But then again, the Vintage Honey Shop mentioned above probably had little reason to worry, too. For a small business, it can be a nightmare untangling a hack like that. In the end, you never know who may have reason to compromise your accounts. It’s always better to be safe than sorry. Always.