Previously in our four-part series on securing social media accounts, we’ve shown that social media channels are critical to today’s businesses and are also under attack, and we’ve explored why social media accounts are so insecure and the risks that follow.

In this installment, we examine why organizations struggle to apply proven security best practices to their social media environments, even when they have sophisticated identity and access management systems protecting the rest of their infrastructure. Essentially, it comes down to:

  1. Social media apps don’t integrate well with an organization’s existing identity controls.
  2. Other traditional access management approaches (or workarounds) don’t work either.

Implementing best practices for social media accounts is easier said than done

Recall from our earlier posts that:

  • Social media accounts exist beyond the control of Identity and Access Management (IAM) and Identity Governance and Administration (IGA) systems
  • Social media accounts have unique usage characteristics
  • Because social media platforms are viewed as marketing tools, but are also disconnected from enterprise IAM systems, IT often assigns responsibility for managing access to the marketing teams

As we explain below, these three factors, sometimes in isolation and sometimes in combination, undermine efforts to secure social media access.

Best practice: Centralize control of accounts

There are reasons why the global market for Identity and Access Management solutions is expected to reach $43.1 billion by 2029. Leveraging broad integration throughout the IT environment, IAM provides essential functions including authentication, authorization, and identity management.

By centralizing account control, provisioning, and deprovisioning, pulling everything under the IT umbrella, the organization achieves the visibility, control, and automation needed to make resources available to users in a secure and timely manner.

In a typical IAM implementation:

  • Users log in to accounts and platforms from a single dashboard, typically through federated single sign-on (SSO) built on standards such as SAML or OIDC
  • Accounts are automatically provisioned, deprovisioned, and updated as people join, leave, and move around in the organization
  • IT gains full visibility into access activity (i.e., at the level of each individual user), unified governance across the organization’s app stack, and accountability for every action taken

Why social media makes this a challenge

IAM and IGA platforms rely upon APIs and common identity and security standards such as SAML, SCIM, and OIDC, but support for these APIs and standards among social media apps is rare and inconsistent. Social media apps are built to maximize user engagement by making it easy for individuals to create and use accounts, not to enforce enterprise-grade security controls.

Consequently, social media apps are “disconnected” (also sometimes called non-standard, non-federated, or unmanaged), meaning that they exist outside the control of identity providers (IdPs) like Okta or Microsoft Entra ID.

So while centralizing account control is crucial for securing and scaling the organization, applying this best practice to social media accounts is easier said than done. These limitations prevent IAM and IGA platforms from extending the consistent governance, oversight, and automation they provide across the rest of the enterprise.

Best practice: Securely share and track credentials

Sharing credentials is sometimes unavoidable, especially for apps or accounts that do not support individual user identities. In these situations, it’s essential to securely share and track credentials and their usage in order to reduce risk and maintain oversight. Without proper controls for shared access:

  • Users may wind up with more privileges than they need, for longer than necessary, since all users sharing an account receive the same level of access
  • The organization has limited or no visibility into which specific users are accessing which accounts, from where, or in what ways
  • Investigations become challenging because it's difficult to attribute activity to a specific individual

Why social media makes this a challenge

The problem is complicated for a number of reasons. Some organizations may have only a single account with each social media platform, likely with many users who need access to it. Other organizations may have multiple business units or geographical locations, each with its own account on each platform and multiple users per account. As organizations and their reach grow, so do the potential gaps in access security.

Plus, not all users of an organization’s social media accounts are employees or direct team members. External collaborators including agencies and contractors are common extensions of the internal marketing team, and also need access to these same communications channels.

Exacerbating the risks, shared credentials are often distributed through or stored within email, spreadsheets, or collaboration apps. For example, while sharing their experience working with Cerby, Siobhan Sullivan (Director of Global Community Marketing for Crunchyroll) said that, “We have over 300 social media accounts… I hate to admit it, but sometimes passwords would get shared in spreadsheets, emails, or over Slack.”

These informal sharing methods also mean that access is rarely reviewed or revoked, which increases exposure and makes compliance audits far more difficult. So long as organizations are unable to individualize access to social media accounts, shared credentials will remain common despite the obvious and significant risks they introduce.

Best practice: Organization-owned social media accounts

Unlike other enterprise systems, social media platforms still require accounts to be registered to an email address or phone number, which pushes teams toward employee-owned accounts. This creates gaps in visibility, recovery, and governance that become more severe as teams grow, responsibilities shift, and collaboration across regions and business units complicates access management.

Organization-owned social media accounts ensure that access, recovery methods, and authentication factors belong to the business rather than any single person. This prevents disruptions when employees change roles or leave the organization, reduces the risk of orphaned accounts, and gives security and IT teams the authority they need to enforce policy.

In an organization-owned model:

  • Accounts are created using enterprise-controlled email addresses and phone numbers
  • Authentication factors, including MFA, are centrally managed and auditable
  • Ownership stays with the company, enabling consistent governance and continuity

This foundation allows organizations to apply identity and security best practices to social platforms with the same rigor and reliability they expect across the rest of their enterprise systems.

Why social media makes this a challenge

Social platforms are designed to encourage participation, so they make signups as simple as possible. Anyone can create an account with only an email address and a password, and platforms don’t prioritize ties to corporate identity systems. This convenience leads employees, agencies, and contractors to create accounts on their own, using individually owned credentials that companies cannot centrally manage.

The risks surface quickly. If an account owner leaves or changes roles, the business may lose access to the handle or experience delays that impede posting or engagement. If these unmanaged accounts are compromised, both the brand and its social media ad spend are exposed. The damage is not only financial. Losing a handle or having it misused can harm brand reputation and erase years of investment in audience growth. Individually owned accounts also make handoffs difficult, whether between employees or with agencies, and they create significant friction for collaboration. Multi-factor authentication compounds the issue because authentication prompts go to the individual owner, not the team. The result is a system that prioritizes platform growth over enterprise control, leaving brands exposed operationally and financially.

Best practice: Consistently enforce MFA without friction

When implemented correctly (i.e., without phishable fallback options such as SMS or email codes), strong, phishing-resistant multi-factor authentication (MFA) based on the FIDO2/WebAuthn specifications, of which passkeys are one form, is very effective at preventing account takeovers (ATOs). And yet, 89% of enterprises fail to enforce MFA for social media accounts.

Why is that?

Most social accounts and their MFA factors are tied to individual employees rather than the organization, which makes consistent enforcement impossible. Enforcing MFA consistently on social accounts requires more than turning it on: organizations need a way to share MFA access across authorized users that is both secure and frictionless.

Why social media makes this a challenge

As noted above, business social media accounts often rely on shared credentials, and the accounts are usually tied to personal emails or phone numbers. As a result, both the organization’s social media account and MFA factors are owned by an individual rather than the organization itself, creating structural blockers to enforcing MFA.

Suppose that MFA is enabled on a social media account and is configured to deliver one-time passcodes (OTPs), whether by SMS to a phone number or through an authenticator app enrolled on one device. Whoever holds that phone or device receives the code, regardless of which team member is attempting to log in.

That’s no problem at all when the OTP recipient is the user trying to log in, but it quickly breaks down when many users need access and only one person receives the code. Without org-owned MFA factors that can be shared securely across authorized users, teams are left juggling logins across platforms and time zones.

In sharing their experience with us, Crunchyroll’s Sullivan reminisced (not nostalgically) about, “...calls to the account holder in Japan, Australia, or the UK in the middle of the night” to get the OTP code.

Challenges like this persist because neither the account nor its authentication factors belong to the organization. Until social accounts are converted to org-owned identities with org-owned MFA factors, MFA enforcement will always be inconsistent and operationally painful. 

These operational headaches lead many teams to skip enabling MFA altogether, choosing workflow efficiency over security even when they understand the risks. The solution is to shift both the account and its MFA factors to organizational ownership, which allows MFA to be applied consistently and delivered seamlessly to any authorized user. When organizations can centrally manage the account and automatically route or autofill MFA codes to the people who need access, MFA becomes both usable and enforceable at scale.

Best practice: Implement least-privilege access controls

Least-privilege access is a security best practice that grants users only the minimum permissions needed. It’s so effective at reducing the damage of attacks that it’s required by many regulations, standards, certifications, and contracts.

In addition to restricting which applications, data, configuration options, and other resources a user can access, least-privilege access also includes the concepts of just-in-time (JIT) access (only granting access when it’s needed) and revoking access when it’s no longer needed.

Why social media makes this a challenge

Unfortunately, as we touched on above, shared social media credentials work against least-privilege access controls:

  • Every person using a shared credential inherits the full permission set of that single social media account, with no way to enforce least privilege or individual accountability. In practice, these shared social media accounts are often over-permissioned to avoid access issues, which further increases risk
  • Every user who receives the shared credentials retains access until the password is changed or they are manually removed. Rotating the password would cut off departed users, but rotations are rarely performed because every remaining user must then be re-issued the new credential

How can an organization implement least-privilege access controls for social media accounts?

Carefully managing access privileges is one of the main functions of a centralized IAM system, but because social media platforms generally lack the requisite standards and APIs, IAM systems aren’t able to work their magic.

Again, the unique nature of social media stymies best practice efforts. Even if shared credentials were stored and distributed securely, the absence of interoperable identity standards prevents IAM solutions from assigning granular permissions or enforcing time-bound access.

Best practice: Automate identity management processes

In a recent blog, we detailed a number of reasons why organizations need to say goodbye to manual identity management processes, including:

  • The sheer amount of time such processes consume across IT and security teams
  • Increased security risks that come with the delays, inconsistencies, and errors that are unavoidable in any human-led manual process
  • Unnecessarily high compliance risks and costs
  • Loss of employee productivity, as people wait to be granted access

Automation also reduces onboarding bottlenecks by ensuring users have timely access, which directly improves productivity and mitigates creation of shadow IT. It’s no surprise, then, that The 2025 Identity Automation Gap Report showed that 49% of respondents said the single most important step they would take to reduce identity risk is extending automation across more applications and workflows.

What’s stopping them from doing so?

Why social media makes this a challenge

Once more, the culprit is the disconnected nature of so many social media apps.

Despite an overwhelming desire to do so, IT teams are unable to extend automated security workflows, lifecycle management (LCM), SSO, and other crucial processes to cover the full collection of apps that exist within the organization’s sprawling environment, including the social media stack. As long as accounts remain disconnected, lifecycle events like role changes, offboarding, and access reviews must be handled manually, creating unnecessary delays and inconsistent enforcement.

Traditional access management approaches are inapplicable, ineffective, and inefficient

Social media was built for consumers, not enterprises, which is why conventional IAM tools are, at least by themselves, largely inapplicable.

And other traditional approaches can’t close the identity security gap, either:

  • Enterprise password managers (EPMs) help store credentials, but they don’t solve the core problems of shared access. MFA enforcement is inconsistent across social platforms, and users can disable it. The need to share accounts inevitably leads to credentials being passed around outside the EPM vault, creating risks. Password rotation cannot be automated in these tools, which means shared credentials often remain static and exposed long after users change roles or leave the organization. Most critically, corporate social accounts remain tied to individual emails and phone numbers, leaving ownership and recovery outside enterprise control. And because password managers don’t deliver user provisioning and deprovisioning, they fail to deliver true identity automation and governance. These tools were designed to help organizations secure corporate credentials but cannot accommodate broader identity concepts such as provisioning, ongoing governance, or tying access to a user's role and lifecycle, which is why organizations quickly hit a wall when trying to enforce policy at scale.
  • Native social media platform capabilities: Every platform provides different, limited controls, but they rarely integrate with enterprise IAM systems. Managing access across LinkedIn, TikTok, Instagram, X, and the many other social media platforms separately only creates more fragmentation and risk. Each platform handles access, MFA, and account ownership differently, and marketing teams are neither equipped nor resourced to manage these controls effectively or securely. The lack of standardization across platforms means even well intentioned teams cannot enforce a consistent baseline of controls, which creates audit and compliance challenges for security leaders.
  • Custom automation scripts: Building and maintaining scripts to enable some degree of automated management across each and every social media platform an organization uses is a sneakily large commitment. Scripts need to be built and maintained, especially when platforms change APIs or deprecate features. These custom workflows easily break and require constant oversight and vigilance. As a result, scripts often become a fragile web of one off fixes that can’t scale or withstand platform level changes.

Thankfully, there’s another option.

Overcoming social media’s access management hurdles

If only there were some way to bring the social media stack under your organization’s existing IAM and IGA solutions... That way, IT would gain the control, visibility, and automation so important to security and efficiency, and marketing would be able to focus on … well, on marketing.

Fortunately, closing “the app gap” is exactly what Cerby does. By extending enterprise identity to disconnected applications, organizations can unify governance, enforce consistent security controls, and bring social accounts under the same policy driven practices that protect the rest of their environment.

In the final post of our Securing Social Media series, we’ll show you exactly how.

Looking for actionable steps?

Securing Corporate Social Media Accounts: A Playbook for IT Leaders shows how to bring social accounts under enterprise control—without spreadsheets or shared passwords.