Previously in our four-part series on securing social media accounts, we’ve shown that social media channels are critical to today’s businesses but are also under attack, and we’ve explored why social media accounts are so insecure and what risks that creates.
In this installment, we examine why organizations struggle to apply proven security best practices to their social media environments, even when they have sophisticated identity and access management systems protecting the rest of their infrastructure. Essentially, it comes down to:
Recall from our earlier posts that:
As we explain below, these three factors, sometimes in isolation and sometimes in combination, undermine efforts to secure social media access.
There are reasons why the global market for Identity and Access Management solutions is expected to reach $43.1 billion by 2029. Leveraging broad integration throughout the IT environment, IAM provides essential functions including authentication, authorization, and identity management.
By centralizing account control, provisioning, and deprovisioning, pulling everything under the IT umbrella, the organization achieves the visibility, control, and automation needed to make resources available to users in a secure and timely manner.
In a typical IAM implementation:
IAM and IGA (identity governance and administration) platforms rely upon APIs and common identity and security standards such as SAML, SCIM, and OIDC, but support for these APIs and standards among social media apps is rare and inconsistent. Social media apps are built to maximize user engagement by making it easy for individuals to create and use accounts, not to enforce enterprise-grade security controls.
Consequently, social media apps are “disconnected” (also sometimes called non-standard, non-federated, or unmanaged), meaning that they exist outside the control of identity providers (IdPs) like Okta or Microsoft Entra ID.
So while centralizing account control is crucial for securing and scaling the organization, applying this best practice to social media accounts is easier said than done. These limitations prevent IAM and IGA platforms from extending the consistent governance, oversight, and automation they provide across the rest of the enterprise.
Sharing credentials is sometimes unavoidable, especially for apps or accounts that do not support individual user identities. In these situations, it’s essential to securely share and track credentials and their usage in order to reduce risk and maintain oversight. Without proper controls for shared access:
The problem is complicated for a number of reasons. Some organizations may have only a single account with each social media platform, with many users who need access to that account. Other organizations may have multiple business units or geographical locations with separate accounts on each social media platform, each with multiple users. As organizations and their reach grow, so do the potential gaps in access security.
Plus, not all users of an organization’s social media accounts are employees or direct team members. External collaborators including agencies and contractors are common extensions of the internal marketing team, and also need access to these same communications channels.
Exacerbating the risks, shared credentials are often distributed through or stored within email, spreadsheets, or collaboration apps. For example, while sharing their experience working with Cerby, Siobhan Sullivan (Director of Global Community Marketing for Crunchyroll) said that, “We have over 300 social media accounts… I hate to admit it, but sometimes passwords would get shared in spreadsheets, emails, or over Slack.”
These informal sharing methods also mean that access is rarely reviewed or revoked, which increases exposure and makes compliance audits far more difficult. So long as organizations are unable to individualize access to social media accounts, shared credentials will remain common despite the obvious and significant risks they introduce.
Unlike other systems, social media platforms still require accounts to be registered to an email address or phone number, which forces teams to rely on employee-owned accounts. This creates gaps in visibility, recovery, and governance that become more severe as teams grow, responsibilities shift, and collaboration across regions and business units complicates access management.
Organization-owned social media accounts ensure that access, recovery methods, and authentication factors belong to the business rather than any single person. This prevents disruptions when employees change roles or leave the organization, reduces the risk of orphaned accounts, and gives security and IT teams the authority they need to enforce policy.
In an organization-owned model:
This foundation allows organizations to apply identity and security best practices to social platforms with the same rigor and reliability they expect across the rest of their enterprise systems.
Social platforms are designed to encourage participation, so they make signups as simple as possible. Anyone can create an account with only an email address and a password, and platforms don’t prioritize ties to corporate identity systems. This convenience leads employees, agencies, and contractors to create accounts on their own, using individually owned credentials that companies cannot centrally manage.
The risks surface quickly. If an account owner leaves or changes roles, the business may lose access to the handle or experience delays that impede posting or engagement. If these unmanaged accounts are compromised, both the brand and its social media ad spend are exposed. The damage is not only financial. Losing a handle or having it misused can harm brand reputation and erase years of investment in audience growth. Individually owned accounts also make handoffs difficult, whether between employees or with agencies, and they create significant friction for collaboration. Multi-factor authentication compounds the issue because authentication prompts go to the individual owner, not the team. The result is a system that prioritizes platform growth over enterprise control, leaving brands exposed operationally and financially.
When implemented correctly (i.e., without phishable fallback options), strong multi-factor authentication (MFA) based on the FIDO2 set of specifications is very effective at preventing account takeovers (ATOs). And yet, 89% of enterprises fail to enforce MFA (or the similarly effective passkeys) for social media accounts.
Why is that?
Most social accounts and their MFA factors are tied to individual employees rather than the organization, which makes consistent enforcement impossible. Enforcing MFA consistently on social accounts requires more than turning it on: organizations need a way to share MFA access securely and without friction.
As noted above, business social media accounts often rely on shared credentials, and the accounts are usually tied to personal emails or phone numbers. As a result, both the organization’s social media account and MFA factors are owned by an individual rather than the organization itself, creating structural blockers to enforcing MFA.
Suppose that MFA is enabled on a social media account and is configured to use one-time passcodes (OTPs). Only one user from the organization receives the passcode at any time, regardless of which team member attempts to log in to the account.
That’s no problem at all when the OTP recipient is the user trying to log in, but it quickly breaks down when many users need access and only one person receives the code. Without org-owned MFA factors that can be shared securely across authorized users, teams are left juggling logins across platforms and time zones.
In sharing their experience with us, Crunchyroll’s Sullivan reminisced (not nostalgically) about, “...calls to the account holder in Japan, Australia, or the UK in the middle of the night” to get the OTP code.
Challenges like this persist because neither the account nor its authentication factors belong to the organization. Until social accounts are converted to org-owned identities with org-owned MFA factors, MFA enforcement will always be inconsistent and operationally painful.
These operational headaches lead many teams to skip enabling MFA altogether, choosing workflow efficiency over security even when they understand the risks. The solution is to shift both the account and its MFA factors to organizational ownership, which allows MFA to be applied consistently and delivered seamlessly to any authorized user. When organizations can centrally manage the account and automatically route or autofill MFA codes to the people who need access, MFA becomes both usable and enforceable at scale.
Least-privilege access is a security best practice that grants users only the minimum permissions needed. It’s so effective at reducing the damage of attacks that it’s required by many regulations, standards, certifications, and contracts.
In addition to restricting which applications, information, data, configuration options, resources, and so on a user can access, least-privilege access also includes the concepts of just-in-time (JIT) access (only granting access when it’s needed) and revoking access when it’s no longer needed.
Unfortunately, as we touched on above, shared social media credentials work against least-privilege access controls:
How can an organization implement least-privilege access controls for social media accounts?
Carefully managing access privileges is one of the main functions of a centralized IAM system, but because social media platforms generally lack the requisite standards and APIs, IAM systems aren’t able to work their magic.
Again, the unique nature of social media stymies best practice efforts. Even if shared credentials were implemented, the absence of interoperable identity standards prevents IAM solutions from assigning granular permissions or enforcing time-bound access.
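To make the two preceding points concrete (an org-owned MFA factor that can be delivered to any authorized teammate, and JIT grants that expire or can be revoked), here is an added example that is not Cerby’s code or any platform’s API. It implements RFC 6238 TOTP from the organization-held seed and wraps it in a hypothetical grant-checked, audited issuer; the seed is the RFC reference value and the user and account names are constructed.

```python
import hashlib
import hmac
import struct

# Constructed sample seed (the RFC 6238 reference value), not a real account's secret.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the 30-second time step."""
    return hotp(secret, int(now // step), digits)


class OrgOwnedTotp:
    """Org-held TOTP seed for one shared social account (hypothetical design).
    Codes go only to users with an unexpired JIT grant; every request is logged."""

    def __init__(self, account: str, secret: bytes):
        self.account = account
        self._secret = secret       # belongs to the org, not to anyone's phone
        self._grants = {}           # user -> grant expiry (unix time)
        self.audit = []             # (time, user, outcome) for access reviews

    def grant(self, user: str, ttl_seconds: int, now: float) -> None:
        """JIT grant: access is time-bound and lapses without manual cleanup."""
        self._grants[user] = now + ttl_seconds

    def revoke(self, user: str) -> None:
        """Offboarding or role change: remove the user's grant immediately."""
        self._grants.pop(user, None)

    def code_for(self, user: str, now: float):
        """Current code for an authorized user, or None plus a 'denied' audit entry."""
        expiry = self._grants.get(user)
        if expiry is None or now >= expiry:
            self.audit.append((now, user, "denied"))
            return None
        self.audit.append((now, user, "issued"))
        return totp(self._secret, now)
```

Because the seed is held by the organization, the same code can be issued to the teammate in Japan and the agency contractor in the UK without waking the account holder, while the audit list gives reviewers the per-user record that shared spreadsheets never did.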
In a recent blog, we detailed a number of reasons why organizations need to say goodbye to manual identity management processes, including:
Automation also reduces onboarding bottlenecks by ensuring users have timely access, which directly improves productivity and mitigates the creation of shadow IT. It’s no surprise, then, that The 2025 Identity Automation Gap Report showed that 49% of respondents said the single most important step they would take to reduce identity risk is extending automation across more applications and workflows.
What’s stopping them from doing so?
Once more, the culprit is the disconnected nature of so many social media apps.
Despite an overwhelming desire to do so, IT teams are unable to extend automated security workflows, lifecycle management (LCM), SSO, and other crucial processes to cover the full collection of apps that exist within the organization’s sprawling environment, including the social media stack. As long as accounts remain disconnected, lifecycle events like role changes, offboarding, and access reviews must be handled manually, creating unnecessary delays and inconsistent enforcement.
Social media was built for consumers, not enterprises, which is why conventional IAM tools are, at least by themselves, largely inapplicable.
And other traditional approaches can’t close the identity security gap, either:
Thankfully, there’s another option.
If only there were some way to bring the social media stack under your organization’s existing IAM and IGA solutions... That way, IT would gain the control, visibility, and automation so important to security and efficiency, and marketing would be able to focus on … well, on marketing.
Fortunately, closing “the app gap” is exactly what Cerby does. By extending enterprise identity to disconnected applications, organizations can unify governance, enforce consistent security controls, and bring social accounts under the same policy-driven practices that protect the rest of their environment.
In the final post of our Securing Social Media series, we’ll show you exactly how.
Securing Corporate Social Media Accounts: A Playbook for IT Leaders shows how to bring social accounts under enterprise control—without spreadsheets or shared passwords.