Whether they’re used to provide information, grow awareness, build relationships, drive engagement, power campaigns, provide customer support, or fulfill another need, social media platforms represent a brand or organization in the digital world.

However, along with an unmatched ability to reach and interact with audiences, social media is a security nightmare for the IT administrators tasked with safeguarding the organization.

In a four-part Securing Social Media series, we’ll examine:

  • Social media’s security issues and the associated business risks
  • Why social media resists efforts to leverage existing identity infrastructure and apply best practices
  • How to gain the control, visibility, and automation needed to empower your organization to safely use social media

But before we get to those topics, we begin our series by looking at the state of social media security today, examining:

  • Why social media is so important for today’s organizations
  • Why threat actors target business social media accounts
  • Why business social media accounts are insecure

Social media is a critical business channel—and it’s under attack

Social media platforms, sites, and services enable the creation, sharing, curation, and aggregation of content—with networking, discussions, and user-generated content often playing significant roles. Some services cater to specific interests and audiences, while others have much broader user bases.

Importantly, “social media” includes not only platforms such as X, TikTok, and Instagram, but also messaging (e.g., Snapchat), networking (e.g., LinkedIn), and forums (e.g., Reddit).

The varied features and demographics are why, from the smallest businesses and non-profits to the largest enterprises and governments, social media platforms collectively form a critical communications channel. In many cases, social media accounts serve as the prime point of interaction with customers and constituents—even more important than a website.

Unfortunately, many of the same characteristics that make social media so essential to today’s organizations also make social media accounts prime targets for malicious actors.

Attackers regard social media accounts as high-value targets

Why have cyber criminals set their sights on social media accounts?

Here are five reasons (we’ll expand on some of these in the second part of this series) why threat actors consider social media channels to be valuable:

  • Social media has tremendous reach, so a successful account takeover (ATO) can enable an attacker to present a message to an audience of millions.
  • Social media is highly visible, providing an attacker with considerable leverage to embarrass or otherwise harm an organization.
  • Social media can be used to gather valuable information about an organization and its customers.
  • Social media accounts may include funds (e.g., for advertising) that can be redirected to enrich attackers.
  • Social media accounts can be leveraged as part of longer attack chains, as threat actors attempt to fully breach an organization.

Attacks against social media accounts are common and costly

Social media security usually isn’t at the top of an IT department’s list of priorities, but it’s time to reconsider the threat.

According to research by Jobera:

  • More than half of companies (56%) have experienced social media hacking at least once.
  • The average social media hacking incident can cost a company $200,000 in damages (and it’s worth bearing in mind that the costs could potentially soar due to legal fallout, compliance consequences, and larger breaches).

Unfortunately, not only are social media accounts valuable to attackers, they’re also very easy targets.

Social media accounts are insecure

Social media platforms were initially built for consumers, not businesses—and certainly not enterprises.

These humble beginnings mean that attacks don’t need a Mission Impossible level of sophistication to succeed—basic approaches such as phishing and credential stuffing are often enough to compromise an account.

Social media accounts exist beyond the control of IAM systems

In an ideal world, all the apps used by an organization are secured through a modern Identity and Access Management (IAM) platform, perhaps coupled with an Identity Governance and Administration (IGA) solution.

These systems help to secure application access, simplify administration, and support compliance by (among other things):

  • Centralizing authentication
  • Implementing strict access controls
  • Providing granular visibility into which users and non-human identities (NHIs) are accessing which apps (and other resources)

To perform these functions, IAM and IGA platforms rely upon APIs and identity and security standards such as SAML, SCIM, and OIDC.

Unfortunately, most social media apps lack these hooks.

This means that, like other “disconnected” apps (also called non-standard, non-federated, or unmanaged apps), social media apps exist outside the control of identity providers (IdPs) such as Okta or Microsoft Entra ID. Organizations are ultimately forced to fall back on manual processes and fragmented workflows, with consequences including orphaned accounts, excessive privileges, and poor visibility.

Social media accounts have unique usage characteristics

Compounding the access management challenge, many social media platforms require users to sign up with personal profiles to create and manage business accounts. This design choice means corporate social media access is inherently tied to individual employees' personal identities, creating ownership confusion and recovery nightmares when employees leave or change roles.

Not only that, but organizations often have many users who need to access many different social media platforms.

For example, while sharing their experience working with Cerby, Siobhan Sullivan (Director of Global Community Marketing for Crunchyroll) noted that “We have over 300 social media accounts.”

Plus, not all users of an organization’s social media accounts are employees or direct team members. External collaborators, including agencies and contractors, are common extensions of the internal marketing team and need access to these same communications channels. These partners often retain access after projects end, either through delayed deprovisioning or because recovery credentials are tied to their personal information.

Inevitably, “ghost accounts” accumulate as organizations lose track of dormant or unofficial accounts created by employees, contractors, or agencies.
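Because the platforms offer no SCIM hook to drive deprovisioning, the practical fallback is a periodic access review that compares the hand-maintained list of who holds which role on which account against the IdP’s active-user export and the contractor roster. The script below is an added example written for this article, not Cerby’s product code or any platform’s API; the inventory, directory export, collaborator roster, and review date are all constructed, and the idea that a generic mailbox login signals a shared credential is an assumption stated in the comments.

```python
"""Reconcile social media account grants against an IdP export.

Added example with constructed data: the grants list stands in for the
spreadsheet a marketing team keeps because social platforms expose no
SAML/SCIM integration; ACTIVE_USERS stands in for an IdP export and
COLLABORATORS for a vendor-management roster. Nothing here is real.
"""
from datetime import date
from typing import NamedTuple


class Grant(NamedTuple):
    platform: str     # e.g. "LinkedIn"
    account: str      # brand page or handle the role applies to
    holder: str       # personal login that holds the role (how platforms are designed)
    role: str         # "admin", "editor", ...
    last_used: date   # last login taken from the platform's activity log


class Collaborator(NamedTuple):
    email: str
    engagement_end: date   # contract end date; access should end with it


# Constructed access inventory (no real accounts or people).
GRANTS = [
    Grant("LinkedIn", "@examplecorp", "alice@examplecorp.test", "admin", date(2024, 5, 20)),
    Grant("Instagram", "@examplecorp", "bob@examplecorp.test", "editor", date(2023, 11, 2)),
    Grant("X", "@examplecorp", "carol@agency.test", "admin", date(2024, 5, 18)),
    Grant("TikTok", "@examplecorp", "dave@examplecorp.test", "admin", date(2024, 5, 21)),
    Grant("X", "@examplecorp_eu", "social@examplecorp.test", "admin", date(2024, 5, 19)),
]

# Constructed IdP export: workforce identities that are currently active.
ACTIVE_USERS = {"alice@examplecorp.test", "dave@examplecorp.test"}

# Constructed roster of external collaborators with contract end dates.
COLLABORATORS = [Collaborator("carol@agency.test", date(2024, 3, 31))]

# Assumption: a role held by a generic team mailbox is a credential that is
# shared among several people rather than tied to one accountable person.
SHARED_MAILBOX_PREFIXES = ("social@", "marketing@", "admin@")

# Constructed date on which the review is run.
REVIEW_DATE = date(2024, 6, 1)


def reconcile(grants, active_users, collaborators, today, dormant_after_days=90):
    """Return (finding, grant) pairs for the access review, in inventory order.

    Findings:
      shared_credential    - role held by a generic mailbox login
      orphaned             - holder is neither an active user nor a known collaborator
      expired_collaborator - holder is a collaborator whose contract has ended
      dormant              - role unused for longer than dormant_after_days
    """
    contract_end = {c.email: c.engagement_end for c in collaborators}
    findings = []
    for g in grants:
        if g.holder.startswith(SHARED_MAILBOX_PREFIXES):
            findings.append(("shared_credential", g))
        elif g.holder in active_users:
            pass  # current employee; nothing to flag on identity grounds
        elif g.holder in contract_end:
            if contract_end[g.holder] < today:
                findings.append(("expired_collaborator", g))
        else:
            findings.append(("orphaned", g))  # likely a departed employee or ghost account
        if (today - g.last_used).days > dormant_after_days:
            findings.append(("dormant", g))
    return findings


def run_review():
    """Run the reconciliation over the constructed data set."""
    return reconcile(GRANTS, ACTIVE_USERS, COLLABORATORS, REVIEW_DATE)


if __name__ == "__main__":
    for finding, grant in run_review():
        print(f"{finding:20} {grant.platform}/{grant.account} held by {grant.holder} ({grant.role})")
```

On the constructed data the review flags Bob’s Instagram editor role as both orphaned and dormant, Carol’s X admin role as belonging to a collaborator whose contract ended two months earlier yet was still in use, and the `social@` login as a shared credential. In practice the grants list would be exported from each platform’s page-roles or team settings, and the IdP export from Okta or Entra ID, but the reconciliation logic is the same regardless of source.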

Marketing teams typically manage access—amplifying risk and harming efficiency

Because social media platforms are viewed as marketing tools and are disconnected from enterprise IAM systems, IT often assigns responsibility for managing access (provisioning, deprovisioning, managing permissions, auditing usage, and so on) to marketing teams.

Lacking the automation provided by IAM solutions, this work is highly manual, tedious, and error-prone. This not only creates inefficiency and impedes scaling, but—quite predictably—the combination of manual processes and social media’s unique usage characteristics frequently leads to poor security habits, including:

  • Sharing credentials
  • Weak, formulaic, reused, and long-lived passwords
  • Not using multi-factor authentication (MFA) or passkeys

The status quo isn’t working for anyone

Marketing wants to do their jobs by:

  • Using the tools of their trade, conveniently and without putting the organization at risk
  • Spending their time on marketing activities, rather than executing identity and access management workflows

At the same time, IT wants visibility, control, and automation that will allow them to:

  • Secure the organization’s applications and resources
  • Support compliance and enable incident investigations
  • Increase efficiency and prevent the errors that inevitably arise in manual processes

Right now, neither group is getting what they want—and what the organization needs.

Looking for actionable steps?

Securing Corporate Social Media Accounts: A Playbook for IT Leaders shows how to bring social accounts under enterprise control—without spreadsheets or shared passwords.