Whether they’re used to provide information, grow awareness, build relationships, drive engagement, power campaigns, provide customer support, or fulfill another need, social media platforms represent a brand or organization in the digital world.
However, along with an unmatched ability to reach and interact with audiences, social media is a security nightmare for the IT administrators tasked with safeguarding the organization.
In a four-part Securing Social Media series, we’ll examine:
But before we get to those topics, we begin our series by looking at the state of social media security today, examining:
Social media platforms, sites, and services enable the creation, sharing, curation, and aggregation of content—with networking, discussions, and user-generated content often playing significant roles. Some services cater to specific interests and audiences, while others have much broader user bases.
Importantly, “social media” includes not only platforms such as X, TikTok, and Instagram, but also messaging (e.g., Snapchat), networking (e.g., LinkedIn), and forums (e.g., Reddit).
The varied features and demographics are why, from the smallest businesses and non-profits to the largest enterprises and governments, social media platforms collectively form a critical communications channel. In many cases, social media accounts serve as the prime point of interaction with customers and constituents—even more important than a website.
Unfortunately, many of the same characteristics that make social media so essential to today’s organizations also make social media accounts prime targets for malicious actors.
Why have cyber criminals set their sights on social media accounts?
Here are five reasons (we’ll expand on some of these in the second part of this series) why threat actors consider social media channels to be valuable:
Social media security usually isn’t at the top of an IT department’s list of priorities, but it’s time to reconsider the threat.
According to research by Jobera:
Unfortunately, not only are social media accounts valuable to attackers, they’re also very easy targets.
Social media platforms were initially built for consumers, not businesses, and certainly not enterprises.
Those consumer origins still show in how the platforms authenticate users: a username and password, with multi-factor authentication optional and enterprise single sign-on often unsupported. Attacks therefore don’t need a Mission Impossible level of sophistication to succeed; basic approaches such as phishing and credential stuffing are often enough to compromise an account.
In an ideal world, all the apps used by an organization are secured through a modern Identity and Access Management (IAM) platform, perhaps coupled with an Identity Governance and Administration (IGA) solution.
These systems help to secure application access, simplify administration, and support compliance by (among other things):
To perform these functions, IAM and IGA platforms rely on APIs and open identity standards: SAML and OIDC for federated login, and SCIM for automated provisioning and deprovisioning.
Unfortunately, most social media apps lack these hooks.
This means that, like other “disconnected” apps (also called non-standard, non-federated, or unmanaged apps), social media apps sit outside the control of identity providers (IdPs) such as Okta or Microsoft Entra ID. Deactivating a user in the IdP does not propagate to the social platforms, so organizations fall back on manual processes and fragmented workflows, with consequences including orphaned accounts, excessive privileges, and poor visibility.
Compounding the access management challenge, many social media platforms require users to sign up with personal profiles to create and manage business accounts. This design choice means corporate social media access is inherently tied to individual employees' personal identities, creating ownership confusion and recovery nightmares when employees leave or change roles.
Not only that, but organizations often have many users who need to access many different social media platforms.
For example, while sharing their experience working with Cerby, Siobhan Sullivan (Director of Global Community Marketing for Crunchyroll) noted that “We have over 300 social media accounts.”
Plus, not all users of an organization’s social media accounts are employees or direct team members. External collaborators including agencies and contractors are common extensions of the internal marketing team, and also need access to these same communications channels. These partners often retain access after projects end, either through delayed deprovisioning or because recovery credentials are tied to their personal information.
Inevitably, “ghost accounts” accumulate as organizations lose track of dormant or unofficial accounts created by employees, contractors, or agencies.
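The three failure modes described above (employee accounts that outlive the employee, external collaborators who keep access past their engagement, and dormant ghost accounts) can all be caught by reconciling the IdP's list of active users against whatever register of social media credentials the marketing team keeps. The following Python is an added example written for this article, not Cerby's code or any social platform's API. Because social media apps expose no SCIM endpoint to query, both inputs are constructed inline (the e-mail addresses, handles, and dates are made up) and stand in for an IdP user export and a hand-maintained access spreadsheet.

```python
"""Reconcile social media account access against the identity provider.

Added example, not Cerby's code. Inputs are constructed samples standing in
for (a) an IdP export of active users and (b) a manually kept register of who
holds credentials for each social account. Since social apps have no SCIM
hook, this is the kind of check that otherwise never runs.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample: identities the IdP currently considers active.
IDP_ACTIVE_USERS = {"alice@example.com", "bob@example.com"}


@dataclass(frozen=True)
class AccessRecord:
    platform: str
    handle: str
    holder: str                          # who holds a credential for the account
    holder_type: str                     # "employee" or "external"
    last_login: date                     # last login by this holder
    engagement_ends: Optional[date] = None  # contract end date, for externals


# Constructed sample register (what marketing tracks by hand).
REGISTER = [
    AccessRecord("x", "@examplecorp", "alice@example.com", "employee", date(2024, 5, 1)),
    # carol left the company; nobody removed her from the shared X login
    AccessRecord("x", "@examplecorp", "carol@example.com", "employee", date(2024, 3, 2)),
    # agency contact whose engagement ended in February but still logs in
    AccessRecord("instagram", "examplecorp", "dave@agency.test", "external",
                 date(2024, 4, 20), engagement_ends=date(2024, 2, 28)),
    # old campaign account nobody has touched since last year
    AccessRecord("tiktok", "examplecorp_old", "bob@example.com", "employee", date(2023, 9, 1)),
]


def find_orphaned(register, idp_active):
    """Employee holders the IdP no longer knows: offboarded but never deprovisioned."""
    return [r for r in register
            if r.holder_type == "employee" and r.holder not in idp_active]


def find_stale_external(register, today):
    """External collaborators whose engagement has ended but who still hold access."""
    return [r for r in register
            if r.holder_type == "external"
            and r.engagement_ends is not None
            and r.engagement_ends < today]


def find_ghost_accounts(register, today, dormant_days=90):
    """Accounts with no login by any holder within dormant_days: ghost candidates."""
    cutoff = today - timedelta(days=dormant_days)
    latest_login = {}
    for r in register:
        key = (r.platform, r.handle)
        latest_login[key] = max(latest_login.get(key, date.min), r.last_login)
    return sorted(key for key, last in latest_login.items() if last < cutoff)


def reconcile(register=REGISTER, idp_active=IDP_ACTIVE_USERS, today=date(2024, 6, 1)):
    """Run all three checks and return findings as plain tuples for reporting."""
    return {
        "orphaned": [(r.platform, r.handle, r.holder)
                     for r in find_orphaned(register, idp_active)],
        "stale_external": [(r.platform, r.handle, r.holder)
                           for r in find_stale_external(register, today)],
        "ghost_accounts": find_ghost_accounts(register, today),
    }


if __name__ == "__main__":
    for finding, items in reconcile().items():
        print(f"{finding}: {items}")
```

In practice the IdP side would come from the identity provider's user export and the register from whatever inventory the organization actually has. The point is that once both lists exist the checks are mechanical; a connected app gets them for free from the IdP, a disconnected social media app gets them only if someone runs something like this on a schedule.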
Because social media platforms are viewed as marketing tools, but are also disconnected from enterprise IAM systems, IT often assigns the responsibility for managing access (e.g., provisioning, deprovisioning, managing permissions, auditing usage, etc.) to marketing teams.
Lacking the automation provided by IAM solutions, this work is manual, tedious, and error-prone. It not only creates inefficiency and impedes scaling, but, quite predictably, the combination of manual processes and social media’s unique usage characteristics frequently leads to poor security habits, including:
Marketing wants to do its job by:
At the same time, IT wants visibility, control, and automation that will allow them to:
Right now, neither group is getting what they want—and what the organization needs.
Securing Corporate Social Media Accounts: A Playbook for IT Leaders shows how to bring social accounts under enterprise control—without spreadsheets or shared passwords.