On January 12, a group claiming to be connected to ISIS hacked the Twitter and YouTube accounts of U.S. Central Command, also known as CENTCOM. If the military can be hacked, is your agency’s social media vulnerable to a hacker attack? How can your agency protect itself on social media?
The hack of CENTCOM’s social media seems to have been intended as little more than an embarrassing nuisance, rather than any sort of nefarious terrorism plot. CENTCOM’s official statement called the incident “cybervandalism” and departing Defense Secretary Chuck Hagel dismissed it as “not a big deal.”
I may well be courting hubris to disagree with military leadership, but even if no state secrets were revealed in the hack (and CENTCOM says none were), your agency’s cybersecurity is something to take seriously. The hijacking of these U.S. military social media accounts is a reminder to all government agencies and employees to protect their social media accounts from hackers.
Here are steps you can take to make your agency’s social media accounts more secure. Many of these tips can also help you lock down your personal social media.
Tips for Preventing Social Media Hacking
Arm Your Colleagues With Information. Your social media security is only as strong as your weakest link—that is, your least vigilant colleague. Once you put new security measures in place, make sure that everyone knows how the agency is protecting its accounts from hackers. Explain their role in keeping accounts secure and educate them about anything they need to learn, like how to recognize phishing emails and spot suspicious email attachments.
Review Permissions. It’s easy to forget how many third-party apps and sites have access to your private information through your social media accounts. If the apps are untrustworthy or outdated, they can even open up security holes in your social media. MyPermissions Cleaner scans your app permissions and makes it easy to delete the ones you no longer want. Once you’ve spring cleaned your app permissions, be choosy about which new ones you install.
Use Strong, Unique Passwords. The worst password is an obvious one. Since most of us aren’t very creative when choosing our passwords, “brute-force” hacking programs try the most common passwords first. Avoid the obvious and easy-to-hack, and instead choose a really strong password. Alas, it’s not enough to devise one remarkably clever, unhackable password—you need a completely different password for each and every site you use. Sound impossible to manage? The next tip will help you out.
Get a Password Manager. That sticky note with your passwords scribbled on it doesn’t cut it anymore (and let’s be honest, it never did). A good password manager does several things: it stores your passwords, it creates strong passwords for you at the click of a button, and it can even give you access to your passwords across multiple devices like your computer and smartphone. A few options include LastPass, Dashlane, 1Password, and Kaspersky Password Manager, some of which offer enterprise solutions that could be used at the agency level. Of course, check with your agency’s IT staff to make sure the password manager you want to use is approved for work use.
Turn on Two-Factor Authentication. Strong passwords can still be hacked or mismanaged. Many websites and apps offer what’s called “two-factor authentication” or a similar type of login verification. Two-factor authentication requires two things when you log in: your password and something else that proves that you’re you, which could be a confirmation code sent to your cell phone or the answer to a personal question. Two-factor authentication is one of the best ways to protect your accounts. Learn how to set up login verification on Twitter.
Stop Emailing Passwords. A password is supposed to be secret, and if we’ve learned anything from the Sony hacks, it’s that email is far from secure. It doesn’t matter how strong your agency’s passwords are if you and your colleagues share them via email or instant messenger. Sending a password to someone by email or instant message can put the security of your accounts at risk. Instead, hop on the phone or securely share the password using your password manager (a feature offered by LastPass and others).
And, of course, only share passwords with people you trust. Or, if you’re more the Fox Mulder type, trust no one.
Lauren Girardin is a marketing and communications consultant, writer, and trainer. Find her on Twitter at @girardinl.