Recently a colleague of mine who’s a social media marketer posted a question on Facebook. She said she was sitting down to update her company’s social media guidelines and asked her network for suggestions.
There then helpfully followed a number of good suggestions to which I added my own: “Don’t forget to include security/privacy guidelines,” I wrote.
She wrote me back thanking me and asking me what exactly that would mean.
The exchange we had got me thinking about the importance of guidelines. We in security and privacy regularly speak to the importance of guidelines, policies, and procedures. We talk about how they’re a critical foundation for any good security practice because they set the principles. But the most common question non-experts ask us about guidelines, policies, and procedures is “What should they contain? Can you give me an example”?
And this is where we usually provide the classic engineer’s answer that is technically accurate and honest but completely not helpful: “No, I can’t tell you what your business’ policies should be: they have to be developed by you to reflect your company’s goals and requirements”.
These exchanges generally leave the non-expert frustrated, lost, and directionless. They’ve been told to build something but when they ask for help, they’re told only they can build it.
This is one reason why some organizations never actually develop guidelines: the project gets stuck right in this place between the business side and the technical side.
But many businesses don’t actually understand the importance of having these guidelines in place or the risks they are running into when not having proper security measures in place.
According to Hari Ravichandran, Americans lost $6.9 billion to cybercrime in 2021. When cybercrime impacts a business, that’s even worse because it may result in data loss and a reputation crisis. Cybercrime is a major threat to your brand name and reputation.
It IS the most accurate answer to say that an organization should develop its own guidelines, policies, and procedures. This is because every organization is unique and that has to be reflected accurately in these foundational documents.
But I am also a pragmatist and believe that a basic, cookie-cutter set of guidelines is better than nothing at all.
With that in mind, this month I am providing a short list of security and privacy guidelines that you should feel free to adopt and adapt as part of your social media guidelines. This isn’t a comprehensive or detailed listing: it’s only meant to cover some critical basics. Ideally, this should be something you take and start working with to make truly yours (like we recommend). It’s really intended to give you something to help jump-start your own process for developing guidelines.
- All devices (phones, laptops, computers, etc.) that access social media channels should be fully updated for:
- Operating systems (Windows, Mac OS, Android, iOS).
- Applications (Twitter, Facebook, Hootsuite, Microsoft Office, Adobe Acrobat).
- Helper programs (Java, Adobe Flash).
- Security software (latest version and signatures)
- Any content management and content marketing systems you are using should always be upgraded to the latest versions (which usually come with an updated security system)
- All these devices must be running a full security suite that protects against malware (viruses), spam, phishing, and other threats. (Often it’s best to pick a package for a company and mandate it be used. Also, free security packages only offer very basic layers of protection and shouldn’t be considered adequate). Install some anti-spam plugins and apps.
- All these devices must be password protected to prevent any unauthorized access.
- A full scan by the security software must be done at least once a week.
- A weekly backup of any critical computers or devices should be made and stored in a secured location to prevent theft.
- Computers and devices used to access social media channels should not be used for personal accounts or use. Only approved software and apps should be installed. (Mandating a specific package for managing social media accounts is a good idea here).
- To request a reset for social media-linked email accounts, they should either be corporate email addresses managed by the IT team or if they’re webmail accounts (like Gmail), they must have two-factor authentication enabled.
- All social media accounts should use two-factor authentication when possible.
- Utilize a password manager to create unique, intricate passwords for each social media account (and webmail if needed). Avoid writing passwords down; instead, exclusively handle them through the password manager.
- Official social media channels should never be accessed using “kiosks” or other untrusted, shared devices. A VPN should be used whenever possible. Social media channels should never be used over an unencrypted Wifi network without a VPN.
- All computers, devices, corporate social media accounts, and corporate email are considered the property of the company and must be surrendered or access provided immediately on demand.
These guidelines cover essentials that can help protect your social media channels from various threats as well as provide clarity and direction for employees.
If you’ve not worked with guidelines before, one thing you may be surprised to find is that many people welcome the clarity that prescriptive guidelines like this give. Not everyone wants to figure out what social media package to use, or what security software to use. And in IT we’ve known for a long time that it’s cheaper to support a standard configuration. So while there’s a lot of buzz about “BYOD” (bring your device to work) don’t feel that means you can’t establish some standards. You may find people welcome that.
One critical thing when talking about guidelines: if they’re going to work, they have to apply to EVERYBODY. Nothing kills the effectiveness of guidelines more than a CEO or execs who think they don’t apply to them. If you’re the head of an organization or division and you want people to follow guidelines, set the example and lead from the front.
These guidelines are a baseline and won’t protect against everything that could go wrong. But they do represent a good starting point that gives protection against common threats. Most of all, I think you’ll find that they make people think about things they hadn’t thought about before. And that can help improve your overall security posture.
In time, as you and your folks get used to following guidelines like these, you may feel comfortable taking these and making them more your own and maybe even introducing even better practices. If nothing else, this is a great first step on the path of thinking about security and privacy like a professional.