How safe is your company's Twitter account?
November 12, 2012: 11:40 AM ET
In light of last week's massive password reset, businesses should shore up their security measures. What do the experts suggest?
By Don Sears, contributor
FORTUNE -- Did Twitter force you to change your password last week? While it may have been an inconvenience to social media managers, the micro-blogging giant had some very good reasons to take this action.
Twitter admitted Thursday that it accidentally forced password updates on more accounts than it needed to, but as a security practice and policy, your company should get used to changing and strengthening social media security.
It's becoming standard practice for major web-centric companies to force changes when large swaths of compromised user accounts become available online, said Marcus Carey (@ThreatAgent), a security researcher for Rapid7 and former member of the U.S. Navy Cryptologic Security Group and National Security Agency.
These groups of accounts become available in a variety of ways: one is through hacking organizations such as Anonymous, which posted 28,000 compromised accounts online last week, Carey says. Twitter's security team, along with those of other companies such as Google (GOOG), Yahoo (YHOO) and Facebook (FB), will then take the stolen accounts' information and check it against their own accounts. If your information or your company's is discovered through cross-reference, don't be shocked when you get an email forcing changes.
In light of this practice, there are several things you can do to keep your company's account safe and sound and to minimize and mitigate social media risks.
First off, companies have to start with stronger password management itself. Is your marketing department using the same universal login and password for every social media account your company uses? Stop it, advises Carey. Next, social media managers need to use more difficult password combinations. Afraid you won't remember them all? Don't fret. Password technology like LastPass software and others can create passwords for whatever you need.
Additionally, Carey advises treating social media as a one-way broadcast only. Twitter and Facebook are there to send information, not to communicate two ways.
"Treat things as if they are un-trusted already," Carey said. "Do not do official communications on social media networks: No personal information or phone numbers; No direct messages that could embarrass you or your company. You need to treat it as a weak-link communication. Information should only go one way, and that is out."
One of the most innocuous things we use every day might also compromise social media security: corporate email. Many users attach their corporate email addresses to their company's Twitter, Facebook and LinkedIn (LNKD) accounts. It seems safe enough, but Carey advises that social media managers take a closer look at that policy, set up free email accounts with, say, Google, Yahoo and others, and do everything they can to keep corporate email out of the social-snooping sphere.
"One area you don't see enough policing from security professionals inside companies is the use of corporate email accounts for personal social media accounts like on Facebook and Twitter," said Carey. "When a personal account gets compromised, hackers can use that information to see if they use the same passwords on that person's work email, and you'd be surprised how many people do it. It's a big risk area," he says. "Keeping corporate aliases (as in email@example.com) out of the public realm is something I would suggest. "
So what about companies that already have social media policies in place? Carey believes most internal social media policies are very focused on reputational conduct rather than actual secure operational practices. Better password management along with limiting corporate email exposure should help. In the case of Twitter, so will two-factor authentication, Carey relayed.
What's two-factor authentication? It's adding a verification layer to an account when there are questions of who has accessed it. A number of banks and web companies like Google and Facebook are practicing this now. Chase does this regularly when you log in to your online account. The company asks for further authentication if it does not recognize the system you are logging in from by requesting to send you a password via text message to a mobile device it has already verified as yours. By adding this step, companies are ensuring a higher level of security.
"This is where everything is headed," said Carey. "We will probably see this on Twitter soon. Google is doing it via SMS (text), and there are some apps out there that handle this now."
Another area to consider: Insurance. You may think your company's reputation and slander risk are covered by Commercial General Liability agreements already in place, but you could be missing some key areas of coverage, advises John Nicholson, a Washington, D.C., attorney who specializes in privacy and data security issues. Sony (SNE) found that out the hard way in 2011 after hackers exposed holes in the PlayStation Network when the company tried to prevent one user from modifying his gaming unit. Its insurance company argued that Sony's CGL did not cover these situations.
"There are a lot of unknown risks in social media and data breaches, but insurance companies are signing more and more specific policies in these areas," Nicholson said. "But it's important to note that for those companies who are behind the curve, it is a big undertaking to even qualify for these policies. It means the insurance companies will subject you to very detailed and deep risk profiling before they can assess policy eligibility."
The costs of such policies will depend upon the risk profile you fall under, Nicholson intimated, so you will want to work closely with your company's top internal security and risk management officers to help design the protection you need.
"Security is about reducing and offsetting risk," said Carey. "So I encourage you to look in to it [insurance] as another layer."