What Businesses Should Know About Social Media Hacking
Social media is very powerful, and it can hurt a business quickly. It can help a business as well, but that takes longer.
The case for a social media presence is that people trust recommendations and reviews by others more than they trust advertising. So there is an upside to participating in social media, and a very big downside to not being involved.
At the basic level, reviews on Google Maps or local directories like Yelp are very influential, however you use them. Next, when people are looking for a product or service, they often turn to Google to find out who does a good job, so showing up in a Google search is important as well. That is usually a conversation about search engine optimization and Internet marketing, which is related to social media but not the same thing. The important thing to know about directories is that the reviews on them can be negative and cause a drop in business without you knowing why. So it is important to make sure your information on the directories is correct, and it is probably helpful to run some kind of contest or incentive to get your customers to leave you a good review.
Twitter is in many cases the most visible and influential because of its immediate nature and huge reach. On social media accounts like Facebook and LinkedIn, most posts are limited to friends, groups you belong to, or organizations you have Liked.
Twitter is completely different. If you have a Twitter account, anyone can see what you say, and can see your entire history of posts, unless you delete them. You can search all of Twitter for a word or phrase and find the people who talk about it. I use Twitter to follow my customers, vendors, and competitors. Much of what people put out on Twitter is inane chatter, but some of it is very interesting. It is like having your own private news clipping service, with people providing you relevant and important information.
Then there is the element of Twitter called a hashtag. You can take any word or combination of words, put a pound sign (#) in front of it, and it becomes a subject. Anyone on Twitter who wants to post about that subject just has to include the appropriate hashtag, and other people set up searches so they can see what others say about it.
During the Burger King hack, people could see what was being said either by subscribing to the Burger King account, whose name had been changed to @McDonalds, or by searching for the hashtag the hacking group was using, #OpMadCow. Yes, it got a lot of attention, but it was an obvious hack.
What can be worse is a company trying to be edgy on Twitter and instead offending people. That has happened a few times. Obviously executives at companies cringe on hearing such stories. It can make them want to stay away from Twitter, not give their social media marketing person the ability to tweet, or only make boring tweets. Or not respond quickly.
Any of those is a mistake. People don't want to subscribe to boring and impersonal Twitter accounts. Twitter is all about riding current events in a positive way, getting information out to potential customers through a trusted channel, and responding to potential negative publicity quickly and effectively.
A single disgruntled customer can make a big presence on Twitter about a company's customer service issues. The longer it takes to respond, the worse it can be.
But any PR can be made into a positive. Burger King now has a lot more Twitter followers. It is kind of an amusing story because it is something people can watch happening to others, and no harm was caused. So, even though it appears to have turned out OK for Burger King, what should companies do to prevent being hacked like this in the future?
First, a Twitter account gets hacked by someone either getting the password or resetting the password of the account. So somewhere the hackers must have gotten hold of the password. This is typically done in a few different ways.
The first and most common is the social hack (social engineering). This is where someone finds out who knows the password, then calls them, impersonates someone, and demands the password. The hacker can pose as a member of IT, an executive, or anyone the person who knows the password would give it up to.
The first rule is: never give out the password when asked by someone you don't actually know. IT should not ask for the password, and if they do, tell them you need to see them in person, or that they need to reset the password themselves and tell you the new one.
The next most common is getting hacked by a botnet. This is where your computer is infected by visiting a website that puts a hacking program on your computer. Your computer becomes part of a large network of infected computers, a botnet, and the controller of the botnet can typically find out what you are doing on your computer. The botnet's hacking program will typically scan for interesting information like usernames, passwords, personal information, and credit card numbers, and send it on.
The best way to protect against a botnet hack is a multilayered defense. Start with a basic antivirus program on the computer. More important is a next generation firewall that scans all Internet traffic for specific patterns, like botnet traffic, and also prevents people from going to infected websites with a good web filter. Most people already have spam and email virus filters.
Another way to hack people is a very targeted email (phishing). This could be an email that looks like it comes from a big company, with a clickable link for you to go and enter your information, including username and password. Beware! Some of the ones that work well appeal to people's desire to get something for nothing, so they click the link and enter the information.
It is always safer to go to the website yourself on the browser, using a bookmark or a web search, than to click on an email link.
There are other things that can be done regarding password policy: making the password somewhat complicated, or a longer phrase with numbers in it, changing it a couple of times a year, and not using just one master password for every account. In fact, I like to use a password management program, so I only have to type one master password, and all the others get remembered. Unless someone has access to that specific application and the master password, they can't hack all my accounts.
To be even more secure, there is two- and three-factor authentication. Hospitals use that a lot. One factor usually means something you know, like your username and password. Two factor usually means something you know and something you have, like a username and password plus a device that provides a different password whenever you log in. Three-factor authentication adds something you are: adding a retinal scan to the mix would make it three factor.
If there are connected systems that could cause a lot of damage or monetary loss if hacked, they should be protected better than the average business. Countries already use that as part of their low-level conflicts, just like someone did to the Iranians with the Stuxnet virus that disrupted their uranium processing.
The hacking Burger King experienced was not harmful in the big scheme of things. They got publicity, and no damage was done.
Businesses need to ask themselves what would happen if they lost all their records: all the payroll, accounting, customer records, and inventory records. Then they need to take positive action to make sure not everything gets lost. This includes a combination of physical security, data security, and business continuity. The information needs to be backed up to a safe place, and there has to be a plan for recovering it if it is lost. There are many good and experienced IT consultants and vendors who can help with that, so I recommend you ask your current consultant about it, and engage one if you don't have one who can meet your needs.
Author: Rolf Versluis
Published at Priority Queue