[This post is the second in a series on social media ownership. The first post covered social media content ownership in the context of the competing interests between users of social media platforms and the companies that run them.]
Now that we’ve identified ways to maintain (some) control and get the most out of engaging with the (mainly) giant, faceless corporations running the social media services, let’s make sure our own house is in order.
What’s at stake?
If you lose access to your social media accounts, either because a password is lost or someone nasty takes over your account, it can be really damaging. Time spent building relationships and growing a following may go to waste; recovery attempts may be time-consuming and unsuccessful; and your brand may suffer, because what you say — or appear to say — matters.
Documentation and policies
Social media is people, and people can be messy — they forget things, they like really weak passwords, and they can go to work for competitors.
Know who has access and permission to use the accounts, and make sure every account is well documented.
- Note the services’ names and addresses along with the usernames and passwords for each account.
- Document two-factor authentication methods in use (e.g. cell phone numbers for text messages, or third-party apps like Google Authenticator — these should always be company-controlled, or at least company-accessible, if at all possible). Two-factor authentication is commonly in use for Facebook, Twitter, Gmail, Dropbox, Evernote, and Apple IDs.
- Document any system-level pass codes necessary to access the accounts (e.g. iPhone lock-screen pass codes).
- Make sure every account uses a strong, unique password. If your account is compromised, it can erode trust, leaving you scrambling to rebuild your credibility from a position of weakness.
Have policies about employees’ use of their own, personal accounts for business purposes: are they authorized to post on behalf of their employer? What is off-limits? How are disputes to be handled?
- What happens when the employer/employee relationship ends? Whose account is it? Whose followers/friends are they really?
- Change passwords when employees leave; this doesn’t just protect you against unauthorized access, it protects them against false accusations should a third party compromise an account.
- Does the site allow transfer of administrative control to another user (as when a Facebook page is set up)?
- Can the account’s address or username be revised? Or should it be? (When a reporter moves from CBC to CTV, for example, does their Twitter account, @reporternameCBC, get revised to @reporternameCTV, or does the account get deactivated/deleted?)
Strong passwords are a software problem; use a software solution
Do you think your passwords are strong? They probably aren’t strong enough.
If they’re only stored in someone’s head, it won’t matter if they’re strong — it’s only a matter of time until you lose the accounts.
- Make certain your email passwords are strong — accessing email is the key to many attacks. Once someone has access to an account, years of correspondence, address books, financial information and password reset links for social media accounts may all be laid bare.
- Buy AgileBits’ 1Password software. Learn to use it. It makes unique, strong passwords easy to generate — and use — on your desktop, tablet and smartphone. It’s worth every penny. It even protects against phishing attacks.
- Some excellent, related resources:
  - Read Joe Kissell’s Take Control of Your Passwords Cheat Sheet (PDF) — an easy-to-read, 1-page guide on understanding what makes a good password.
  - Buy Joe Kissell’s Take Control of 1Password for a more in-depth look at an invaluable yet easy-to-use security tool.
  - Fill out Mike Vardy’s free 1Password Emergency Kit (or Curt Clifton’s updated version) so the right people can access your passwords if necessary.
What backdoors exist on your accounts?
When your working relationship with a trusted employee ends (for any reason), who has control of the account? Knowing account passwords isn’t always enough:
- What about the password resets for the accounts? Do they send their links to personal email accounts under the control of others, thereby thwarting your ability to retain the accounts?
- Do you require access to an employee’s personal accounts to maintain control of your social media accounts? What if they’re incapacitated?
Plan for these contingencies.
Who has physical access to the recovery email account for each service?
If the email account a social media site sends its password-reset links to is a corporate email account — presumably under your control — ask yourself: who has physical access to that email account? What devices allow unrestricted access (e.g. automatic login) to it (say, via Microsoft Outlook or Apple Mail)? Is it a webmail-accessible account? Don’t assume — know.
If it’s worth investing in, it’s worth protecting
Just because you don’t have to pay for social media accounts doesn’t mean they don’t have real, tangible benefits — and costs. Like any investment, the time you put into social media is worth protecting.
You can avoid a lot of unpleasantness with some forward-thinking and common sense. Look after your passwords and policies while you’re strengthening your relationship with your customers online.