How to protect your brand on social media

Most brands would love to go viral. But as enticing as the idea of virality is, no one wants it for the wrong reasons.

Managing social media for a brand always carries some risk, but there are ways to mitigate it. By being proactive with your team, you gain more control over whether your brand goes viral in the bad way. Here, we highlight what to look out for so you can protect your brand on social media. We include plans brands can implement — from clear-cut social governance to a robust crisis response plan.

Why risk management matters

Surprisingly few of us know what to do as soon as a social media crisis arrives at our doorstep. This is where effective governance comes in.

Social media is one of the few mediums where conversations between brands and consumers happen publicly. With so many active daily users on different channels, social media marketing becomes not only risky but daunting. As we all have witnessed, negative sentiment on social media spreads like wildfire.

Acknowledging the inherent risk with social media doesn’t mean you shouldn’t engage in these mediums — they’ve been shown to be highly beneficial to many brands as a way of gaining trust from consumers and customers alike. But you can work to understand what social media audiences want from brands and implement preventative measures against risk in a rapidly changing medium.

Think of it this way: A food distributor will put measures in place to keep produce clean and bacteria-free rather than issuing a recall after people become ill. Social media risk management works similarly.

Audiences crave trustworthy social relationships

On social media, brands have the potential to offer audiences real value that they can’t find elsewhere. It is a key place to go when you want to get someone’s full attention. The average person spent about two and a half hours per day on social media in 2022.

Any way you slice it, brands have a big opportunity to connect with audiences on social media.

Social media comes with responsibility for brands

If connecting with consumers and building brand loyalty is the opportunity social media affords, then protection becomes your responsibility. For so long, brands knew being on social media was important, but learning how to manage the risks took a backseat to building a presence and following. By 2019, social media marketers realized it was time to create proper safeguards to maintain broad social media governance.

Social media tends to come with two types of risk: external and internal. We will dig into both of these below, but remember that not all risks are created equal, and your brand needs different tools to address each risk to your social program.

If your brand is doing risk management right, no one should ever notice

There often isn’t outward glory that comes with an effective social media risk program. Instead of going viral with stellar content, the goal of risk management is not to make the news. Guarding against negative social media attention doesn’t mean you can’t take part in the virality aspect of it. It’s all about setting the proper foundation, so your brand is well-protected when it comes time to do the fun stuff.

The types of external risk on social media

External risks tend to make the news: hackers, fake accounts, negative PR coverage, etc. Some of these are difficult to guard against, if not inevitable, but we’ll provide detail later on the steps you can take with your team to create a social media program that protects from outside threats.

Social engineering

According to Google, social engineering is when a malicious third party uses deceptive tactics — like creating content that appears to come from a trusted source — to trick people into doing something dangerous, like revealing personal information or downloading software.

Deceptive download buttons or ads claiming your software is out of date are a couple of common ways that third parties access your credentials (usernames, passwords, answers to security questions, and personal details). Targeting phone support is another way outside actors can gain access to your social media accounts — people committing these acts often call with threats of account deactivation if a password isn’t delivered immediately.


Phishing is a type of social engineering that usually happens through email, text messages, social media messages, ads, or on websites that look like trusted sites. In this case, according to Google, the malicious party masquerades as a trusted source to get someone to offer up personal details that are then used to commit fraud.

Brands are particularly susceptible to phishing by outside parties, as it’s relatively easy to figure out who works at which brands. Typically, team members are the ones who get targeted, so training is your brand’s first and best defense.

Third-party apps for social

A third-party app is any app not created by your mobile device's manufacturer (Apple and Google, most commonly). Teams have to watch out for apps sold through unofficial app stores or those designed to connect with trusted apps (like Facebook) — think quiz apps and games within social networks. These apps gain access to user credentials and data about a user's connections and habits.

The risk for brands is that a team member could unwittingly use the brand’s official credentials to authenticate, granting access to sensitive information. Furthermore, when you download third-party apps, social networks might lock you out of your brand account for suspicious activity, creating many other serious issues.

The types of internal risk on social media

As marketers, we’re used to hearing about external risks, but internal risks are just as serious. An internal risk could be a team member accidentally tweeting from the brand account rather than their personal account or falling prey to a phishing scheme (more on this below). Or it could be the unfortunate incident of a team member acting out of malice.

On the plus side, as a brand, you have more control over internal threats and can shut them down faster than external threats. That is, if you have a strong governance program in place.

Inadequate governance with credentialing

Because social media was created for individual users, the credentialing systems on major social networks (Facebook, Instagram, Twitter, Snapchat, etc.) were designed with the individual in mind and not businesses. This becomes a problem for brands, where there are often multiple company members requiring native access to the brand account to post content, respond to comments, run ads, and manage other social media account logistics.

As a result, brands often end up creating ad-hoc systems for social media credentialing, like spreadsheets with passwords, having a single manager holding the passwords, or trying to force-fit a traditional password manager. But strategies like these aren’t secure, create bottlenecks, and don’t provide teams the level of control they need for a complex use case.

If credentials are the keys to your brand’s social media accounts, account access is the keyholder.

The solution is effective risk management

If your brand fails to build and maintain an effective risk management plan, you risk losing reputation, customers, and brand equity. 

Managing external risks involves a secure social media management solution and an always-on listening solution to alert your brand of external threats. Meanwhile, managing internal risks involves governance over employees with native access to your brand’s social media accounts. These tools help you create approval paths and workflows to ensure only the right content goes out on behalf of your brand.

Advice on risk management policies

For brand social media policies, less is more. The fewer people with the keys to your social media channels (keeping in mind your team size, of course), the safer those channels will be from internal and external risks. The goal isn’t just to know who has the keys; it’s to ensure the right people have only the permissions they need for only the exact amount of time they need them.


Brands should strive to include the fewest number of people possible to effectively complete tasks like posting content and responding to audience members. When you keep access to a minimum, it’s easier to govern the brand’s social media accounts.


Give team members the access they need and nothing more. For instance, if your social media manager needs to post to Instagram Stories during a big event, they should have access to complete those duties. However, once the event is over, that manager should no longer be able to access Instagram Stories (that is, if your brand doesn’t post to Stories regularly). In short, only give team members the access they need when they need it.


Limit mobile access to social channels to absolute necessity. Grant a team member mobile access because they’re at a live event and can’t bring a laptop, not simply because they prefer it. The truth is, it’s much easier to make a mistake on mobile than on desktop. It makes sense when you consider how much we’re connected to our mobile phones as the home of our personal social channels. We suggest implementing policies that limit mobile access to pre-defined use cases.

Advice on risk management processes

Brands should seek to formalize the process of accessing social media accounts as much as possible.


Formalize the process of having designated team members with social media access instead of providing credentials to anyone on the team when they ask. Specifically, we suggest brands track who has access to which accounts at which times, why they have access, and also when those team members access each social media channel. We suggest allowing access to your brand’s social media on a “need-to-know” basis: scale down access, so that team members only have “top-secret clearance” for projects or accounts they currently work on. If you don’t already have one, you’ll need to devise a system for tracking when team members use their access — and make it a priority to keep it up-to-date.


We suggest brands complete an audit every ninety days of who has access to social media accounts. Take note of who has access to which social media accounts and who has access but does not use it. Ask those team members to verify whether they need continued access.

Remember, a policy is something you have to change, while a process consists of who makes that change and how. When considering your brand’s social media credentials, you need a policy and a clear process.


We suggest rotating your brand’s social media account credentials every ninety days, as it forces you to review who has access to each account and why. For instance, when you change your brand’s Twitter password, you must reissue it to need-to-know parties, a process during which you can ensure each person truly needs password-level access. Once you’ve changed your brand’s passwords for the social networks on which you’re active, keep them in a safe place where more than one person can access them — but again, keep the number of team members who have access limited.

Our advice on tools: social risk management checklist

Look for a platform that helps you manage both the internal and external risks that arise when operating social media at scale.

Access + credential management

In order to know and control who has direct (native) access to your social accounts:

  • Limit access to native social accounts by granting permissions to only the users who need it across both credential management networks (e.g., Twitter) and access management networks (e.g., Facebook).
  • Know why users are going native by requiring and logging justification upon login.
  • Limit how long a user has native access permissions, or grant ongoing permission.
  • Pause native access at any time for any user or account during times of crisis.
  • End any user’s session at any time, even if they are currently logged in.
  • Provide a complete log of activity at an account and user level for auditing and reporting.

Governance + workflow management

In order to ensure your teams can work creatively, efficiently, and safely on social:

  • Scope the right platform access to the right users with robust permission systems and role-based access controls for platform users.
  • Prevent unapproved, inappropriate, or ill-timed content from publishing through the platform by creating highly configurable approval workflows and tracking and logging change requests through a task management system.
  • Archive all audit trails on every item and action taken in the platform.
  • Provide approved creative content for teams to access through in-platform centralized content storage.
  • Require labels for consistent social attribution across your organization using a structured labels system that maps to any internal labeling structure.

Platform security controls

Maintain best-in-class security standards by finding a platform that:

  • Supports federated identity via SAML 2 standard single sign-on.
  • Supports encryption in transit via mandatory SSL/TLS using modern ciphers.
  • Enables security of local logins, including password complexity, reuse, and expiration settings; IP whitelisting; and session and inactivity timers.
  • Maintains an annual SOC 2 audit and regularly submits to ongoing third-party security and penetration testing.
  • Has documented security policies and procedures and employee training.
  • Supports email domain whitelisting.
  • Requires multi-factor authentication (MFA).

Proactive listening

In order to stay alert to what’s happening around your brand:

  • Identify and monitor incidents for crisis management.
  • Track mentions of your brand and key terms to know what’s being said indirectly about your brand.
  • Surface where conversations are happening globally to know where to direct resources.
  • Create notifications for key influencers, campaigns, topics, and more.

Balance being proactive, efficient, and flexible to excel

Once you understand risk management, it’s time to put your plan in place, ensure it is streamlined, and adapt it as necessary. In short, be proactive, efficient, and flexible about social media governance. Here’s how:


Simply put: Your brand has to be proactive with governance if you want to prevent problems. With social customer care, sometimes a reactive stance makes sense. After all, you can’t solve a problem before there is one; however, you also can’t take back a security breach.

Governance involves a set of predictable problems, all of which you can plan for ahead of time, and Khoros can help. Putting a system in place to prepare for a breach allows you to take action as quickly as possible if and when one does occur. For example, keeping an updated log of who had social media account access and credentials helps you streamline the post-breach auditing process.

You can also be proactive with crisis management. None of us know when the next crisis is coming for our brand (wouldn’t that be nice?), but you can still prepare. It’s essential to listen to what’s being said about your brand, not just to your brand — you don’t want to learn about a crisis after it’s already gone viral.

Social media is one of the biggest (and best) places to listen, but there’s a lot of noise. Having a software solution that allows you to find the signal in that noise is important, and Khoros Deep Listening helps you do just that. When you pay attention to social media conversations, you can quickly identify and respond to negative trends before they become outsized.


It’s crucial to maintain a consistent brand voice, and for many brands, it’s also key to ensure that HR and legal approve all content. Approval paths will streamline this work.

Approval paths are an extra layer of security that will improve your efficiency rather than slow down your content workflow.

We can all think of examples of where approval paths broke down, and a major brand posted “Need Content Here” or similar to their millions of followers.

Khoros software can come into immediate play here. Our Social Marketing product provides flexible ways to move content through approval and workflow paths that make sense for your team. For the times when your users need to go native (which we all know happens), our Vault product provides a centralized yet secure point of entry to native social accounts. Instead of searching through spreadsheets or combing through disconnected, insecure technology solutions, Vault delivers an efficient way to access these accounts. By controlling access, monitoring usage, and running reporting all in one place, Vault provides an efficient way to know and control who has native access to your valuable brand accounts.


You will always need team members to have some capacity for native access to your brand’s social media accounts. Khoros Vault provides audit trails to help with staffing decisions and give your team flexibility over who has access.

For example, say a team member is in town for a few hours and needs access to accounts. Vault ensures you can give access safely. With our help, you can track and change access nimbly, making you as flexible as possible.

Regarding the spectrum of your brand’s risk, you need to consider what goes through the platform and what to protect in terms of native access. Vault allows you to track that access — and doing anything less, speaking frankly, is negligent. You need the flexibility to scope down access to exactly who needs it, exactly when they need it. You also need the control to remove that access at any time and require that users state why they’re going native. Vault gives you these safeguards and more.

With these safeguards in place, you can scope everything quickly if the worst happens: you’ll immediately know who had access, when, and what they said they were doing. With Vault, you can track who logs in and when; even better, employees will never see the password and will never have access to it. More critically, with Vault you can revoke access immediately if necessary.


A social media crisis happening to your brand is a daunting thing to think about. However, this should never stop you from reaping all of the potential benefits these digital platforms have to offer, as they far outweigh the risks involved.

Gain control of social media risk by implementing a proactive plan, tightening up who within your organization is allowed access, and arming your team with the proper tools to maintain proper governance over social media channels.
