Using social media securely

Follow this guidance if you work in a social media communications team and you’re responsible for setting up, posting content to and managing social media platforms at your public sector organisation.

This guidance will help reduce the likelihood that damaging content is published on your social media accounts. The Central Digital and Data Office (CDDO) developed this guidance based on the NCSC protecting what you publish guidance and the Cabinet Office social media security policy.

Please email securing-gov-services@digital.cabinet-office.gov.uk if you have any questions or comments.

How to meet the NCSC security principles

The NCSC protecting what you publish guidance recommends you must:

1. Use reputable social media platforms and tools which provide good security features.
2. Only authorised staff can publish content.
3. Make sure there is a content approval process in place.
4. Set up account access logging and non-repudiation.
5. Put emergency recovery plans and processes in place and test them.

The person responsible for the social media management in your organisation must take the following steps to protect social media accounts.

1. Use only reputable social media and analytics platforms with good security features

You must make sure you only use social media and analytics tools which support:

• 2 Factor Authentication (2FA)
• account recovery
• notifying you of any issues or incidents
• reporting of issues though an incident response mechanism
• data protection legislation like GDPR

You must know which social media platforms and analytics tools your staff are using, keep a record of any changes and decommission any accounts when they are no longer used. You must ensure the social media platform is approved by your Information Assurance team.

2. Make sure only authorised staff can publish content

To control access to your social media accounts do the following.

1. Appoint someone responsible for user access and password management to make sure this is done in a controlled manner. Keep the number of team members with the ability to set up social media accounts and give people access to a minimum.
2. Use a social media management tool if you need to manage simultaneous access to multiple social media platforms securely.
3. Turn on 2 Factor Authentication (2FA) for all social media accounts. Use a reputable authentication application and not text messages to receive codes.
4. Set up alerts about unrecognised logins within your social media platforms, if not turned on by default.
5. Create a register of who has access and update this register at least once a month even if there is no change to who has social media access.
6. Create a policy which only allows staff to publish content on social media using corporate devices, if your organisation does not already have one.
7. Remove access for staff when they leave and change any social media account passwords they had access to immediately.
8. Close any accounts that are no longer used or have been inactive for a while, to avoid them being hacked or used to compromise active accounts.

Advice on using passwords

We strongly recommend securing your social media passwords using a password management tool.

A password management tool will provide a secure vault to store the social media account passwords so users can access social media accounts without knowing the actual passwords. Password management tools can also provide password rules for creating “tough” passwords and stop the need for staff to share passwords through emails or other ways in which they may be compromised.

Consider using a Privilege Access Management (PAM) solution

This will help to mediate privilege access to social media accounts, including:

• eliminating shared credentials by storing passwords in a digital vault which requires users to login individually for access
• automating and enforcing password changes

Avoid storing passwords in encrypted files

If there is no alternative but to store passwords in a file, you must encrypt the file and only share the password for the file with authorised recipients using an “out-of-band” channel like a phone call or text message. Discuss this password management arrangement with your local Senior Security Advisers (SSAs) or equivalent and Information Assurance team.

Note: Never store passwords in files that are not password protected, or in shared, unencrypted documents on servers. Unauthorised people may get access to these files.

Refer to the NCSC Password administration for system owners for more help setting secure passwords.

3. Make sure a content approval process is in place

You must make sure content is approved before being published. This will help to minimise the risk of accidentally or deliberately publishing incorrect content which could cause reputational damage. You must do the following to make sure appropriate content is published.

1. You must develop a formal process to define the roles of staff. You must set who can draft, review and approve content before this gets published.
2. This process can be done using a manual log of activities (document with dates, names and tasks) or within the workflow of a social media management tool.

Formally agree a process around maintaining the manual log of user activities about content creation and approval. This process must make sure logs are protected from unauthorised changes. The log must only be editable by an appointed person who is responsible for maintaining this. All other team members should have read-only access to the log.

Social media management tools can provide automatic content approval workflows and extra level of user activities tracking for non repudiation. Review social media management tools on the market to see how these meet your business needs and the recommendation made in this report.

1. Avoid publishing content natively on social media channels unless there is an emergency or other core business reason.
2. Always check content after published to make sure it’s the content that was originally signed-off.

4. Set up robust user authentication and account access logging for non-repudiation

It is important to be able to track who or what has posted content on all your social media platforms at a specific time and date, and to what extent this can be attributed to an identifiable individual. The ability to record irrefutable events associated with personal actions significantly helps in any security incident investigation.

When multiple users access social media accounts, consider using a:

• social media management tool with a robust logging capability which captures who pushed content on the channel and when
• PAM solution to trace account activity

PAM tools can create a record of activity on social media accounts to trace all posts directly back to individual authorised users. This helps identify weak areas of security as well as rogue employees who may be posting damaging content.

Note: Avoid posting content directly to social media platforms as this makes it hard to track who has posted content. Wherever possible you must use a social media management tool which can provide this audit capability for you.

5. Put emergency recovery plans and processes in place and test them

You must make sure you have a documented and tested recovery plan to follow in the event of an incident. Your social media teams must know their responsibilities as documented in this plan. You must have processes to identify the root cause of an incident and apply lessons learned on current security practices.

Forgetting your password

Your social media accounts must be set up with contact details of a role-based account, which can be accessed by trusted individuals to reset the password and get access to an account. Do not use individual accounts like jane.smith@yourorganisation.gov.uk.

Internal account breach

Where anyone with authorised access to the account has published damaging content, you must be able to quickly revoke their access remotely. You can do this by logging out of all sessions and changing all passwords related to the account.

External account hijack

If your account is hijacked by an attacker and you are locked out of it, you must have a step by step process to regain control of the account. It is essential that you have a point of contact with the social media platform owner to escalate any issues with the recovery activities. If an attacker has accessed the account recovery information, then the only recourse might be to contact the social media platform owner.

Test your plans

Test the recovery plan regularly. Make sure you know in advance who to contact, and what information you'll need in order to identify yourself to the social media platform owners.