When it comes to social media presences for companies, Facebook is still the king. Even though upstart Pinterest is clearly giving Facebook a run for its money, the Facebook page is still the anchor for most companies’ social media strategy. Compared to other social media channels, Facebook is where the eyeballs are and that puts it at the center of the social media universe. For example, Coca-Cola’s Facebook page has 41,679,113 “Likes”, but their Twitter handle has 533,194 followers. Odds are good that your experience mirrors this.
The great thing about this is that it makes it easy for social media marketers to know where to target their efforts: the channel that puts you in front of the most people. The bad thing about this is that it also makes it easy for hackers, criminals, and people who mean your company harm to know where to target their efforts: the channel that puts them in front of the most people.
In the security world, this makes your Facebook page what we call “a high value target”. A successful attack against your page has the potential to do the greatest harm to your online reputation. It also has the potential to do the greatest harm by enabling attackers to use your page to identify and target your customers for attacks that can lead to real financial losses for you and them. This means that the bad guys have the greatest interest in getting control of your Facebook page for their use. Key to using pages safely and smartly is ensuring that you do all you can to remain in control.
The good news is that Facebook has some of the most sophisticated security controls available for social media. In contrast to Pinterest, it has a dedicated security settings center with some industry-leading tools at your disposal. The bad news is that these tools aren’t enabled by default and aren’t well known, and the relationship between your account profiles and pages can make it unclear how you need to set security for maximum protection.
The important thing is that Facebook pages can be made more secure than some other social media channels if you do the right things. By taking two simple steps today, you can increase the security of your page to better ensure you don’t lose control of it:
- Minimizing the number of administrators (“admins”)
- Increasing the account security options for all admins
The Weakest Link: Admin is Admin
Every Facebook page has at least one admin. When you create one, you are set up automatically as an admin. The admin is important because they have complete control over every aspect of the page.
The idea of an “admin” borrows from a concept that’s been used in computers for decades (you may recognize it from your Windows or Macintosh system for instance) to ensure there’s at least one account that can do anything on a system for maintenance purposes. It is absolutely critical to understand that an admin always has TOTAL control. There is nothing that an admin can’t do on a system and that applies to Facebook pages. An admin has the ability to add or change any content on a page, to add other admins, to remove other admins, and even delete a page.
When you have a Facebook page that you manage and are the only admin, the greatest risk is that you might make a mistake that can cause damage to the page. Where this concept gets tricky, though, is when you need more than one person to manage the page. Each and every admin that you add has the same total control over that page. When people ask me how they can add an admin to manage content but not be able to delete the page, or add or delete other admins, the answer I have to give is: “You can’t: admin is admin”. All admins are equally powerful and have the exact same control.
This means that your Facebook page is only as secure as the accounts of the people who are admins. If one of your admins loses control of their account, you can lose control of your page to whoever has taken control of that account. That attacker can then remove all other admins, completely locking you out from regaining access. The attacker can then delete content, post their own content, and even set the page up to deliver malware to users. Once this happens, you can work with Facebook’s customer support to get control of the hijacked admin account by reporting it through their “hacked” page. Until you get control of the page, though, the attackers have free rein with it, as we saw with Al Arabiya recently.
Because you can’t limit the power of admins, what you should do to help protect your Facebook page is limit the number of admins as much as possible. Ideally, you should have no more than one or two accounts as true admins. The fewer accounts that have this power over your Facebook pages, the less chance of one of them being hijacked and you losing control.
Strengthening the Link: Account Protection Options
Once you’ve minimized the number of accounts that have admin rights to your Facebook page, the next thing you want to do is increase the security of the accounts that still have admin rights to your page.
One thing you should consider is creating special Facebook accounts that are only used for admin of your page and nothing else. Just like I discussed with Pinterest, you should only log in to your admin account on systems that are fully up-to-date with security patches and antivirus.
In addition to creating a strong password for your admin account, you should utilize the enhanced account security tools the platform provides. These tools are a relatively new addition to Facebook and not well-known. But these provide an extra layer of authentication, increased monitoring for unauthorized activity and a faster means to regain control of a compromised account.
To access these options, on your Facebook page admin account, select “Account Settings” from the drop-down box in the upper right. On the left-hand menu, click “Security”. This will give you access to the additional account security options. (Note: this information is current as of this writing; these options may move or change in the future.)
First, you should ensure that “Secure Browsing” is enabled. This will always encrypt your username and password from any device.
“Login Approvals” is very important: this will make it so that an additional one-time code has to be entered each time someone tries to access your account on a new device. The code is sent by text to a mobile phone number. This enables what we call “two factor” authentication by requiring that you give Facebook not just something that you know (your password) but something that you have (this one-time code sent by text to your mobile phone in your possession). This feature significantly increases the security of your account because an attacker would have to get your password AND your mobile phone to access your account from a new device. As devices are approved, you will see them listed in the “Recognized Devices” section and any active session listed in the “Active Session” section.
“Login Notification” will let you know via email, text or both, every time this account is accessed by a new device. You can use this to watch for any unauthorized access and take action right away to regain control of your account.
The “Trusted Friends” feature lets you list up to five Facebook friends who can help you regain access to your account if you’re locked out. As Facebook notes, you will need at least three friends but five is preferred. If you get locked out, you will need to enter three codes sent to these friends to regain control of your account. In picking these friends, you want people you’ll be able to reach quickly.
Taken together, all these options significantly enhance the security of your account. And they do so without significantly increasing the “hassle factor”. They also provide good mechanisms to let you know if your account is compromised and the means to quickly regain control.
Two Easy Steps to Greater Peace of Mind
Comparatively speaking, Facebook has done an admirable job of increasing the security of their platform. For companies, Facebook is still the king of social media channels. And they’ve built in security capabilities that are fit for a king. The only trick is knowing what’s there and how best to use it.
With these two steps, minimizing the number of admins and strengthening the account security options on your admin accounts, you can significantly reduce your risk factors and increase the overall security of your admin accounts and your page. That should bring you better peace of mind.
Has your company already taken these page security measures?