Unmeasurable brand and reputation damage from hackers accessing brand social media accounts is a real risk marketers need to think more about
“Unmeasurable brand and reputational damage” is a big risk brands face from seemingly simple hacker attacks on their social media accounts, one cybersecurity expert claims.
The comments from cybersecurity expert and Cerby chief trust officer, Matt Chiodi, followed news last week of Disneyland’s Facebook and Instagram accounts being hacked. Undertaken by an individual claiming to be a ‘super hacker’ and calling himself ‘David Do’, the posts featured a raft of offensive content, which several US media sites were able to capture, containing racist language, slurs and references. The hacker also claimed to be the inventor of Covid-19.
The first offensive posts appeared on 7 July at 3.50am local US time and were quickly removed by the entertainment company after it worked to secure its social media accounts. Disney’s social accounts have more than 8 million followers.
In an 8 July statement confirming the social media account hack and its efforts to deal with the cyberattack, Disney labelled the attack “reprehensible”.
“Disneyland Resort’s Facebook and Instagram accounts were compromised early this morning. We worked quickly to remove the reprehensible content, secure our accounts, and our security teams are conducting an investigation,” the Disney statement read.
Chiodi has spent the past 20 years in the cybersecurity space, working for companies such as Palo Alto Networks, RedLock, Cognizant, Deloitte and eBay. During his time as chief security officer of Cloud at Palo Alto Networks, he led a group of security researchers exclusively focused on public cloud concerns. He’s now the chief trust officer for Cerby, which produces security technology to better protect applications that don’t fall under enterprise-grade IT security checks and balances.
Chiodi told CMO there are four common ways in which social media attacks like this happen. The first is weak passwords that are easy to guess, while the second is passwords used across multiple applications that form part of a breach. A third risk is phishing campaigns, where a user is lured into clicking on a link that takes them to a fake login page that looks like Instagram or Twitter and allows cyberattackers to harvest passwords. Disabled two-factor authentication is the common thread across many of these cases.
“While there is a lot of talk about going passwordless in the future, passwords are not the issue. It’s the end-user’s mismanagement of them that’s the challenge,” Chiodi said.
As to why social media accounts are a prime target for cyberattacks, Chiodi argued none of the prominent platforms offer robust authentication options to their billions of users.
“Social media attacks happen because none of the platforms support common identity standards like single sign-on and systems for cross-domain identity management for automatically adding and removing users,” he said. “This is unacceptable for tools so critical to enterprises and democracy.”
These standards are known as SCIM. “These two standards are the bread and butter of what keeps many enterprise crown jewel applications secure. But none of them are supported.”
Then there’s the value of social media advertising itself. As the second biggest market in digital ads worldwide, with revenues of US$153 billion in 2021, according to Hootsuite, attackers are taking notice.
“Until these problems are solved, we should expect to see these types of social media attacks continue to expand and negatively impact brand trust,” Chiodi said.
Chiodi agreed the consequences of these attacks can cause “unmeasurable brand and reputational damage” to an organisation. A key contributor in this case is the fact consumers consider social media a ‘trusted’ channel.
“If they [hackers] are able to breach an account, yes, they can make the brand look bad by saying nasty things,” he continued. “But what’s more lucrative is redirecting ad spend and getting your consumers to click on phishing links so criminals can then harvest your customers’ personal information and resell it on the dark Web.
“If an attacker can breach these platforms, they can not only redirect ad spend, they can also launch phishing campaigns.”
As an example, Chiodi posited an attacker taking over the social media presence of a large consumer brand.
“They post an innocent-looking post with a link. When thousands of consumers click on the link, they are taken to a phishing site where sensitive information such as usernames and passwords and other personally identifiable information can be harvested,” he said. “The scenario becomes even more risky when the attacked companies operate in sensitive fields like healthcare and government.”
Exacerbating the issue are security chiefs and IT teams who are largely unaware of the elevated risk of what Cerby dubs these ‘unmanageable applications’, such as social media. Cerby defines such applications as ‘unmanageable’ because they lack support for common identity standards essential in enterprise security strategy.
“Sure, they [IT and security teams] know there is a risk to the brand if a social account is compromised, but until recently, there wasn’t much they could do other than to tell the marketing team to use a password manager or a privileged identity/access management tool [PIM/PAM],” he explained. “The rub? These tools, while lightyears better than using sticky notes and spreadsheets, in the case of PIM/PAM tools, require marketing teams to learn a new tool that is painfully not user-friendly.
“Password managers are great, but like PIM/PAM tools, they do not automate remediation of common social media security hygiene tasks like enabling two-factor authentication and strong passwords or help securely sharing access to social accounts with agencies and other third parties, such as influencers.”
Chiodi’s advice to marketers on steps they can take to be prepared for such a cyber hack is first and foremost to ensure two-factor authentication is enabled universally across all social accounts.
“Put a process in place to regularly ensure it is not disabled,” he advised. “This is an extremely common problem when a critical task like this is not automated. When enforcement is automated, two-factor authentication would alone eliminate the vast majority of breaches.”
Second, marketers need to be proactive and vocal with security teams in expressing their needs when it comes to efficiently and securely managing access to their social accounts, Chiodi said.
“If this second step is not done, security teams will often default to their standard sets of tools, like PIM/PAM and password managers, and marketing teams will be left with a solution that is at the least more painful and, at the worst, no more secure than when they started,” he added.
You can also follow CMO on Twitter: @CMOAustralia, take part in the CMO conversation on LinkedIn: CMO ANZ, follow our regular updates via CMO Australia's Linkedin company page
In the third and final episode of our 3-part CMO50 video series exploring modern marketing and why it’s become a matter of trust, we’re delighted to be joined by Telstra’s former CMO and now digital services and sales executive, Jeremy Nicholas, and Adobe VP Marketing Asia-Pacific and Japan, Duncan Egan.
Flash back to the classic film, Willy Wonka and the Chocolate Factory. Television-obsessed Mike insists on becoming the first person to be ‘sent by Wonkavision’, dematerialising on one end, pixel by pixel, and materialising in another space. His cinematic dreams are realised thanks to rash decisions as he is shrunken down to fit the digital universe, followed by a trip to the taffy puller to return to normal size.
Why is it there is no shortage of leadership development materials, yet outstanding leadership is so rare? Despite having access to so many leadership principles, tools, systems and processes, why is it so hard to develop and improve as a leader?
As a nation united by sport, brands are beginning to learn money alone won’t talk without aligned values and action. If recent events with major leagues and their players have shown us anything, it’s the next generation of athletes are standing by what they believe in – and they won’t let their values be superseded by money.
