In honor of Data Privacy Week, the top 5 social media governance mistakes
It amazes me that in 2025, I feel like I’ve been singing the same song for a decade. But in honor of this year’s Data Privacy Week, I’m happy to offer a reprise.
Here are the top 5 mistakes companies make when it comes to securing their social media footprint. If you want to hop straight to the list, scroll down. If you’d like my thoughts on why this happens at nearly every company, here’s my theory:
It all comes down to what I like to call a “gap in understanding.” The departments within the company like Cybersecurity, Infosec and IT do not know enough about how social media channel access is managed to understand that there is something that really needs securing. And most companies dramatically under-resource their social media team (if they have a team at all), which leads to the social team not having time to tackle the massive complex ball of string that implementing secure processes would entail. And they certainly aren’t going to raise their collective hand and ask for more work. Therefore, at most companies (particularly large, matrixed ones) this “gap in understanding” both exists and is never addressed properly.
OK, so what are the top 5 mistakes companies make when it comes to managing their social media security and governance?
1. They do not own their stuff. It is extremely common for companies to have one of the following problems, all of which are a version of not owning all of their stuff:
a. They don’t know how many channels the company has – not a clue.
b. They don’t know who owns or manages most of them (internal staff or external like an agency).
c. There is no master inventory or accounting of the channels and who is responsible for each.
d. They allow their agencies to own either the channels, the ad accounts or both. This is a HUGE no-no (read Why You Shouldn’t Let Your Agency Own Your Ad Account).
2. Password management is in the toilet. Passwords are paramount to any secure system but especially in the land of social media, where sometimes the password between your company channel and the hacker is simply someone’s personal password. If I were to make my personal Facebook password “password123” hackers could hack into my personal Facebook and from there access ALL of my client’s Facebook pages. It’s a huge issue. For other platforms like X and Instagram, if the company has a channel with a login and password, making the password “CompanyName123” is pretty stupid, too.
Companies aren’t managing passwords, rotating passwords, insisting on secure passwords or advising relevant staff about maintaining the security of personal passwords as described above. Most companies also have no SOP or no mechanism for ensuring passwords are changed when there is staff turnover. There are a lot of ways this can go sideways. And it can happen really fast. More on passwords for social here.
3. Knowing who has access. If you don’t know who has access to each of your social media channels at any given time, you have a problem. What if your company were to be sued over something posted on social media? Being able to clearly say who posted an item, who made a specific comment or who approved a piece of content is crucial sometimes if you need to provide proof either for a court of law, a legal investigation or a criminal one by the police. Simply saying to the authorities “Well any one of 20 different people could have posted that” is not good enough.
4. Ill-prepared for “hit by a bus.” It still amazes me that major corporations have social media teams of one these days, but they do. If all of your social media knowhow lives inside a single person’s head, that’s a risk. What if that person got hit by a bus and landed in the hospital? You must have documented procedures. You must have a backup for your one person because that person inevitably goes on vacation, takes a sick day, etc. This is one of the biggest growing pains for my clients – figuring out how to take all of the knowledge in the one person’s head and make it a team operation with consistency and documentation.
5. Too busy to care. I admit, security of social media is not the sexiest topic. I love it personally, but I also understand that it makes most people want to call in sick. But sticking your head in the sand isn’t going to help. The hackers are getting smarter. The systems are getting harder to manage and secure. And the number of social media platforms keeps expanding (hello, Bluesky and Rednote!). This is something that someone at your organization needs to care about. NEEDS to. Smart companies are making full-time positions. If that’s aspirational for you right now, ensure that someone is managing the basics. You should have an inventory of all channels. You should know who manages each. You should know how to access them and ensure the passwords are managed safely and securely. You should care. It’s just a matter of time before some of the world’s biggest brands have some disastrous cybersecurity incidents on social because they’ve ignored the gap in understanding. Make sure you are not one of them.
Shockingly, numbers one through four on this list align with my four pillars of good social media governance.
Serna Social is again very proud to be a Data Privacy Week Champion in 2025. All hail the National Cybersecurity Alliance for continuing to promote and discuss these important issues. If you’re interested in Data Privacy Week, there is a great week of free programming to check out, and you or your organization can also become a champion!