Six ways companies get locked out of their own social media accounts - and how to avoid them

Sadly, one of the most common social media problems companies encounter is a basic one: they do not know the passwords to their own social media accounts and they are locked out.

While it’s a simple problem on the surface, there are a multitude of reasons companies find themselves in that predicament. Some have to do with infrastructure. Some have to do with processes and procedures. Here’s my list of the six most common reasons companies find themselves locked out of their own accounts – and how to avoid them.

  • Sole owner. It’s extremely common for one person at a company to be “in charge” of social media, and that person is the sole owner of all things related to social, including the passwords. This is incredibly risky because there is no redundancy built into the system. What if that person got hit by a bus and was suddenly in the hospital? Everyone else at the company would be unable to access the social media accounts – possibly forever if the person did not survive (read my post about planning for hit by a bus). In a less-dramatic example, that person might leave the company and take the passwords with them – something especially bad if the person leaves on bad terms. No matter how big or small your business is, there should always be at least two people with access to the social media passwords at all times.

  • Poor password management. There are a couple of different ways your password management can go sideways. First, if you have that sole owner who is responsible for all things social media, he or she may still be doing incredibly insecure things like writing your social media passwords down on a sticky note. If you require that passwords are known by more than one person, you must learn how to securely share them with a team. Many companies use things like an Excel spreadsheet or a password-protected PDF. Those are not secure, especially since most of the time they are emailed back and forth right along with the password to the password-protected document. If you’re serious about best practices, look at a tool like LastPass or Keeper Security. These are very affordable tools that enable you to securely share your passwords across a team of people. (Disclosure: I am not paid by any tool companies to talk about them.)

  • Email fail. One of the biggest mistakes relates to the email address associated with a company’s social media accounts.

    • No-no #1: Do not allow anyone to link any of your company’s official social media accounts to a personal Gmail or other webmail account that is not an official email from your company. If it’s a company social media account, it should be tied to a company email address.

    • No-no #2: Do not allow people to link a company social media account to their own company email address either. I hear you out there saying, “Wait, what?” Here’s why: Let’s say I start a new social media account for my company and I link it to my own work email address, sue@companyx.com. Then I leave the company and I don’t hand over the credentials to the social media accounts before I leave. Anyone who is trying to get into that account can click the “forgot password” link, but those emails will go to sue@companyx.com, which no one is able to access. In fact, if I work at a big company, the IT department may have already shut my email account down entirely when I left the company. The net result is your coworkers will be locked out because they can’t access the right email address to execute a password reset.

    • So what should you be doing then? My best practice is to create a general email address like socialmedia@companyx.com and attach all social media accounts to that email. That way someone at the company will always be able to access the appropriate email account if needed. If you are managing a multitude of accounts, you may choose to set up an email address like this for each account. Then use an auto-forward rule or a PDL to send the notifications for that email address/account to the people who actually manage the account. This has the added benefit of being able to change who gets the emails if there are staff changes without changing the basic infrastructure for the account. It’s a bit more administration and recordkeeping, but it can save you a ton of headaches in the future.

  • Phone fail. Very similar to the email issue above, most social media accounts also ask you to attach a cell phone number to the account. Most people will use their personal cell phone number unless the company provides company cell phones. But regardless of which cell phone number is used, there should be records about which phone numbers are tied to which accounts, and there should be a process/protocol for changing those over when someone leaves the company.

  • Agency ownership. Yet another big mistake is to allow your agency to own your accounts. It is my opinion that your company should always be the owner of all of your accounts (see my four pillars of governance). You can then provision access to your agency so they can do what they need to do. But you should never hand over control of your accounts to an agency. I have seen relationships with agencies sour, and I have seen agencies hold accounts hostage after the fact. (To be fair – most agencies and the people that work for them are wonderful and would never do something like that.) If your agency is the owner of your accounts, get ownership back. If your agency is in charge of your passwords, change that too. And if your agency owns your paid ad accounts, that’s a no-no, too, but that’s a different post.

  • Password protocols. Many companies – especially smaller companies – have very poor protocols when it comes to password management. You should:

    • Have a protocol for changing your passwords every couple of months.

    • Have requirements for the length and complexity of your passwords (X number of characters, letters, symbols, etc.). These should include rules such as: the password cannot contain your company/brand name, easily guessable terms, or passwords like “password.”

    • Have protocols for what happens when someone who knows the passwords leaves the company. Make sure you change all passwords they had access to and update your records.

    • Have protocols for setting up accounts – see email and phone points above.
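The record-keeping the points above call for can be checked mechanically. The following is an added example, not something from the original post: a small audit over an account inventory that flags the lockout risks described in this list. The inventory field names, staff names, dates and finding labels are all constructed for illustration; only the `companyx.com` addresses come from the article's own example.

```python
from datetime import date

COMPANY_DOMAIN = "companyx.com"   # domain used in the article's example
CURRENT_STAFF = {"ana", "raj"}    # constructed: people employed today
# Constructed: mailboxes that belong to one individual rather than a role.
PERSONAL_MAILBOXES = {"sue@companyx.com", "ana@companyx.com", "raj@companyx.com"}

# Constructed inventory; the field names are assumptions made for this example.
INVENTORY = [
    {"account": "brand-main", "owner": "company",
     "recovery_email": "socialmedia@companyx.com",
     "admins": ["ana", "raj"], "phone_holder": "ana",
     "password_changed": date(2021, 3, 1), "departures": {"sue": date(2021, 2, 15)}},
    {"account": "brand-support", "owner": "agency",
     "recovery_email": "sue@companyx.com",
     "admins": ["sue"], "phone_holder": None,
     "password_changed": date(2020, 11, 1), "departures": {"sue": date(2021, 2, 15)}},
    {"account": "brand-events", "owner": "company",
     "recovery_email": "events.team@gmail.com",
     "admins": ["raj", "ana"], "phone_holder": "sue",
     "password_changed": date(2021, 3, 1), "departures": {}},
]

def audit(entry):
    """Return the list of lockout risks found for one inventory entry."""
    findings = []
    # Sole owner: fewer than two current employees can log in.
    if len([a for a in entry["admins"] if a in CURRENT_STAFF]) < 2:
        findings.append("sole-owner")
    # Email fail: webmail, or an individual's work mailbox instead of a role address.
    email = entry["recovery_email"].lower()
    if email.rsplit("@", 1)[-1] != COMPANY_DOMAIN:
        findings.append("non-company-email")
    elif email in PERSONAL_MAILBOXES:
        findings.append("personal-work-email")
    # Phone fail: no record of the number's holder, or the holder has left.
    holder = entry["phone_holder"]
    if holder is None:
        findings.append("phone-not-recorded")
    elif holder not in CURRENT_STAFF:
        findings.append("phone-held-by-leaver")
    if entry["owner"] != "company":
        findings.append("agency-owned")
    # Password protocol: someone with access left after the last password change.
    if any(left > entry["password_changed"] for left in entry["departures"].values()):
        findings.append("password-not-changed-after-departure")
    return findings

def audit_all(inventory):
    return {e["account"]: audit(e) for e in inventory}
```

An empty list for an account means none of the checks fired; the inventory itself should hold no passwords, only who has access and when the password was last changed.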

If you tackle these items, your company passwords will be much more secure and you will greatly reduce the likelihood that you become one of the thousands of companies locked out of their own social media accounts.
