top of page

Be social but safe with your business

When you are starting a new business, one of the first things on the to do list is to set up your business social media accounts so you can start telling everyone about your exciting new venture .

Smaller businesses often rely heavily on their social media presence to increase awareness of their brand, sell their services and engage potential customers. It's far cheaper than setting up a website and doesn't require an expert in web design. A few clicks and your business is live for the world to see.

However, social media accounts can also present an opportunity for cyber criminals or even disgruntled ex-employees to damage your business. The National Cyber Security Centre (NCSC) has produced guidance on the potential risks and the steps you can take to try and keep your business social but safe.

How your business social accounts might be impacted:

  • attempts to spread misinformation or fake news

  • hijacking for malicious purposes, such as redirecting to malicious websites

  • internal staff who have a grudge posting damaging comments

  • draft, incomplete or inaccurate messages being rushed into the public eye

Control access to your business social media accounts

Implementing a sound password process or policy to control access to your business social media accounts can help ensure that only authorised members of staff can publish content.

Even if the other people in your business are friends or family, it's still essential that you protect your passwords to keep your social media accounts as secure as possible.

Most social media products (including social media management tools) contain additional security features such as two-factor authentication (2FA), so make sure you switch this on. Doing so will protect against attacks on those accounts that are only protected by using passwords.

There may be several people within your business who need access to the social media account, including the ability to publish content. In such cases the NCSC suggest the following:

  • Ensure that account access logging (if available) is switched on. This will provide an audit trail for unauthorised posts, or anomalous access to the account. Use credential protection mechanisms, such as password managers.

  • Make sure passwords are stored securely; do not store passwords in plaintext in files, or in shared, unencrypted documents on servers which can be easily accessed by unauthorised persons.

  • Avoid sharing passwords, if possible. Where there's a pressing business requirement to share passwords, use additional controls to provide the required oversight. Some password managers allow users to share passwords in a more secure way (for example, they can audit access to the password and automatically sync password changes).

  • Using Privileged Access Management (PAM) solutions can further protect the social media accounts, as these can help to secure passwords as well as auditing user access.

Managing leavers and movers

If a member of staff with access to your social media account/s leaves your business (or even changes roles), make sure their access to all such accounts is revoked if it's no longer required. This needs to be done promptly - ideally before they move - in case there's any animosity surrounding their departure or move.

Doing this should form part of your organisation's wider process to manage 'joiners, movers and leavers', which should cover managing access to all IT systems. If you're using shared passwords, changing these passwords needs to be carefully managed as part of the leavers process.

Put an emergency recovery plan in place

If an employee (or anyone else with authorised access to the account) is publishing damaging content, you'll need to make sure you're able to quickly revoke their access, most likely remotely. This will include managing access to any password vaults or password managers (where used) which contain corporate social media account access credentials.

If your social media channel is hijacked by an attacker, your priority should be regaining control of the account to contain any damage, rather than trying to correct any malicious content that's been posted. Most social media tools provide the means to verify the owner's account(s) using extra identifying information in the case of an account compromise. Make sure you know how to access this recovery information, and that it's kept up to date. If an attack has also accessed this account recovery information, then the only recourse might be to contact the social media platform owner.

Don't wait until you're in the middle of a real incident before finding what you need to do to regain control. Ensure you know in advance who to contact, and what information you'll need in order to identify yourself to the social media platform owners. For more information about how to recover accounts, refer to the relevant online support pages for your chosen platform or social media management tool.

The full NCSC guidance can be found here Social media: protecting what you publish


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the West Midlands is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others.  Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the West Midlands provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.


The Cyber Resilience Centre for the West Midlands does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the West Midlands is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page