Social Media - Channel Security

As I approach the end of my ten-year term working in digital for Ford Europe, I'll bang heads one last time on the subject of account security.

There are two types of social media accounts:

  1. Ones where a password exists.
  2. Ones where no password exists.

An example where a password exists

A Twitter account: to create a Twitter account you "Sign Up" and in that process you are asked to choose a username and password. There is no way to create a separate account from within an already existing account. 

Once an account has been created, there may be a way, as there is with Twitter, to give other users access to the account without giving them the account password: but a password does still exist.

An example where a password does NOT exist

A Google Brand account (used mostly for YouTube): a brand account is created while signed in to an existing account, not by signing up.

During the brand account creation process no separate password is created. The creating (owning) account has access to manage the brand account and other user accounts can be given access to help manage the brand account, but no password for the brand account exists.


A password is like a KEY. A key is something you HAVE.

Why no key is the best key



People like THINGS, it's what they are used to. People have KEYS for things they care about: to gain entry to their home, to their car etc. They understand that the key gives entry to something of theirs which they value and it should be looked after. 

But keys can be copied, duplicated, shared. The best key is no key.

But there is a key, right? ... The account that created the brand account does have a password: it does have a key.

Yes, but that is MY KEY. And this is where security for the brand account comes from.

MY account contains MY STUFF. Lots of my stuff. MY PHOTOS, MY DOCUMENTS, MY STUFF!!! 

I could not. I would not. Lend, duplicate or copy my personal account key (my account password) for others to use. No way. I look after access to my account. I have two-factor authentication turned on. I use a very secure password which is not written down.

That is what secures brand accounts created through a user account. 

The industry problem

"Hi Robert, could you add this email as a manager for the brand account please? ..... someteamofpeople@somestupid.agency - That's the email for our team shared Google account. Thanks!"

This happens often. It's chronic. So what is the problem?

It is someone's job to make sure that only the people who need access to the brand account have access. 

The way to do that is to give each individual user access through an individual account. No shared keys.

An account that person is invested in. An account where that person would adamantly refuse to give the keys up: their personal account.

Giving access to a shared account would be like adding a shared key for the brand account.

Worse, it is a shared key with little to no personal value. Does the new person in the team need access? Email them the password! Who has an overview of who has access? No one. It's a situation where it's not possible to say with certainty who does and who does not have access.

No key is the best key

The current account owner, the person whose job it is to control access, possibly for an agency on behalf of the client, should be able to see at a glance who has access.

Any "MANAGE PERMISSIONS" button, like the one in the screenshot above, should show each person who has access.

Shared accounts with shared keys should not be given access, as they do not represent individuals. It would no longer be clear WHO has access.

Conclusion

It is hard to take a stand. Explaining again and again why you will not add a shared account as manager is a big pain in the arse. 

You either take the security of the accounts you are responsible for seriously: or you don't. 

