Marketers will need to rethink the balance between security protocols and the free-flowing nature of their marketing plans in light of this week's hacking incidents targeting Burger King (pictured), Jeep, and other top brands.
On Monday, Burger King's Twitter account was hacked to say that the fast-food chain was sold to McDonald's “because the Whopper flopped.” The next day, Jeep's Twitter account announced that the company had been bought by Cadillac. It also posted an image of a man doing drugs with the caption: “We caught our CEO doing this.”
Ed Garsten, head of digital media at Jeep-owner Chrysler, says the first fraudulent tweet was noticed by Ignite Social Media, which manages the account for the carmaker. Ignite immediately contacted Twitter, and it regained control of the feed and deleted the unauthorized posts an hour later.
Garsten and his team, which does not operate the Jeep Twitter account but is responsible for social media at Chrysler corporate communications, assisted the Jeep marketing group by handling media inquiries and telling the public about the compromised account via other social media.
“When you play in the social media space, the possibility of being hijacked always exists – especially for a high-profile brand,” says Garsten. “Preparation is advisable, but it's not foolproof. The best defense is using difficult-to-detect passwords made up of a combination of letters – upper and lower case, numbers, and special characters – and using only one password for one account and changing it often.”
“Those are pretty basic rules of safe online practices,” he adds.
However, Garsten explains that brands give up a degree of control when they use third-party sites such as Facebook, Twitter, and other social media in their marketing initiatives.
“If you are hosting your own site, there are additional security measures that can be taken to help protect your server, but you have no control over the security of third-party sites such as Twitter and Facebook,” he says. “The truth is, no matter what measures you take, your sites and accounts are vulnerable.”
Burger King did not respond to requests for comment.
Agency leaders tell PRWeek that the breaches may result in both clients and firms reviewing their social media management practices.
Aedhmar Hynes, CEO of Text 100, says the rise of corporate identity theft has coincided with the fact that more people outside of IT departments are involved in company-wide password-protected environments.
“From an agency perspective, security has always been important. But there has also been a balance between our need to be agile with our social communications and [ensuring] secure access to the channels that facilitate real-time engagement,” says Hynes. “With these recent incidents, we are certainly re-evaluating this balance and elevating security. Given the need for agility, we will certainly look to greater security protection and training on possible breaches rather than restricting access to a small few, which may just be as counterproductive.”
Hynes explains that brands and agencies may want to maintain an up-to-date audit of who has access to all accounts and passwords or use a randomly generated password service such as lastpass.com or 1password.com. They can also make social, client, and platform account access part of an HR/IT exit-interview checklist that ensures access credentials are changed when an employee leaves the company.
Also, instead of giving several people direct access to owned channels through passwords, she recommends using social media management tools such as HootSuite that team members need to sign up for and access through personal accounts. With that strategy, team members can access their respective social media channels with different roles and permission levels.
Dan Horowitz, EVP and senior partner in Fleishman-Hillard's Washington DC digital group, agrees there “needs to be better governance and processes” in place.
He says clients also need a plan that is coordinated and practiced among departments such as marketing, IT, digital and social media, and legal, in addition to external agency partners.
In the event of a hack, this will help the team regain control, while other departments focus on quickly communicating the breach through secured, uncompromised social media channels as well as traditional media.
“There has been hacking as long as there's been the Internet. But today, once your Twitter handle is hacked, the viral spread of that news goes so wide and fast, that the pressure to respond is so heightened from five years ago,” says Horowitz. “If you haven't planned for something like this, it can feel as though it's too late when it does happen.”
Brands also need to figure out how they would publicly acknowledge a breach, notes Rob Longert, VP of M Booth's FirstWord digital practice.
“You need to figure out the right tone in advance. Burger King was able to be playful in its response, but if you're a brand, such as a financial institution that protects secure data, there is no way that you should joke about it,” he says. “It's important to quickly resume how you were communicating on Twitter before the hack – and Burger King has done a nice job of that.”
On Tuesday, Twitter took to its blog to provide a “friendly reminder” about password protection.
Yet others have countered that Twitter needs to take more accountability and adopt two-factor authentication. This could include a code texted to the account holder's mobile device.
Garsten says two-factor logins would be a definite security improvement.
“It's a double-edged dilemma,” he adds. “It might spark a backlash by those who simply don't want to be bothered. Users will demand at least an option, meaning they're also choosing for themselves what level of security they are comfortable with.”
Yet no matter how many safeguards are in place, a brand will be at risk if employees don't properly use them, explains Josh Hallett, SVP at Porter Novelli's Voce Communications.
“The hacker credo is that it is not the technology factor but the human factor that causes some kind of slip up in these situations,” he says. “The key is to make sure that your policies and procedures are being effectively communicated and adhered to.”