We're straightforward friends, so let's cut to the chase: "Facelift is safe!" Unfortunately, not all social media management tools can make that claim. Data protection specialist Christian Solmecke joined us to discuss the legal aspects of social media management software. We'll cover the key points, highlight the risks to be aware of, and explain how we address these aspects at Facelift.
Why is social media security important?
Over the past few years, privacy issues have emerged on the Internet and social networks, from payment methods to targeted advertising to fake news. Not a day goes by that many of us don't wonder how safe our information really is, or if the information we see is accurate. These concerns are not unfounded. From grandma nearly sending her life savings to the Prince of Cameroon to shadowy hacker groups attacking entire governments, the idea that social media is something sinister persists.
In fact, according to the German Federal Criminal Police Office (BKA), more than 146,000 cases of cybercrime were reported in Germany alone in 2021. And those are just the reported cases; the actual number is likely to be higher. Fortunately, security is much better than it used to be, and social networks are pulling out all the stops to stay one step ahead of cybercriminals.
What is Facelift's security like?
Facelift prides itself on working closely with network partners such as Meta and Pinterest to ensure the security of our clients' business data. In short, security is paramount to us. We do everything in our power to ensure that Facelift's security is top notch and that your company, employees and colleagues are as safe as our team can make them on social media.
To address your concerns about Facelift's security, explain our security guarantees, and hopefully reassure you that your social media accounts are safe with Facelift, we'd like to take some time to delve into this topic, explain what we do, how we do it, and what steps you can take to increase your company's security.
Server Location in Germany
Compared to other countries, data protection regulations in Germany are quite strict. In his white paper, Solmecke mentions Ireland, for example, where only small fines are imposed for data protection violations. It's a different story in Germany, where fines of up to €300,000 can be levied if providers violate data protection regulations. The sheer magnitude of this fine threat tends to make providers with headquarters and data storage in Germany more diligent and conscientious.
From a data protection perspective, providers based in Germany have a strategic advantage if all data is stored in Germany. This is the case with Facelift, as all data collected as part of Facelift is stored on servers in Germany.
ISO 27001 compliance
ISO stands for International Organization for Standardization. The word order was changed to reflect the Greek word isos – meaning equal – because it would have been IOS in English, OIN in French, and a number of other things in other languages.
This organization, based in Switzerland, operates globally to establish, well, standards. These include everything from food safety measures to copyright agreements, to, of course, digital security for entities operating in online spaces - like us! In the case of Facelift, this framework helps to structure our information security management system.
First, on the company and customer support side, Facelift is ISO 27001 compliant. You may have seen many sites and businesses claiming to be ISO compliant. It's a nice thing to be and it sounds very formal. But, abbreviations and numbers can be thrown around easily. They sound official but without explanations feel a bit meaningless, no?
This compliance covers some of the many steps we have taken to ensure that we handle your information responsibly and meet international security standards. These range from maintaining SSL protection on our website to regularly updating our technology as improvements are made.
Social Media Security: Best Practice
We also take security very seriously when it comes to our products. Many of our features are designed to help you improve your social media security.
Access tokens are codes that grant permission for software such as Facelift to exchange information with another platform – in this case your social media pages. These tokens expire periodically for security reasons. This can happen whenever passwords are changed or other account information changes on your social media accounts. There are a few other reasons for token revocation, and many of these are unknown, but all are done for security purposes.
While this feature may feel like a nuisance, it is truly intended as a way to refresh the security of your account connections and make sure that any updates or bug fixes by the social networks are applied properly.
If your access token is going to expire, or has already done so, you should receive notifications via email. You can learn how to restore expired access tokens in our extensive knowledge base.
If desired, Facelift administrators can enforce two-factor authentication for their organization. All users will then need their authenticator tools to log in. While not required, we always advise taking as many security measures as possible.
Furthermore, if desired, your administrators can also choose to restrict access via IP address. For instance, you can set Facelift to only accept logins from devices using the IP address of your office. Anyone operating from outside the office, including employees at home (unless their IPs are also granted access), would be unable to access your cloud. Administrators are also able to freeze and/or reset all managed accounts, as well as manage password policies for all users. Check out the topic of SSO and Social Logins, as it is important to your security.
Sophisticated user permissions
One of Facelift's best security features is its account management capabilities. Facelift gives administrators a lot of power to create and limit user accounts. While this feature is fantastic for creating clean workflows, assigning tasks within and between teams, and tracking activity, it's also great as a security feature.
New accounts can be given access only to the parts of the software they need. For example, if you hire someone specifically to be your community manager and they work almost exclusively on moderating your followers, you can choose not to give them the ability to publish content. Similarly, junior content creators can be required to have their work approved by others before it can be scheduled on your social media pages.
Also, Facelift does not allow users to affect the settings or permissions of the actual social media networks it is connected to. For example, a rogue employee cannot change who your Facebook administrators are, delete your Twitter page, change the "About" section of your company's LinkedIn description, etc.
Proper social media account management
While Facelift itself is secure, there are additional precautions your social media management team can take to keep your company's data and content safe on your end. Larger companies often have multiple users managing social media accounts. On social media platforms like LinkedIn or Facebook, business pages are separate entities from individual user accounts, but individual user accounts are required to manage these pages.
Many companies simply trust their employees enough to give their personal accounts access to the company page for moderation purposes. This is becoming more common as the "bring your own device" work culture grows. We're not here to tell you whether this is a best practice or not, and deciding the best course of action will depend on your own company culture and management style. But for platforms like these that require private manager accounts, here are some steps you can take to be more secure:
- Keep your list of administrators as short as possible. Even if you trust all your employees completely, things can happen. Maybe their accounts get hacked. Maybe they make a mistake when trying to upload their personal content and accidentally publish it to the wrong account. Maybe they just lose their devices. Over time, as new people join the team and others leave, this list can grow. Each new account you add is a potential liability.
- Encourage employees who use their personal accounts to change their passwords regularly.
- Consider limiting the BYOD culture. While there are benefits to allowing employees to work on their personal devices, there are also potential security issues. Company-issued devices can be wiped remotely, passwords can be changed, and they can be recovered when employees leave the company.
A note on Meta
Remember that the Facebook family of programs includes Instagram, Facebook, Messenger, and WhatsApp, so a security issue in one could affect the others. And, all of these can be managed via Facebook Business Suite, so a breach there is even more serious. Furthermore, Facebook is one of those aforementioned platforms that makes individual user accounts essential for running pages, and that almost always means letting at least one of your employees control your pages with their private accounts.
Unfortunately, creating a "fake" user account to manage your company's Facebook pages or Facebook Business Suite accounts is against Facebook's terms of service, so we do not recommend creating "dummy" accounts to serve this purpose. If Facebook gets wind of this, it could result in the deletion of that account (and your page!).
So, we recommend still using normal personal accounts for your page management. Luckily, there is no visible, public link between a Facebook page administrator and their personal profile. There is also no public indicator of who is behind certain content. Private pages are not visible, and no changes are made to your employees' private accounts through any sort of page activity. The only noticeable change is that your page managers may receive some page notifications on their private accounts. These can be switched off in page settings.
However, remember that Facelift does not require anyone to be logged in to their Facebook account and does not require every user to have their own personal accounts linked to their company pages. All it requires is one person with Facebook page administrator status to connect Facebook to Facelift.
After that, unlimited Facelift users, regardless of "official" Facebook administrator status, will be able to use the platform on the cloud, making Facelift a great way to help your employees keep their private and professional online activities separate.
Some platforms, such as Twitter, use a single account for the company presence. These are in no way linked to anyone else's private accounts. But, if your team consists of more than a couple of people, you will still likely place the login info in many hands.
Our social media security recommendations:
- Keep track of every new device and its owner with access to an account. If your company has a BYOD policy, you probably can't control what your employees do with their personal devices, but you can at least know if new logins or region-specific activity is coming from internal sources or bad actors.
- Change account passwords regularly, especially if a user leaves the company or unknown activity is detected. Most social media sites email users when "strange" activity occurs, such as unknown logins.
- Strongly encourage or require administrators to implement strong security measures for their personal devices, such as biometrics (facial recognition or fingerprinting, etc.). You can't force employees to change their personal device settings, but you can prohibit access to corporate accounts on personal devices without these measures.
- Associate your account with verification email addresses and phone numbers that your company owns and controls. For example, email@example.com, or use the work emails of your social media managers.
- Delete unused secondary accounts: Every unofficial company account is another hackable target bearing your name that a troll could potentially take for a digital joyride. We recommend keeping only the ones you need and use regularly, and that your official social media team controls. While other employees and departments may mean well by creating their own accounts, they often get abandoned, publish off-brand content, and are generally a liability. Unless they are strictly managed by qualified and regulated company personnel, they should be removed or "deactivated".
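The device tracking and unknown-login checks from the first two recommendations above (and the office IP restriction described earlier), written out as a small triage script. This is an added example, not Facelift's code or any network's API; the device inventory, the office range 203.0.113.0/24 and the login events are constructed sample data.

```python
import ipaddress

# Constructed device inventory for this example: account -> {device id: owner}.
KNOWN_DEVICES = {
    "acme_twitter": {"dev-1001": "a.mueller", "dev-1002": "b.schmidt"},
}
# Constructed office address range; anything outside it is treated as remote.
OFFICE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
# Countries the team normally works from, per account (constructed).
EXPECTED_COUNTRIES = {"acme_twitter": {"DE"}}

# Constructed sample of the "new login" notices a network might send.
LOGIN_EVENTS = [
    {"account": "acme_twitter", "device": "dev-1001", "ip": "203.0.113.17", "country": "DE"},
    {"account": "acme_twitter", "device": "dev-1002", "ip": "198.51.100.9", "country": "DE"},
    {"account": "acme_twitter", "device": "dev-9999", "ip": "198.51.100.77", "country": "BR"},
]


def triage_login(event):
    """Classify one login as 'internal', 'remote-known' or 'review', with reasons."""
    addr = ipaddress.ip_address(event["ip"])
    in_office = any(addr in net for net in OFFICE_NETWORKS)
    owner = KNOWN_DEVICES.get(event["account"], {}).get(event["device"])
    reasons = []
    if owner is None:
        reasons.append("device not in inventory")
    if event["country"] not in EXPECTED_COUNTRIES.get(event["account"], set()):
        reasons.append(f"login from unexpected country {event['country']}")
    if reasons:
        verdict = "review"          # unknown device or location: treat as a possible bad actor
    elif in_office:
        verdict = "internal"        # registered device on the office network
    else:
        verdict = "remote-known"    # registered device outside the office, e.g. BYOD at home
    return {"device": event["device"], "owner": owner, "verdict": verdict, "reasons": reasons}


def triage_all(events):
    """Run the triage over a batch of login notices and return one result per event."""
    return [triage_login(e) for e in events]


if __name__ == "__main__":
    for result in triage_all(LOGIN_EVENTS):
        print(result)
```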
Social Media Security Conclusion
Keeping Facelift safe and secure for our customers is our top priority, and we're proud to do that not only by providing a secure product, but also by taking our customers' data and security seriously.
Not only that, we want you to be successful on social! That means knowing social media platforms inside and out, helping you understand their features and capabilities, and staying on top of technology changes and trends.
We want your accounts to be secure whether they're on Facelift or not, so keep these instructions in mind the next time you do a security review.