Let's cut straight to the tl:dr: facelift is safe and secure.
There, we've said it.
Here's the long version:
We do everything we can to ensure that facelift's cybersecurity is top-notch and that your company and employees stay as safe on social media as our team can possibly manage.
To better assuage any fears that you have about the safety of facelift, explain our security assurances, and hopefully provide you with the peace of mind that your social media accounts are safe on facelift, and in general, we'd like to take a little time to explain what we do and how we do it, and steps you can take to enhance your security yourself.
The Internet is a mixed bag
In recent years in particular, privacy concerns and other complications have arisen across almost all elements of the Internet, including everything from web payment methods to targeted advertising and fake news. Not a day goes by that many of us don't stop to wonder how safe our data truly is or whether the information we see is accurate.
And that's not an invalid fear. Ranging from that time grandma almost sent the prince of Cameroon her life savings, to shadowy groups of hackers tangling with entire governments, the notion that social media could actually be a very bad thing is a regular theme.
In fact, in 2020, over 50,000 reports of digital fraud were reported, according to eConsumer.gov. And that's just the ones that were reported.
But thankfully, cybersecurity is way better than it used to be, and social media companies are pulling out all the stops to stay one step ahead of cyber criminals. facelift takes pride in working with partners such as Facebook and Pinterest to ensure that our customers' corporate data stays safe.
Here's how we do it:
What does ISO 27001 mean?
First, on the company and customer support side, facelift is ISO 27001 compliant. You may have seen many sites and businesses claiming to be ISO compliant. It's a nice thing to be and it sounds very formal.
But, abbreviations and numbers can be thrown around easily. They sound official but without explanations feel a bit meaningless, no?
ISO stands for International Organization for Standardization. The word order was changed to reflect the Greek word isos – meaning equal – because it would have been IOS in English, OIN in French, and a number of other things in other languages.
This organization, based in Switzerland, operates globally to establish, well, standards. These include everything from food safety measures to copyright agreements, to, of course, digital security for entities operating in online spaces - like us!
In the case of facelift, thisframework helps to structure our information security management systems.
This compliance covers some of the many steps we have taken to ensure that we handle your information responsibly and meet international safety standards. These include such items as maintaining SSL protection on our website, to regularly updating our technology as improvements are made.
That's on the client side – what about the product side?
Social media cybersecurity best practices on facelift
Cybersecurity on facelift itself is something we take extremely seriously.
When you connect your company's social media accounts to facelift, you are asked to provide access tokens, and our software guides you through this process, which in most cases only takes a few moments.
When you do this, you have officially connected your page or account to facelift and data is shared from the social media platform you're using. This flow of information powers your reporting and analytics data in facelift and is essential to the functionality of the product.
This data exchange is encrypted and does not provide a weak point at which your information can be gathered.
Access tokens are codes that grant permission for software such as facelift to exchange information with another platform – in this case your social media pages.
These tokens expire periodically for security reasons. This can happen whenever passwords are changed or other account information changes on your social media accounts. There are a few other reasons for token revocation, and many of these are unknown, but all are done for security purposes.
While this feature may feel like a nuisance, it is truly intended as a way to refresh the security of your account connections and make sure that any updates or bug fixes by the social networks are applied properly.
If your access token is going to expire, or has already done so, you should receive notifications via email.
Follow this link for more information about how you can restore your access token when it expires. It only takes a minute!
If desired, facelift administrators can apply two-factor authentication to their accounts. This will require that all users use their authenticator tools to log in. While not required, we do always advise taking as many security measures as possible.
Furthermore, if desired, your administrators can also choose to restrict access via IP address.
For instance, you can set facelift to only accept logins from devices using the IP address of your office. Anyone operating from outside the office, including employees at home (unless their IPs are also granted access), would be unable to access your cloud.
Administrators are also able to freeze and/or reset all managed accounts, as well as manage password policies for all users.
For more specific information and walkthroughs about keeping your account secure, you can visit our knowledge base here.
Extensive user management controls
One of facelift's finest security features is its account management capabilities. facelift grants administrators a lot of power over the creation and limitation of user accounts.
While this feature is fantastic for creating clean workflows, designating tasks both within a team and between teams, and tracking activities, it's also great as a security feature.
New accounts can be granted access to aspects of the software that they require. For example, if you hire someone specifically to be your community manager and they work almost exclusively in moderating your followers, you may choose not to grant them content publishing rights.
Similar capabilities make it so that junior content creators must have their work approved by others before it can be scheduled on your social media pages.
Also, facelift does not allow users to affect the settings or permissions of the actual social media networks to which it is connected. Therefore, a rogue employee, for example, cannot change who your Facebook administrators are, delete your Twitter page, or change the "About" section in your company LinkedIn description, etc.
Proper social media account management
Even though facelift itself is safe, there are additional precautions that your social media management team can take to keep your company's data and content safe on your end.
Larger companies often have multiple users managing social media accounts.
With social media platforms such as LinkedIn or Facebook, business pages are separate entities from individual user accounts, but individual user accounts are needed to manage these pages.
Many companies simply trust in their employees enough to give their personal accounts access to the company's page for moderation purposes. This is becoming more common as "Bring Your Own Device" work culture grows.
We're not here to tell you whether this is a best practice or not and deciding the best course of action will depend on your own company culture and management style.
But, for platforms such as these that require private manager accounts, here are a few steps you can take to stay safer:
- Keep your administrator list as short as possible. Even if you trust all your employees completely, things can happen. Maybe their accounts are hacked. Maybe they make a mistake and accidentally publish content on the wrong account when trying to upload their personal content. Maybe they simply lose their devices. Over time, with new employees joining the team and others leaving, this list can go un-trimmed. Every new account you add is a potential liability.
- Encourage employees who use their personal accounts to change their passwords regularly.
- Think about limiting BYOD culture. While there are benefits to allowing your employees to work using their personal devices, there are also potential security issues at hand. Company issued devices can be wiped remotely, can have passwords changed, and can be retrieved from employees when they leave a company.
A note on Facebook
Remember that the Facebook family of programs includes Instagram, Facebook, Messenger, and WhatsApp, so a security issue in one could affect the others. And, all of these can be managed via Facebook Business Suite, so a breach there is even more serious.
Furthermore, Facebook is one of those aforementioned platforms that makes individual user accounts essential for running pages, and that almost always means letting at least one of your employees control your pages with their private accounts.
Unfortunately, creating a "fake" user account to manage your company's Facebook pages or Facebook Business Suite accounts is against Facebook's terms of service, so we do not recommend creating "dummy" accounts to serve this purpose. If Facebook gets wind of this, it could result in the deletion of that account (and your page!).
So, we recommend still using normal personal accounts for your page management. Luckily, there is no visible, public link between a Facebook page administrator and their personal profile.
There is also no public indicator of who is behind certain content. Private pages are not visible, and no changes are made to your employees' private accounts through any sort of page activity.
The only noticeable change is that your page managers may receive some page notifications on their private accounts. These can be switched off in page settings.
However, remember that facelift does not require anyone to be logged in to their Facebook account and does not require every user to have their own personal accounts linked to their company pages. All it requires is one person with Facebook page administrator status to connect Facebook to facelift.
After that, unlimited facelift users, regardless of "official" Facebook administrator status, will be able to use the platform on the cloud, making facelift a great way to help your employees keep their private and professional online activities separate.
Some platforms, such as Twitter, for example, are single accounts. These are in no way linked to anyone else's private accounts. But, if your team consists of more than a couple people, you will still likely place the login info in many hands.
We recommend that you:
- Keep tabs on every new device and its owner with access to an account. If your company works with BYOD, you probably can't control what your employees do with their personal devices, but you can at least know whether new logins or region-specific activities are coming from internal sources or from bad actors.
- Change the account password regularly, particularly if a user leaves the company or any unknown activity is noticed. Most social media sites email users when "strange" activities, such as unknown logins, occur.
- Highly encourage or mandate that administrators enact strong security measures for their personal devices, such as biometrics (facial recognition or fingerprinting, etc). You can't force employees to change their personal device settings, but you can forbid access to company accounts on personal devices without these measures.
- Connect your account to verification email addresses and phone numbers owned and controlled by your company. For example, email@example.com, or use the work emails of your social media managers.
Pursue official verification status
Large brands, famous individuals, politicians, and many others have long "earned" these coveted blue badges that adorn profiles on most major social media platforms. These badges indicate that an account is authentic; that it truly represents the name or brand that it says it does and is in general a great way to attract followers and build legitimacy.
But attaining this status can also help your security. An official badge means that your account is the official account bearing your name. It prevents confusion with other accounts with similar names or with trolls, scammers, or other ne're-do-wells that may seek to harm your brand image through impersonation.
And, while no social media platform would likely admit to this, if something does go wrong you are almost assuredly going to receive priority treatment for account recovery and support.
Furthermore, one of the best ways to get verified is also a good security practice.
Delete unused secondary accounts.
Each unofficial company account is another hackable target that bears your name and that a troll could potentially take for a digital joy ride. We recommend that you keep only what you need and regularly use, and that your official social media team controls.
While other employees and departments may mean well by creating their own accounts, these often become abandoned, publish off-brand content, and are generally a liability. Unless they are strictly managed by qualified and regulated company personnel, they should be removed or "deactivated".
Keeping facelift safe and secure for our customers is our top priority and we're proud to do this by providing not only a safe product, but also by treating our customers' data and security seriously.
And not only that, we want you to succeed on social! This means knowing social media platforms inside and out, helping to educate you on their features and capabilities, all while staying on top of changes in technology and trends.
We want your accounts to be safe whether they're on facelift or off, so keep these instructions in mind when you do your next security review.
Do you have more questions or concerns about facelift's security? Did we miss something? Don't hesitate to reach out to our experts by following this link. We'd be happy to set your mind at ease!