The new type of hack

If you're a certain age, you might remember arriving at work to find a small number of emails, all addressed to you personally by people you knew.
 
Then you received your first spam. Fifteen or so years later, anti-virus software and protection from malware and 'phishing' for personal identification details are a fact of life.
 
Something similar may be about to happen with hacking of corporate social media feeds and websites. 
 
It made headlines in February when a tweet was posted on the Twitter account of fast food restaurant chain Burger King claiming it had been taken over by arch-rival McDonald's.
 
A month earlier, an intern at HMV had taken over the music retail chain's Twitter account to tweet critically about the way staff were being dismissed.
 
Facebook, Microsoft, Apple, The New York Times and American television network NBC have also had their websites hacked this year, while the Dow Jones index fell sharply after the Syrian Electronic Army erroneously broadcast in the Twitter feed of Associated Press news agency that President Obama had been injured in an explosion at the White House. Even the Facebook page for Peppa Pig World fell victim to a hacker who left abusive messages on the site.
 
But for each such high-profile case, social media experts say many more are taking place unreported at UK companies every week.
 
And, with the essence of social media demanding that it is open, accessible and transparent, hacking is rapidly becoming a major concern for companies.
 
'Just as every brand has to be online, every brand nowadays has to be on social media,' says Justin Pearse, head of innovation at integrated marketing agency Bite Communications. 'The issue is control of the channels.'
 
Who are the social media hackers? Chris Woods, head of digital at reputation, communications and public affairs consultancy Hanover, says there are essentially three types of hacking.
 
There are 'hacktivist' attacks, hacking by organised criminal groups and state-sponsored hacking by countries.
 
'Taken together, this is definitely an issue that's just going to increase,' he says. 'In the short-term, some companies that are not on social media may not make decisions to get onto such networks because of things like this.'
 
The HMV episode, moreover, showed up a fourth category: disgruntled current and former employees.
 
'It's not necessarily going to be some whizz-kid in China hacking into your computers,' says Richard Cook, director of digital, media and technology public relations firm Champion Communications.
 
'It's more likely to be someone you know. It's the elephant in the social media room that companies don't like to talk about.'
 
This is not an issue confined to Twitter and Facebook, with more than 600 different social media platforms now active in the UK.
 
In addition, hackers are helped by the reality that many people still use one password, based on obvious and easily-discovered personal information, for all their internal and external social media accounts.
 
Recent surveys claimed that more than one in eight people still use 'password1' on all their social media sites, including the ones they use at work.
 
'Hacking of corporate accounts will never have a technology solution, as long as the principal weakness is human - the people behind the keyboards,' says Alex Pearmain, director of communications agency Brands2Life.
 
'The majority of recent cases have involved vulnerabilities related to accounts being left unguarded, or with very obvious username/password combinations.'
 
John Evans, the former head of corporate digital at Weber Shandwick and founder of ATC Digital Communications, says becoming a hacker is getting easier, now that people can download hacking software from the Internet and teach themselves.
 
'The reality is that many small, medium and large businesses are not set up to protect themselves from hackers,' he says. 'Many are still running legacy systems and employ people not equipped to deal with the modern threats of hacking. Many companies are unprepared and therefore highly vulnerable.'
 
So what can companies do to protect themselves from hacking attacks?
 
Pearse believes companies need to take a grown-up approach to social media, with passwords held centrally by one person and single sign-in technology and password management software employed to make this secure, whilst still enabling shared access to corporate social media accounts.
 
'We've reached a tipping point,' he says. 'Two years ago, some social media accounts used to be managed by the intern or someone else junior because they were the only people in companies who understood social media. There wasn't buy-in by the boards of companies. But you don't give the keys to your shop to the 16-year-old who works there on Saturdays.
 
'It's all about putting in processes, procedures and technology that can help you be as safe as possible.'
 
Cook advises that companies should change their password on the corporate social media accounts every month and have a portfolio of passwords, rather than use the same one for every site. They also need to monitor the access to their social media feeds.
 
Digital agencies also need to put their houses in order, says Kate Shaw, chief executive of Living Group, a corporate branding and communications agency for the financial and professional services sector.
 
She believes digital agencies need to take precautionary measures at every level to assure clients that information stored about them on their websites and portals is protected from unauthorised access.
 
'Prevention is key and it starts with infrastructure,' she says. 'Partnering with a reliable and reputable hosting firm is essential as they use state-of-the-art firewalls, perform continuous maintenance and updates to their server farms and offer 24 hour monitoring and alerts on detection of any suspicious traffic patterns.
 
'In addition to offering dedicated hosting, clients should expect their agency to offer penetration testing on the products they are building to assess the integrity of web builds, as well as installing secure, encrypted certificates on their websites.
 
'And agencies should not be running any unnecessary software or daemons that could become vulnerable to hacking attacks and be used to run malicious code.'
 
Social media sites themselves are also tackling hacking, with Twitter introducing two-step authentication so that when people set up a Twitter account, they are sent a link and code to enter to confirm it is a genuine account.
 
Members sign on via a unique code sent to their mobile phone, preventing hacking unless someone has their phone as well as their Twitter password.
 
Mark Flanagan, partner for digital communications at Portland, advises high-profile companies and individuals at risk from fake Twitter accounts to contact the firm and ask to use its verification service, which puts a blue tick on genuine accounts.
 
In addition, he says social media sites are now much better at taking down posts if genuine account holders get in touch and report fraud or hacking.
 
'Hacking is a fact of life,' he says, 'given the enormous growth in channels and the fact that virtually all of us are now publishers in our own right, owning and managing our own online presences.
 
'Corporates have to take it seriously and that means making sure you have the right processes in place and people in authority in the business who are on top of not just what's being said but of how the site and the channels are being managed day-to-day.'
 
Pearmain agrees, arguing that, while website hacking probably poses greater security risks than Twitter 'hacks,' most corporates need to take the issue more seriously.
 
He says: 'The main thing any responsible social media lead can do is control access through workflow and posting management tools, rather than direct access to the social networks, which allows user access to be revoked more reliably and quickly, in the event of someone gaining access maliciously.'
 
Some large companies are responding to the threat. Allan Schoenberg, executive director of corporate communications at CME Group, which operates the Chicago Mercantile Exchange, says the company re-examined its security after the Associated Press hacking attack.
 
'Everyone is a target for hacking, whether individuals or brands,' he says. 'We looked at what we had in place in terms of two-step authentication and implemented a monthly password change alert. It was definitely a wake-up call. It's out there.'
 
One concern is that some large companies may dispense with social media agencies and bring all activity in-house to minimise hacking risk.
 
Pearse believes that would set a dangerous precedent. 'There's always this debate, but it's about collaboration between brands and their social media agencies,' he says.
 
'I don't believe you can have as powerful a digital channel if you don't work in collaboration. Social media is a living breathing animal. It never stops.'
 
Abigail Watts, UK and Ireland public relations manager at US technology group Cisco Systems, adds: 'Many progressive organisations actively encourage their employees to become brand advocates and to use social media to amplify their sales and marketing efforts.
 
'With that naturally come some challenges, as it takes trust, and an element of control over how and when a message is communicated is lost.'
 
With sensible policies and guidelines in place, she argues that organisations can minimise that risk. It's unlikely to disappear though. 'Nothing is ever 100 per cent secure,' says Pearse. 'This is never going away as an issue.'