Forget two-factor authentication. Forget all the talk about how passwords are inherently weak and how the future is about biometric access to our online accounts. For my money, the biggest security problem on the social web is how Facebook requires you to use the same account to manage brand Pages that you use for your personal profile.
One of the best things I and the people I know and work with do when it comes to the brand publishing programs we manage is to follow the simple “don’t cross the streams” rule. That means you don’t use the same publishing tool for your personal account(s) that you do for anything business related. So if you use Tweetdeck for your personal Twitter browsing, use Hootsuite for business. If you use SocialEngage for one account, use Shoutlet for the other. Following this simple advice seriously reduces the chances you will accidentally post a personal update on your client accounts, or post something meant for one client to another’s page. These are the kinds of mistakes that result in lost accounts or lost jobs, so it makes sense to reduce the odds of that happening.
While you can set up different tools to manage different Facebook accounts – Shoutlet here, SocialEngage there and so on – doing so still requires you to log in with your personal Facebook page, through which you are the manager of any corporate/client pages you help manage and publish to. And that means if your personal account is hacked, the perpetrators then have access to all those pages. That’s a huge problem.
By using tools like SocialEngage, Hootsuite and others, brand managers are able to minimize the security risks. They can give their team and other stakeholders access to those tools without giving them direct password access to Twitter, so while it shouldn’t be understated or dismissed, the worst thing that’s going to happen is that someone is able to post an unapproved tweet or two before someone realizes what’s going on. They can’t change account information or do more harm. Accounts can still get hacked, yes, but the risk of wide-ranging damage is minimized.
But once someone has access to your Facebook page they can do anything and everything to your personal profile or the business Pages you manage. They can post anything they want, they can change account information, they can take down posts and do a lot of very serious damage.
This is a huge, gaping hole in the world of social network security, one that has a huge number of potential repercussions. Facebook needs to take a break from figuring out how to get brands to pay for more reach for their posts and rethink Page admin access, including offering the ability to set up some sort of business-level account that brands can use to manage a Page or multiple Pages. Then and only then can this dangerous connection between the personal and professional be severed to the point that Pages aren’t at risk every time someone, through no fault of their own, falls victim to a bad actor who has hacked their personal account.