Social Media Security Best Practices

Social media management goes beyond creating content. Keeping your official UB accounts secure, and ensuring proper protocols are in place to maintain authorized access, are among the most important aspects of account ownership. 

Follow the guidance below to safeguard and strengthen your unit or department’s social media accounts, as well as understand what to do in the event your account is compromised or access/credentials are lost:

Account Administrators

All official UB accounts must have two employees serve as primary account administrators (one owner and one back-up). Whenever possible, adding a third employee admin as additional back-up is recommended to ensure account access is retained in the event faculty or staff leave service. 

Departments should consider adding their Unit Social Media Lead as one of the back-up admins and/or providing access to login credentials to strengthen security.

Unit Social Media Leads should consider adding their Senior Communicator as one of the back-up admins and/or providing access to login credentials to strengthen security.

Students who create content or otherwise assist with social media management can have access to official UB accounts, but cannot serve as one of the primary admins. Additionally, where applicable, it is recommended that students are not provided with full account access/ownership; partial or task access is preferred.

Account Credentials

Email

Use a shared buffalo.edu email address to create and manage official UB accounts, whenever possible. If you do not have access to a shared email address for your department or unit, contact UBIT to request one. 

Be sure that at least two faculty or staff members have access to any shared email address associated with an official account.

Channel Considerations:

  • On platforms that require use of a personal account to create and manage pages (e.g. Facebook), utilization of account management tools (e.g. Meta Business Manager) is strongly encouraged, whenever possible, as detailed below
  • On YouTube, be sure to configure your account as a Brand Account so multiple admins can be connected as owners
    • If you utilize a shared Gmail account to manage your YouTube presence, make sure at least two employees have access to it and credentials are stored in a secure, centralized location

Account Management Tools

All Unit Social Media Leads are strongly encouraged to create a Meta Business Manager account for their unit and invite their portfolio of Facebook and Instagram accounts to join the business.

This will not only help ensure you retain access to unit and departmental accounts, but will also allow page owners to provide admin access via employees’ individual buffalo.edu email addresses, rather than rely on and utilize personal account credentials. 

Business Manager accounts must have two employees serve as primary admins, following the guidance detailed above.

Password Management

When creating a password for an official account, be sure to:

  • Use complex passwords. Passphrases are recommended, using a mix of upper/lower case letters, numbers and special characters
  • Avoid using common UB keywords (department name, office location etc.) or personal information that can easily be guessed
  • Use a unique password for each account:
    • Do NOT use your UBITName password for any social media account you manage. In the event that the social media account is compromised, your UB credentials will also be at risk
    • Do NOT reuse past passwords or use variations of a password across accounts, as it could put all of your accounts at risk in the event that one is compromised
  • Update the password annually, at minimum, as well as anytime an admin leaves service, as detailed below
    • Additionally, when hosting takeovers on your account, be sure to create a temporary password for the individual(s) creating the content and immediately change it following the takeover

Finally, account passwords and credentials should be stored in a secure, centralized location (e.g. Box, Teams), and shared with your primary account admins.

Annual Account Audits

Regular reviews of account credentials and admins are imperative to ensuring security. 

Primary account admins should review and update the following information annually for all official UB accounts:

  • Passwords
  • Current Admins
  • Access to credentials documents
  • Access to shared email addresses
  • Access to native account management tools and third-party social media management tools

Admin Transition Checklist

In addition to performing annual account audits, anytime an admin of an official account leaves service or no longer requires access (including students who contribute to the account), be sure to complete the following steps:

  1. Identify a replacement admin for any employee that leaves service, even if temporary
  2. Remove the individual’s admin access and/or change password(s) on each account, as appropriate to the social network, and replace with the new admin
    • Be sure to log out of all devices
  3. Remove access to any native account management tools as well as any third-party social media management tools utilized by the unit/department and replace with the new admin
  4. Remove the individual’s access to all credentials documents and replace with the new admin
    • Be sure to add updated passwords
  5. Remove the individual’s access to any shared email addresses utilized on official accounts and replace with the new admin

Multi-Factor Authentication

To further enhance security, it is strongly recommended that multi-factor authentication is enabled on ALL applicable UB social media accounts. 

Review the list of channel-specific resources for detailed instructions.

Employees managing official accounts on platforms that require individual access (e.g. Facebook, LinkedIn) are strongly encouraged to enable multi-factor authentication on their personal accounts as added protection.

Follow UBIT instructions to utilize Duo for multi-factor authentication.

Personal Devices

If you use a mobile device to manage your official UB social media accounts, consider taking the following steps to enhance security:

  • Enable biometric authentication on the device, whenever possible
  • Follow UBIT best practices for additional tips to keep your device secure

Resources

Social Network Security Best Practices and Features

In addition to the guidance detailed above, follow best practices and utilize the specific features available on each social network, as follows:

Account Security and Troubleshooting Resources

If you experience issues logging into your official UB account, use the resources below to regain access. 

Note: If you are unable to regain access to your account using these resources, or suspect that an account has been compromised, contact University Communications in addition to reporting the issue to the channel:

UBIT Social Media Security Tips

For additional tips on staying safe on social media, review UBIT’s guidance.