Czech government agency issues security advice for social media
Protecting your brand
21 November 2019
The Czech National Cyber and Information Security Agency has issued recommendations for how businesses should manage their social media to guard against identity theft, fraud and reputation damage.
The Key Points:
- Name your official social media account with the same name as your company.
- Your Facebook account should be managed directly by your company. The account should not be used for different purposes and should not be an employee's private account.
- Determine who has access to your official social media account. Limit the number of administrators to a tight group.
- Register alternative names of your official social media account to reduce the chances that attackers will try to imitate your official social media accounts or masquerade as representatives of your company.
- Use two-factor authentication for accessing your social media account such as a randomly generated code sent via SMS or hardware tokens.
- Create an e-mail box dedicated to each social media account that will be used for the administration of the particular social media account only. This reduces the risk of all social media accounts being hacked. Access the e-mail box through secure networks and devices only.
- Do not use personal devices to log into your official social media account.
- Create a strong password for each of your social media accounts.
- Do not use e-mail links or URL shortcuts for logging into your accounts to avoid phishing attacks.
- Do not log in into your official social media account using unsecure or unknown Wi-Fi networks.
- Use VPN when logging into your official social media account outside the office.
- Periodically update all the devices you use for logging into your social media account and the applications you use for the administration of the account.
- Use only trusted applications form official sources such as Google Play or App Store when accessing the social media account.
- Perform audits and checks periodically.
- Always make sure that you have properly logged out of the social media account. When temporarily leaving your device unattended, use a shortcut Win+L to lock the screen to eliminate the risk of unauthorised access.
- Have a clear policy on the use of social media, which reflects these points.
- Have a cyber incident response plan in place. The plan should specify the procedure for reporting incidents internally as well as steps to be taken towards relevant authorities such as the police. It should also consider mandatory breach notification obligations, as non-compliance may expose your company to huge penalties and may adversely affect its reputation.
The Czech Cybersecurity Act and GDPR
The Czech Cyber Security Act and the General Data Protection Regulation (GDPR) include mandatory breach notification. Under the Cyber Security Act, selected entities such as administrators and operators of information systems of critical information infrastructure, operators of essential services and digital service providers must notify security incidents to the relevant authorities once they have been detected. In addition, if personal data is compromised in a cyber accident, the company must notify a personal data breach to the Data Protection Office within 72 hours of becoming aware of it and in some cases communicate the data breach to the data subject (individuals whose personal data has been compromised).
Daniela Benčová, Junior Lawyer, contributed to the writing of this article.