Understand the risks
If your organisation uses social media or communications tools, you should be aware of the main risks before deciding how they will be used.
Common risks include:
- Unauthorised or damaging content being posted on behalf of your organisation.
- Draft, inaccurate, or incomplete messages being published too quickly.
- Attackers hijacking accounts or redirecting users to malicious content.
- Unknown or uninvited people joining online meetings.
- Sensitive information being exposed through recordings, chats, shared files, or what is visible on screen or in the background.
Choose services with security in mind
When choosing a social media platform, online meeting service, or communications tool, security should be considered from the start. Organisations often need plans with stronger administrative and security controls than those designed for casual personal use.
Things to consider when selecting a service include:
- Does it support multi-factor authentication (MFA), two-step verification (2SV) or passkeys for accounts?
- Does it provide account recovery options if access is lost or the account is compromised?
- Does it offer suitable controls for managing multiple users securely?
- Does it provide appropriate support for data protection, privacy, and compliance needs?
- If you use a social media management or content scheduling tool, does it offer the same level of protection as the platform itself? Such tools hold credentials or access tokens that can post as your organisation, so they need MFA and per-user access controls at least as strong as the platform's.
Secure your accounts
Accounts used for social media and communication tools should be treated as important business assets. If they are compromised, attackers may be able to post damaging content, access conversations, view data, or impersonate your organisation.
You should:
- Use strong, unique passwords for all important accounts.
- Turn on MFA/2SV wherever it is available.
- Use passkeys where the provider supports them.
- Store credentials securely, for example in a password manager, rather than in plain text files or shared unprotected documents.
- Switch on account access logging or audit features if the service provides them, and review them regularly for sign-ins from unfamiliar devices or locations, role changes, and posts by people who should not be publishing.
- Make sure recovery information is kept up to date and accessible to the right people.
If staff leave the organisation or change roles, their access to relevant platforms and tools should be removed promptly if it is no longer needed. This is especially important for anyone who had publishing or administration rights.
Limit who can publish, manage, and join
Only authorised staff should be able to publish official content, manage key settings, or control who can join business meetings. Clear access control helps reduce the risk of mistakes, misuse, or compromise. You can find more information in our advice and guidance section for Identity and Access Management.
For social media and publishing tools:
- Limit publishing rights to staff who genuinely need them.
- Avoid sharing passwords where possible. Prefer individual accounts with delegated roles (for example, a business or team feature that grants publishing rights without revealing the password). If shared access is unavoidable, hold the credential in a password manager vault with its own access controls and logging so you can see who used it and revoke access without changing the password for everyone.
- Make sure staff understand which account they are using before posting.
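One way to turn the points above (audit logging, removing access promptly when people leave, and limiting publishing rights to those who need them) into a repeatable check is a periodic access review. The script below is an added example, not part of the original guidance: it compares a constructed export of a platform's member list against the organisation's authorised roster, then scans a constructed audit log for actions by accounts that should not hold them. The CSV layouts (email, role, mfa_enabled, last_login; timestamp, actor, action, detail) are hypothetical, so map your platform's real export fields onto them before use.

```python
"""Access review for a shared social media / publishing account.

Added example, not part of the original guidance. The CSV layouts are
hypothetical: real platforms export different field names, so map them
to these columns before running the review.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed roster: who is currently authorised to hold access, and the
# highest role each person should have on the platform.
AUTHORISED = {
    "alice@example.org": "admin",
    "bob@example.org": "publisher",
    "cara@example.org": "viewer",
}
ROLE_RANK = {"viewer": 0, "publisher": 1, "admin": 2}
STALE_AFTER = timedelta(days=90)
# Fixed review time so the constructed data gives repeatable results.
REVIEW_TIME = datetime(2024, 5, 4, tzinfo=timezone.utc)

# Constructed export of the platform's member list (hypothetical format).
# dave has left the organisation; bob has escalated himself to admin.
PLATFORM_USERS_CSV = """\
email,role,mfa_enabled,last_login
alice@example.org,admin,true,2024-05-02T09:14:00Z
bob@example.org,admin,true,2024-05-01T17:30:00Z
cara@example.org,viewer,false,2024-01-20T08:00:00Z
dave@example.org,publisher,true,2024-05-03T11:05:00Z
"""

# Constructed audit log export (hypothetical format).
AUDIT_LOG_CSV = """\
timestamp,actor,action,detail
2024-05-01T17:31:00Z,bob@example.org,role_change,bob@example.org -> admin
2024-05-03T11:06:00Z,dave@example.org,post_published,Q2 results teaser
2024-05-03T11:07:00Z,alice@example.org,post_published,Office closure notice
2024-05-03T12:00:00Z,dave@example.org,login,new device
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" = revoke or escalate now, "medium" = fix soon
    subject: str    # account the finding is about
    message: str


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def _parse_ts(value):
    # Accept the trailing "Z" that many exports use for UTC.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_users(platform_csv, authorised, now):
    """Compare the platform's member list with the authorised roster."""
    findings = []
    for row in _rows(platform_csv):
        email = row["email"].strip().lower()
        role = row["role"].strip().lower()
        if email not in authorised:
            findings.append(Finding("high", email, "not on authorised roster; revoke access"))
            continue
        if ROLE_RANK[role] > ROLE_RANK[authorised[email]]:
            findings.append(Finding("high", email, f"role {role} exceeds authorised {authorised[email]}"))
        if row["mfa_enabled"].strip().lower() != "true":
            findings.append(Finding("medium", email, "MFA not enabled"))
        if now - _parse_ts(row["last_login"]) > STALE_AFTER:
            findings.append(Finding("medium", email, "no login in 90 days; confirm access is still needed"))
    return findings


def review_audit_log(audit_csv, authorised):
    """Flag logged actions by accounts that should not be able to take them."""
    findings = []
    for row in _rows(audit_csv):
        actor = row["actor"].strip().lower()
        action = row["action"].strip().lower()
        when = row["timestamp"]
        if actor not in authorised:
            findings.append(Finding("high", actor, f"{action} at {when} by account outside roster"))
        elif action == "post_published" and ROLE_RANK[authorised[actor]] < ROLE_RANK["publisher"]:
            findings.append(Finding("high", actor, f"published at {when} without publishing rights"))
        elif action == "role_change":
            findings.append(Finding("medium", actor, f"role change at {when}: {row['detail']}"))
    return findings


def run_review(platform_csv=PLATFORM_USERS_CSV, audit_csv=AUDIT_LOG_CSV,
               authorised=AUTHORISED, now=REVIEW_TIME):
    return review_users(platform_csv, authorised, now) + review_audit_log(audit_csv, authorised)


if __name__ == "__main__":
    for f in run_review():
        print(f"[{f.severity:6}] {f.subject}: {f.message}")
```

Run against the constructed data, the review reports dave (left, still has publishing rights and is still posting), bob (holds admin although only publisher is authorised, with the self-escalation visible in the log), and cara (no MFA and no recent sign-in). Each high finding maps directly to the "revoke promptly" and "limit publishing rights" points above; running this on a schedule, with the roster fed from HR, catches leavers and privilege creep that a manual check would miss.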
For online meetings and communication tools:
- Only allow direct access to authenticated users and invited guests where possible.
- Require passcodes for unauthenticated users.
- Use a waiting room or lobby to check participants before admitting them.
- Consider restricting access from outside your organisation or from unknown contacts if the service allows it.
- Never share meeting links or passcodes in public places such as open social media posts or public websites.
- If someone joins a meeting and you do not recognise them, check who they are before continuing.
Review content before it goes live
Social media and public communications can move quickly, but speed should not come at the expense of accuracy, authorisation, or professionalism. A simple approval process can prevent damaging mistakes and reduce the risk of inappropriate content being published.
Your process should:
- Make clear who drafts, reviews, approves, and publishes content.
- Include checks for accuracy, relevance, and tone before publication.
- Require additional review where needed, for example legal, technical, or senior approval.
- Reduce the risk of draft or out-of-date content being published by mistake.
Be careful about what you share
Whether posting on social media or joining an online meeting, staff should think carefully about what information they are revealing. Sensitive data can be shared intentionally or accidentally through posts, messages, recordings, chats, shared files, or even what is visible on screen or behind the speaker.
Good practice includes:
- Checking your surroundings before joining a video call.
- Using background blur or a background image if needed for privacy.
- Knowing how to mute your microphone, turn off your camera, and recognise when a meeting is being recorded.
- Reviewing privacy settings before using a new tool or feature.
- Knowing where recordings, transcriptions, chat logs, and shared files are stored.
- Understanding whether AI features or AI attendees are recording, transcribing, or analysing meeting content, what data they collect, and whether you can opt out.
- Checking who has access to stored data and how long it is retained.
Use trusted devices
Where possible, staff should use work devices to manage official social media accounts and business communications tools. Managed business devices are easier to secure, update, monitor, and support during an incident.
- Use corporate devices to create and publish official social media content wherever possible.
- Keep apps and devices up to date so security fixes are applied promptly.
- Avoid using unofficial or unmanaged devices for sensitive communications or account administration.
- If staff use their own devices, be aware of the increased risk of posting from the wrong account or exposing credentials on a device that is harder for the organisation to manage.
Prepare for account compromise or misuse
Even with good controls in place, accounts may still be compromised or misused. It is important to have a simple recovery plan so access can be regained quickly and damage can be limited.
Your recovery plan should include:
- How to quickly revoke access from users who should no longer have it.
- How to access account recovery information and support routes for each platform.
- Who in the organisation is responsible for responding if an account is hijacked or misused.
- What information may be needed to prove ownership to the provider if support is required.
Keep staff aware of their responsibilities
People play an important role in using social media and communications tools safely. Staff involved in creating, approving, publishing, moderating, or administering content should understand both the security risks and the organisation’s internal processes.
- Make sure relevant staff know which tools they are allowed to use and how they should use them.
- Reinforce the importance of following approval and publishing processes, especially during busy periods or incidents.
- Encourage staff to pause and check before posting, sharing, inviting, or recording.