Poor SUNY. The Twitter account of this august state academic institution was recently hacked by a porn site. And there are lessons in this for all of us.
The timing could not have been more ironic for SUNY. Their social media policy was forged by committee, replete with a nine-month long task force followed by a review of its recommendations by all 64 of SUNY’s campus presidents. And just as this nearly year-and-a-half-long process was lumbering towards an end, an enterprising black hat replaced SUNY’s wholesome Twitter messaging on June 18 with a fictitious, buxom brunette offering @SUNY’s 18,000 followers the come-on, “Watch me playing on Webcam.”
Users who clicked saw not campus scenes or students engaged in intellectual exploration, but a redirect to localsex2.com, replete with triple-X animations and “nude pictures of women and girls in your neighbourhood.” One wag on Twitter cracked, “in related news, SUNY applications just went up 500 percent.”
The embarrassing content hung around SUNY’s feed for less than half an hour, but the “gift” kept giving for in the hours and days that followed. SUNY themselves tweeted to confirm the hack a few hours after it happened on Saturday, and news coverage persisted until at least Tuesday of this week.
This droll little story isn’t going to end SUNY’s world, but it’s clearly a black eye and potentially an obstacle to revenue – at least a few teens and their parents might have been convinced to look elsewhere for their education. But the consequences of a data breach are potentially devastating for any organization. So what can we learn from SUNY’s misfortune?
- Make sure you’re proactively deploying your best resources. Don’t leave your in-house experts on the bench, and if you don’t have in-house experts that you trust, go get someone from the outside right away. Even SUNY (with its 65 total information technology departments and more than 90,000 total employees) should have done this.
- If you are breached, come clean right away. SUNY did a good job of this, presumably following their own response protocols. This appears to have helped keep the story from having longer legs than it did.
- Everybody’s a target. SUNY is a massive public good that affordably educates nearly half a million people at a time. Graduates go on to become astrophysicists, authors, and artists. So why would someone go after their Twitter feed? Because, as their own expert blogger points out, “Hackers may simply look for high profile social media accounts as a form of visibility of their work.”
- Security and reputation management are everyone’s business. Everyone in an organization is responsible for password hygiene, not just the IT department. Everyone is responsible for looking out for the social media baddies, not just Marketing. Everyone needs to hold each other accountable for following company policies, not just HR. If you don’t have confidence that all of your employees are taking all of these issues seriously, maybe it’s time to look at your policies and procedures.
- Every company needs to think like a tech company in this environment. SUNY has some big ideas and a deep bench of technology expertise, but its approach to social media could not be more different from that of a modern, entrepreneurial startup. It took SUNY 17 months to go from committee formation to review of the draft policy by 64 campus presidents. That was more than enough time for some weirdo to embarrass them on Twitter. Who knows what other information technology threats arose during that time?
In your organization, you might not have the resources of a SUNY. But that isn’t necessarily a bad thing. Your business can probably follow rule #5 more nimbly than SUNY, and you can get help by bringing in affordable, trusted expertise from the outside. The key is getting a strategic partner who will quickly but deeply assess your business to truly understand your reputation, then create solid, actionable strategies you can follow to protect yourself in this increasingly uncertain digital age.