In this digital age, a brand’s reputation and online presence are woven tightly together. But representing UC Santa Barbara on social media goes beyond tone, messaging, and imagery. Here's how to safeguard your accounts to ensure smooth, secure, and uninterrupted operations.
All UC Santa Barbara affiliated social media accounts must be owned by an employee and registered with UCSB. For security purposes, social media accounts should be managed by at least two accountable employees: one administrator and one back-up administrator. While a student may be enlisted to help manage an account, they should not establish or have the highest level (admin) rights to the account.
Accounts on social media platforms requiring a single login should use a UCSB functional email address with shared access for administrators (i.e. firstname.lastname@example.org). Connect Departmental Administrators (departmental email administrators) can request functional accounts. The account must also be accessible to at least two people, an administrator and a backup administrator.
Social media platforms should be monitored at all times and should never go without an active administrator. If the owner of a social media account is set to leave UCSB, a new administrator should be identified immediately. Ownership should be transferred to that individual and any administrative access the former employee had should be removed. For some platforms (LinkedIn, Facebook), this requires the removal of their profile as an administrator. Other platforms such as Twitter and Instagram require a change of password. Even if your team remains unchanged, it is a good practice to review your social media privacy settings and access and publishing privileges on a quarterly basis.
Multi-Factor Authentication adds another layer of protection in addition to your username and password. Generally, the additional factor is a token or a mobile phone app that you would use to confirm that you really are trying to log in. Learn more about MFA and how to turn it on for many popular websites at twofactorauth.org. We recommend applying MFA to every social media account you access, including any personal profiles used for administering business pages.
As a best practice, plan to change the passwords to your social media accounts quarterly, or immediately after any suspicious activity such as a security notification or when an administrator leaves their role or the university.
Never reveal your passwords to others. Nobody needs to know them but your social media team—not even the IT department. If someone is asking for your password, it’s a scam. Members of social media teams should store their passwords securely. As with all passwords, don’t write them down and leave them unsecured.
Use different passwords for different accounts, even your email account linked to your social media accounts. That way, if one account is compromised, the others won’t be at risk.
The longer a password is, the better. Focus on length over complexity, and use at least 16 characters whenever possible.
To make passwords that are hard to guess but easy to remember, use sentences or phrases. For example, “breadandbutteryum.” Some systems will even let you use spaces: “bread and butter yum.”
To increase the complexity of your password, include upper and lower case letters, numbers, and special characters. A password should use at least three of these choices. To make the previous example more secure: “Bread & butter YUM!” The best passwords have punctuation or numbers where they don’t belong. “bo.ok” as part of a password isn’t a book to a hacker trying to crack the password.
Avoid single words, or a word preceded or followed by a single number (e.g. Password1), and don’t use personal information in your password that others know or could easily guess about you (e.g. birthdays, children’s or pet’s names, car model, etc.). If your friends can find it, so will hackers.
Free password managers
Keep your information private, secure, and hidden:
Incident Response and Breach Preparedness
Some of the most common security risks for social media accounts include:
- Inactive/unmonitored accounts: Maintain a consistent presence across all of your social channels. Hackers can target unmonitored accounts and begin posting fraudulent content as your area of campus. (If your account is inactive and you don’t have the resources or a plan to resume activity, strongly consider retiring, indefinitely hiding, unpublishing, or deactivating the page.)
  - How to unpublish a Facebook page
  - How to disable an Instagram account
  - How to temporarily deactivate a Twitter account
  - How to delete or hide a YouTube channel
- Imposter accounts: These accounts can target our community and prospective students with scams and misinformation. Frequently search for your name in Google and on social media platforms to ensure yours is the sole account representing your department, organization or center. Look for accounts with similar spellings that are designed to trick users.
- Scams/phishing: Don’t answer any public or private messages requesting to obtain passwords, banking details, or other private information.
- Third-party connection apps: While these apps can make managing social media easier, any vulnerabilities can result in a breach where hackers gain access to your secure accounts. Limit your use of these services to one for each account. Manage the passwords for the accounts separately. Remember to shut the account down if you stop using the connection app.
- Human error: “Employee weakness” is responsible for one in five cyberattacks, according to this survey. Watch out for fake login pages and questionable direct messages — even just downloading a file or clicking a link can put you and the UCSB community in danger. Stay updated on recent social media security threats, and always think twice.
If your account is hacked:
- Report the issue via the help section of the social network where the incident occurred.
- Notify the Office of Public Affairs & Communications.
- Acknowledge the incident via your other channels as soon as possible, if applicable, and let your followers know you are working to rectify the issue.
- Report the issue.
- Respond to and thank any members of your network who may have initially reported the issue.
For additional guidance, consider referring to this informative and transparent University of Michigan case study detailing the response to an incident in which three of its athletics-related Facebook pages got hacked.
The following takeaways from the incident are outlined in the case study:
- Facebook will never send official communication via Messenger.
- Never enter your password anywhere but facebook.com. Scammers can set up fake pages that look like a Facebook login page, so always check the address bar.
- Watch out for fake pages/apps as well as “official” links using URL shorteners.
- Try to keep the number of admins to a minimum.
- Turn on login approvals for Admin and Editor roles, which adds another layer of security if there is a login attempt from an unrecognized device.
For hacking incidents
Consult these platform resources:
- Facebook: Hacked and Fake Accounts
- Instagram: Hacked Accounts
- Twitter: Security and Hacked Accounts
- LinkedIn: Reporting a Hacked Account
- YouTube: Fix a Hacked Account
Register Your Account With Us
Approved profiles are added to our directory
The university's official social media directory is live! Registering your account not only gives you added exposure but also access to ongoing updates, assistance, and training opportunities.