In case you missed it, Buffalo Wild Wings’s official Twitter account was hacked last Friday. The perpetrators sent six tweets ranging from racist to puerile before the company regained control. At first glance, this account takeover (ATO) attack appears to be more humiliating for Buffalo Wild Wings than anything else. But, it should not be underestimated. This was likely not a disgruntled insider. Our investigations team identified several earmarks that point to a coordinated outside effort. We will follow up on that investigation soon. But let’s return to the hack: It could have been far worse. ATO attacks are often just the first wave of a larger offensive. Here are just a few ways in which an ATO can be more damaging:
- Brand Impersonation: Attacker retains account control for longer and mimics a brand’s voice just close enough to do lasting reputational damage.
- Mass Malware Deployment: Attackers send followers to malicious links, often on authentic-looking microsites with fake offers, to infect followers’ computers en masse.
- Hack Other Social Channels: Attackers gain access to one channel and leverage control to break into a brand’s entire social presence.
The full reputational impact will be felt over the next quarters for Buffalo Wild Wings owners Inspire Brands in terms of its enterprise value or revenue loss. Other effects may include supplier contract issues, litigation costs, and other variables that researchers have identified as ongoing risks to brand reputation incidents.
The public is now accustomed to this song and dance: brand gets hacked, embarrassing posts ensue, control is re-established, and the business issues an apology. Instead, enterprise marketing and security teams should try to learn from these incidents. Here are three lessons to take away from this latest social media hack:
1. SECURE YOUR BRAND, NOT YOUR CHANNELS
Digital risk management demands a holistic approach. Too often, security policies have been cobbled together piecemeal as companies adopt new technologies. In 2018 the marketing benefits of social media are no longer up for debate. Smart companies, like Buffalo Wild Wings, have embraced social as a way to connect with customers and remain top of mind to build loyalty. But being on social extends a brand’s digital risk perimeter to well outside its firewall. So, the “Fort Knox” approach to digital security is outdated. You can’t defend a citadel when your brand’s landscape is stretched across several islands. Start thinking of digital security in a larger brand context, rather than by channel. At the very least, is your enterprise equipped to monitor all of its internal and external digital channels in a centralized way?
2. GET PROACTIVE
Shift your digital risk management to a more proactive stance. Is your company monitoring key accounts in addition to brand accounts? Is your security team gathering intelligence to anticipate possible attacks before they happen? Do they have the tools to identify the particular signatures of different kinds of attacks? Often attacks like the Buffalo Wild Wings ATO are planned or discussed in advance. Conventional social listening tools employed by marketing teams may miss these mentions or be unable to crawl dark web conversations. Moreover, most tools can report problems or measure the sentiment of social media posts, but they aren’t designed to quarantine malicious posts or issue immediate takedown requests.
3. CHANGE STARTS IN THE C-SUITE
We believe digital security should empower businesses to embrace new technologies without fear. Security shouldn’t be an afterthought, it should be a catalyst. When an enterprise feels safe, it will be freer to adopt new technologies that will improve efficiency, enhance collaboration, and offer higher returns. However, getting to this point requires a change in coordination at the top: bridging the offices of the CMO and the CISO. We often see that marketing elements like social media or collaborate tools like Slack are considered outside the remit of CISO. But as we’ve seen from incidents like the Buffalo Wild Wings hack and others, the time has come for a redefinition. If your security team is only concerned with the company network, how well can it be prepared for everything that lies outside of it?
There's more to come, as our Investigations team digs into the data. In the meantime, what other social media lessons have you learned from recent high-profile hacks? Let us know in the comments!
July 3, 2020