Responsible Twittering Wed 05 Aug 09
The company's security issues are well-known, but users also need to be more responsible about what they tweet.
Twitter, the popular social media app, was recently awarded a Pwnie (pronounced "pony") at the Black Hat security conference. The reason for this rather dubious honor was what some call this year's biggest security failure: a hacker reportedly gained access to confidential company documents by breaking into the e-mail account of Twitter chief Evan Williams.
Prior to this, a similar incident occurred where someone hacked the password of a Twitter administrator and gained access to user accounts, including that of then President-elect Obama.
While this highlights the risks associated with applications in the cloud, it isn't the only security risk associated with Twitter. There are also risks from people spoofing other identities, from people disclosing sensitive data, and from people creating risk simply by talking about their activities.
Bank of America and ExxonMobil are two well-known companies in whose names people falsely claimed to be speaking on Twitter. Bank of America discovered this through its own use of Twitter for help desk functions, while ExxonMobil only learned of it when a reporter called to ask about its use of Twitter.
Imagine the issues if someone set up an account under your company's name and started dealing with your customers. Since Twitter doesn't verify identities (yet), people can claim to be anyone they want, such as Edgar Allan Poe or even the Dalai Lama. I'm not sure, but I suspect God on Twitter may not really be God, but if his Twitter bio proclaims, "Hell yeah, it's me!," it must be true, right?
Another type of security breach is someone disclosing sensitive information. Congressman Pete Hoekstra, R.-Mich., was accused of disclosing sensitive information in advance of a trip to Iraq. While political considerations cannot be discounted in determining whether or not this was a real security breach, it does highlight the potential problem. Are you really sure one of your employees wouldn't accidentally disclose confidential company plans?
We also need to train our people not to disclose seemingly non-sensitive data. I've seen reports of people returning from trips to find their home burglarized, and then wondering whether all of those tweets about what a wonderful time they were having on vacation tipped off the burglars. While this is a bit of a stretch, it is possible. Imagine someone in your company tweeting about a business trip to a location that just happens to be the home of one of your major competitors. Is this employee inadvertently starting speculation about a sale or takeover?
A lot of this is due to the immaturity of Twitter, of social media in general and of the people that use Twitter. I'm not referring to anyone's social behavior (I'll let someone else address that issue) but to the progress of social media as a fully developed application. Twitter started out as a simple, fun application to answer the question "What are you doing?," and people used it to answer that simple question.
However, as Twitter has grown and the possible uses of it and other social media have expanded, it's time that it matured into something that can support these expanded uses. Likewise, users have to be aware that the interaction has grown beyond "what are you doing." Security and security awareness are part of this maturation process.
Some of these issues are clearly the responsibility of Twitter, such as having its admins use strong passwords, protecting documents and verifying identities. As "Twitter's Security Dilemma" points out, the company really does need a Chief Information Security Officer. A CISO is needed not only to fix the security issues but, just as importantly, to regain some credibility for Twitter and to demonstrate that it has utility beyond being a personal application.
Interestingly enough, Twitter is considering offering verified identities as a potential revenue stream, not as a security provision. Presumably companies would be willing to pay to be able to tweet from verified accounts. Until then, we may have to warn our employees about spoofing, and not to disclose sensitive information just because someone claims to represent a trusted partner on Twitter.
Security firm F-Secure says Twitter has started filtering tweets that contain links to known malware sites.
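The F-Secure note above only describes the outcome. To show what such a link filter actually has to get right, here is an added example in Python; it is my illustration, not Twitter's or F-Secure's code, and the blocklist domains (`malware.example`, `evil-downloads.example.net`) and the sample tweets are constructed. It extracts URLs from tweet text, normalizes the host (case, trailing dot, port, user-info, IDNA), and matches the host and every parent domain against the blocklist, so a subdomain of a listed site or a URL dressed up with a friendly-looking `user@` prefix is still caught.

```python
import re
from urllib.parse import urlsplit

# Constructed blocklist of hypothetical malware-hosting domains (not real data).
MALWARE_DOMAINS = {
    "malware.example",
    "evil-downloads.example.net",
}

# Bare-bones URL finder: anything starting with http(s):// or www. up to
# whitespace or a closing quote/bracket. Good enough for tweet text.
URL_RE = re.compile(r"""(?i)\b(?:https?://|www\.)[^\s<>"')\]]+""")

# Constructed sample tweets for the demonstration.
SAMPLE_TWEETS = [
    "Great talk today! slides at http://slides.example/bh2009",
    "free screensaver lol http://Malware.Example/sshot.exe",
    "check this out www.cdn.evil-downloads.example.net/update.zip",
    "login here: http://good.example@malware.example/login",
    "no links here, just lunch",
]


def normalize_host(url):
    """Return the lowercased, IDNA-encoded host of a URL, or None if it has none.

    urlsplit().hostname already lowercases and strips the port and any
    user:pass@ prefix, so 'http://good.example@malware.example/' yields
    'malware.example', not the decoy 'good.example'.
    """
    if url.lower().startswith("www."):
        url = "http://" + url          # urlsplit needs a scheme to find the netloc
    host = urlsplit(url).hostname
    if not host:
        return None
    host = host.rstrip(".")            # 'malware.example.' == 'malware.example'
    try:
        return host.encode("idna").decode("ascii")   # unify Unicode/punycode forms
    except UnicodeError:
        return None


def blocked_parent(host, blocklist=MALWARE_DOMAINS):
    """Return the blocklist entry matching host or one of its parent domains.

    Suffixes are checked down to two labels, so a bare TLD never matches.
    Returns None when the host is not covered.
    """
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def scan_tweet(text, blocklist=MALWARE_DOMAINS):
    """Return the set of blocklist entries linked from one tweet (empty = allow)."""
    hits = set()
    for url in URL_RE.findall(text):
        host = normalize_host(url)
        if host:
            entry = blocked_parent(host, blocklist)
            if entry:
                hits.add(entry)
    return hits


def filter_tweets(tweets, blocklist=MALWARE_DOMAINS):
    """Split tweets into (allowed, blocked); blocked pairs each tweet with its hits."""
    allowed, blocked = [], []
    for tweet in tweets:
        hits = scan_tweet(tweet, blocklist)
        if hits:
            blocked.append((tweet, sorted(hits)))
        else:
            allowed.append(tweet)
    return allowed, blocked


if __name__ == "__main__":
    ok, bad = filter_tweets(SAMPLE_TWEETS)
    for tweet, hits in bad:
        print("BLOCKED", hits, "<-", tweet)
    for tweet in ok:
        print("allowed", "<-", tweet)
```

The obvious gap a practitioner will spot is URL shorteners: a `bit.ly`-style link hides the real host, so a production filter has to resolve the redirect chain (or check the expanded target against a threat feed) before deciding, and it should refresh the blocklist rather than ship it as a static set.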
We in the corporate world have some responsibilities too. First, we have to continue to encourage social media companies to improve security and reward those that do by adopting the more secure applications. Second, we must continue the never-ending effort to educate our employees about passwords, disclosure of information, the proper use of social media and all the other security practices.
I'm a believer in social media and its potential for use in the corporate world. I just hope that the developers of Twitter and other social media along with the corporate world recognize the issues and work to fix them before it kills social media.
"Twitter bird icon illustration" by Matt Hamm
Mike Schaffner directs information technology for the Valve and Measurement Group of Cameron in Houston and aims to infuse a business-based approach to IT management. He also blogs regularly at Beyond Blinking Lights and Acronyms and you can follow him on Twitter at mikeschaffner.
This article is also posted on Forbes.com. Feel free to join in the discussion either on this site or at Forbes.com.