Twitter was named ‘word’ of the year in 2009 confirming the growth of a social networking and media site that is used by over 350 million people worldwide. However, Twitter is also gaining a reputation as a security risk for individuals and organizations.
Cybercriminals follow social networking sites with a passion because they see in Twitter and other social networking sites a huge opportunity to make money and commit fraud. Although spammers, scammers and malware creators are the root of the problem, end-users of the service are equally dangerous because, ultimately, it is what they do with Twitter that counts. If Twitters paid attention to what they are doing, listened carefully to warnings from security experts (their IT team at work) and did not trust every follower who sent them a message, there would be no reason to be concerned.
Unfortunately, humans are the weakest link in the security chain. Add to that a lack of education and little or no awareness of security and you have the right combination for something to go wrong.
So what are the risks and what can organizations and users do to limit such risk?
Data leaks of confidential or proprietary information: Corporate organizations are constantly trying to reduce the channels through which information could be leaked. There are numerous ways to update your Twitter account so it is impossible to block access all the time. The information that could be leaked includes identity theft, credit card fraud, business plans, confidential data, information about facilities, availability of personnel or their schedules.
Malware and viruses: Malware creators see Twitter an as excellent opportunity to spread malware. The use of abbreviated URLs makes it easy for the bad guys to mask links to infected sites and to redirect users to websites that they would think twice about visiting. The setting up of fake services could be used to collect credentials and information from that user.
Applications: Users put too much trust in both the people following them and the applications that are easily distributed. These applications, which may be insecure, could be used to steal accounts.
Improper use: Twitter makes it so easy for people to inform their friends and extended network of contacts about what they are doing, where they are and so on. Impulse messaging can be dangerous especially if the user is irate and doesn’t stop to think about the repercussions of his or her tweet. Sending inappropriate tweets is not recommended. From a corporate perspective, employees can be a threat if they post information that could impact negatively on the business, hurt its integrity. A wrong post picked up by such a wide audience could become a PR nightmare for that business.
Customer care: As more and more organizations set up their own accounts and encourage customers to keep in touch, businesses need to be careful how they deal with disgruntled customers who may use Twitter to discuss a negative experience they had. With only 140 characters at its disposal, a business should avoid getting into a slanging match with an unhappy customer on Twitter and encourage the client to use traditional customer care channels. Take the conversation offline.
How to counter the risks?
Every business or organization which uses Twitter (or any other social media or networking site) should have a strong policy in place (and enforced) that clearly states how it should be used by employees.
They need to be aware of the consequences of sending out seemingly innocent tweets which could still get them into deep trouble. In December 2009, a Vodafone employee was fired after his post was deemed by the company to go against fair competition. Drastic? Maybe, but it showed that even a humorous post could backfire.
Some basic rules include:
- Think twice before posting. Employees need to think compliance, integrity, security… then post.
- Access URLs in tweets with care. If there is no real need to check out the site, leave it.
- Show employees what to look out for. How to notice when someone is stalking or attempting to social engineer information.
- Avoid confrontation on Twitter. It is a great tool for customer feedback but a disaster in resolving issues.
- Create a policy in a language that is understood by employees. Have them sign it. There should be no excuses that they did not know what they could or could not say.