AP’s Twitter Hack: This Isn’t About Twitter’s Security Protocols, It’s About Yours
Let’s put it this way: social media and security don’t work together very well today. Marketing professionals who see social media as a vital communication channel view security as a nuisance, whereas Security pros view services like Facebook and Twitter as trivial pastimes that expose the business to enormous risk. The problem is, when it comes to social media, these two facets of the organization need to come to terms with each other – and this was clearly on display Tuesday when the Dow Jones briefly plummeted over 100 points due to false Tweets from AP’s hacked Twitter accounts that indicated President Obama had been injured by explosions at the White House.
This recent breach signifies two things: 1) the potentially damaging impact of social media is real and growing, and 2) companies today aren’t doing enough to mitigate the risks.
As social media becomes a legitimate source of news and information, the implications for inaccurate or inappropriate behavior continue to grow. Damaging or disparaging comments on Twitter (whether intended or not), can have a real impact on your business and the way customers view your company and brand. Companies need to do more to protect their organization from social media risk because:
- Twitter account hacks are now “business as usual” for the social network. It seems every week there is news of another Twitter account hack (see CBS 60 Minutes, Burger King, Jeep, not to mention Twitter’s own breach). Clearly, Twitter needs to do more to enhance its own security protocols — two-factor authentication is sorely missing from the social network’s arsenal – but Twitter can’t take all the blame. Companies need to accept the existing limitations of the social network and reinforce their social media efforts with better security practices of their own.
- There are relatively easy ways to reduce the risk. The frequent Twitter account breaches also signify a larger trend of poor security behavior when it comes to social media. Easily discoverable passwords, shared accounts, minimal governance, and no security oversight are common reasons why recent social media hacks were successful. An effective spearphishing campaign opened the gates to the Associated Press Twitter account. These are relatively easy issues to fix, especially when you consider some of the much more complex security threats that exist today. They’re not completely solvable, but basic security protocols, such as using strong passwords, restricting access rights, and better awareness training would vastly improve your security posture.
- Security and risk pros avoid the conversation today. Still too often S&R pros seek reasons to block social media altogether at the company and do not try to join social media strategy discussion. As much as they would like to do this, completely blocking social media isn’t practical or effective (as I’ve pointed out before). Moreover, current security awareness efforts that can promote and educate the company on effective security behavior are insufficient and often seen by the security team as unimportant. In fact, according to our Forrsights Security Survey, security awareness initiatives fall towards the bottom on a long list of security priorities (10th on list of 15 possible initiatives).
Remember: This isn’t about Twitter; it’s about your own security and protecting your own company’s brand and reputation. The only way this can happen is if security and risk management become regular parts of the social media conversation, and conversely, when the security and risk management start to value social media as an important business tool with real benefits, and real consequences.