The arrival of Elon Musk at Twitter headquarters on 26 October 2022, bearing a no-doubt hastily acquired basin to deploy in the service of what can only be described as a dad joke, has prompted seismic changes in the world of social media.
Twitter, one of the longest-established social platforms, has been a touchstone of online engagement for millions of people and organisations for over a decade, but it suddenly faces a very different future – and some of the biggest changes are in the cyber security field.
Musk has long cultivated a reputation for impulsive statements and spur-of-the-moment decisions that have often landed him in hot water – fans would say he typifies fellow social media baron Mark Zuckerberg’s old motto “move fast and break things” – and, to date, he has brought this attitude to bear on Twitter, dismissing employees left, right and centre, and making sweeping changes before just as abruptly rolling them back.
Among some of the more high-profile incidents to befall Twitter in the past fortnight have been the sudden departures of its chief information security officer (CISO), chief privacy officer and data protection officer, and compliance officer; changes to its blue tick verification system that have resulted in a wave of impersonation of high-profile accounts; and, earlier this week, changes to the microservices used at Twitter – supposedly at Musk’s personal behest – that seem to have caused glitches in the platform’s SMS multifactor authentication processes.
At the time of writing, there has been no major cyber incident or data breach affecting users of the platform. However, there is a growing perception that Musk’s abrupt termination of thousands of Twitter employees is causing the platform to fray at the edges as various small technical issues start to mount up.
Furthermore, there are already clear signs that Musk’s management style is starting to introduce intolerable levels of risk for organisational users, not least from a brand management perspective. Advertising sector giant Omnicom Media has already advised its clients to halt their spend with Twitter, while the US’ Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC) are monitoring the situation closely, as is the UK’s Information Commissioner’s Office (ICO).
An ICO spokesperson tells Computer Weekly: “Compliance with UK data protection law should be a high priority for all companies, no matter their size or stature. We will continue to monitor the situation with Twitter as it evolves, and encourage anyone with concerns to report them to us.”
So, in light of the ongoing issues at Twitter, it feels like the right time to consider whether or not the platform remains a safe place for business users, and what organisations can do to protect themselves should the scale of the potential risk increase. In short, should you be clamping down on Twitter?
“Much has been said about the psychological safety of using Twitter, both before the current collapse of the moderation and ethics controls as well as after,” says Rachael Greaves, CEO and founder of Castlepoint Systems, an Australia-based provider of information governance and risk management services.
“The culture of the company has always leaned precariously over the chasm of risk while straining to reach the high fruits of market saturation and monetisation, with a culture that has seemed to become more tolerant of potential and actual harm to its users over time.”
Certainly, the trust that users hold in Twitter has been badly damaged, and while it may not yet be irreparable, trust once broken can take years to fix and will be less resilient in future.
“I think trust seems to be diminishing quite rapidly,” says Jake Moore, global cyber security advisor at ESET. “Trust has been so heavily featured at Twitter’s core over the last decade.
“People use it to corroborate information, to get news out rapidly, and it has built up a level of trust that many people have confidence in. It seems like a huge change that this trust – which you don’t build overnight – has diminished so rapidly.”
Moore highlights the issues with blue tick verification – turning it from a signal that a user is a trusted voice in their field to an $8 subscription service for anybody who cares to spend the money – as a key factor in the erosion of user trust, and says it has put both brand integrity and reputation at risk.
“That blue tick is very difficult to get. I know of journalists who are extremely high-profile who, until two weeks ago, were still struggling to get it. That in itself gave a certain kudos that Twitter only gave the extra form of verification to those who could verify to the highest degree.
“You can’t offer a blue tick like that to everyone,” he says. “It waters down what verification means. And this grey ‘official’ button? So what was the point? You could even start to question if you can trust accounts you know are official, because we don’t know what their security is like, or what their policies are.”
Defense.com’s Oliver Pinson-Roxburgh agrees the blue tick debacle has been a game-changer in terms of trustworthiness, and is opening the door to other sources of cyber risk to users.
“Rather than being traditionally ‘hacked’ via the platform, the biggest issue comes from adversarial information-based attacks, especially impersonation. When all users gained the ability to acquire a blue tick, a core idea at the heart of Twitter changed…It’s open season for personal and professional spoofing and impersonation attacks. Indeed, one notable change will be that the jump in fake accounts will also increase the likelihood, and bring greater believability to, other informational attacks such as phishing.
“Firms are playing catch-up with this new reality on Twitter. Only recently, someone registered a similar username to pharmaceutical giant Eli Lilly, paid $8 for a blue tick and quickly wiped billions off their share price with a single tweet. There was very little Eli Lilly could’ve done to defend against this attack,” he says.
A legal perspective
Matthew Holman is head of technology and data protection at law firm EMW. He agrees with the general sentiment that chaos reigns in the Musk era, but points out that in reality, we know very little about what is actually going on.
Nevertheless, from a legal perspective it is very clear that Twitter absolutely needs to have key security and compliance leaders in place – it has appointed insider Renato Monteiro as acting DPO, though it is unclear what “acting” means in this context.
Even so, says Holman, there are increasing legal concerns about Twitter’s data protection compliance and whether it meets the standards of the European Union (EU) and UK General Data Protection Regulation (GDPR).
“I understand why organisations are increasingly concerned about Twitter’s data protection compliance, and whether it still takes it seriously in a world where Elon Musk is in charge, but that’s a view based on mood music; we’ve seen no evidence of breaches that have arisen,” the legal expert says.
Nor, he adds, is there any evidence that processes within Twitter are slipping in terms of their compliance, simply because too little time has passed since the service was acquired.
“There are plenty of signs that data protection and security issues may be coming down the line, but what they are is anybody’s guess,” he says. “An indicative factor is the sudden departure of data governance and compliance officers. That is a concern. Questions should be posed as to what caused them to leave, and whether their departure creates a compliance gap.”
“I wouldn’t be surprised if Twitter found itself an increasing target for nefarious hackers and the equivalent, or people with anti-Musk or anti-US agendas, [or] even disgruntled internal people with a grudge, all of which potentially creates risk exposure for businesses.”
In terms of GDPR compliance, the situation remains highly fluid. During the course of researching this article, suggestions have arisen that Twitter either has fallen or will fall out of compliance with the GDPR’s One-Stop-Shop (OSS) mechanism. This is a clause that allows organisations to engage exclusively with a single lead EU regulator, as opposed to 27 different bodies. In Twitter’s case, its OSS is Ireland’s Data Protection Commission (DPC).
“If the Irish DPC no longer elects to be Twitter’s EU One-Stop-Shop, Twitter would suddenly be exposed to 27 Member States’ independent assessment and enforcement – and potentially separate enforcement from the ICO – so essentially 28 investigations, which from a legal perspective is an absolute nightmare. It is in Twitter’s interests to keep the DPC happy,” he says.
So, should you quit Twitter?
This is the question many business and security leaders will be puzzling over. Do you pull your organisation’s Twitter presence and risk missing out on the benefits of an active social media presence? Or perhaps a more guarded approach to Twitter usage is in order?
Some obvious red flags that may influence a decision would be historic breaches or reports of same, and potentially new products that fly close to the wind in terms of whether or not they comply with data protection law. This second factor poses substantial risk, because if an organisation took advantage of a new Twitter product that was found to be non-compliant, then they may well have to answer for their use of it.
But for now there are many who say this is not necessarily the time to curtail organisational Twitter usage, and nor is it the time to decamp to a platform like Mastodon which, while worthy in its aims, is broadly untested in terms of corporate usage.
“I don’t think it’s time to pack it all in, no. Things change rapidly all the time, and I don’t want to see companies shoot themselves in the foot if Musk has other ideas to sell the platform on, or has something else in mind,” says Moore. “Companies and users alike should err on the side of caution where they can.”
“Don’t rush into anything,” says Elena Davidson, CEO of Liberty Communications, a London-based public relations agency. “Our advice remains to stay firm and not make drastic changes; learn more about the implications of the changes, and don’t change your plans until you are confident in the changes to the platform…Don’t abandon the platform altogether. Take time to develop your strategy based on the facts.”
In the short term, she suggests, it would be wise not to subscribe to Twitter Blue, the paid-for blue tick service, until more is known about what this process entails.
Going forward, says Davidson, it should be impressed on social media teams that there are still plenty of strategies they can deploy to ensure and even heighten trust in their organisations.
“Remember to contribute relevant content backed by third parties which reinforces your brand and credibility,” says Davidson. “Use multimedia such as video and photos to boost engagement and credibility; refer back to other Twitter handles used by your company, executives, partners and customers. This will help build your credibility further. Don’t forget to also cross link back to handles run on other social platforms such as LinkedIn.
Finally, she adds: “Make sure you tag trusted and bona fide third parties in your tweets and posts – this will help further boost your credibility.”
Kaspersky’s David Emm adds: “It is important for businesses to have a clearly defined strategy for corporate use of all social networks, particularly Twitter. This should include who in the business is allowed to have access and use of the corporate account, guidelines in how to use it, including how to respond (or not) to trolls, with an understanding of an escalation strategy to tech teams or legal should it be needed. And finally, the business should review its account security regularly to ensure that the benefits of using the platform aren’t outweighed by the negatives.”
David Higgins, senior director of CyberArk’s Field Technology Office, adds that for some organisations, an even greater degree of caution is warranted: “Those running government social media accounts have reason to exercise caution, given authentication for these is less straightforward. Usually, teams of people within an agency have access to and can post information to these accounts, with passwords commonly shared internally among different team members and changed infrequently. And that makes them a very easy target for attackers or malicious insiders for disinformation – especially given there is no record kept of who posted what, and when.
“Security measures for these accounts need to be strengthened, but in a way that doesn’t compromise the speed of critical communications. Options could include eliminating shared credentials, adopting passwordless authentication to access login details, and auditing activity on accounts to monitor for anomalies. Automating credential changes is a must too, so ‘ghost’ employees can’t abuse old credentials.”
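The controls Higgins describes, modelled as an added example that is not code from the article or from CyberArk: a broker holds the account credential so staff never share it, every post is attributed to a named individual in an audit log, offboarding rotates the credential so a ‘ghost’ employee cannot reuse it, and a review pass flags anomalies. The staff names, the 30-day rotation window and the timeline are constructed assumptions.

```python
"""Added example, not from the article: brokered posting for a shared corporate
Twitter account. Names, rotation window and timeline are constructed."""
import hashlib, secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Broker:
    # Holds the real account credential; staff authenticate as themselves.
    account_secret: str                 # placeholder, never a real token
    rotated_at: datetime
    max_age: timedelta = timedelta(days=30)
    active_staff: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)  # who posted what, and when
    def _log(self, now, who, result, **extra):
        entry = {"ts": now.isoformat(), "who": who, "result": result, **extra}
        self.audit_log.append(entry)
        return entry
    def rotate(self, now):
        self.account_secret = secrets.token_hex(16)  # old value stops working
        self.rotated_at = now
        self._log(now, "broker", "ROTATED")
    def offboard(self, staff_id, now):
        self.active_staff.discard(staff_id)
        self.rotate(now)  # a 'ghost' employee cannot reuse the old credential
    def post(self, staff_id, text, now):
        if staff_id not in self.active_staff:
            return self._log(now, staff_id, "DENIED_inactive")
        if now - self.rotated_at > self.max_age:  # automated periodic rotation
            self.rotate(now)
        digest = hashlib.sha256(text.encode()).hexdigest()[:16]
        return self._log(now, staff_id, "POSTED", text_sha256=digest)

def anomalies(log, quiet_start=22, quiet_end=6):
    """Review pass over the log: denied attempts and posts outside office hours."""
    out = []
    for e in log:
        hour = datetime.fromisoformat(e["ts"]).hour
        after_hours = hour >= quiet_start or hour < quiet_end
        if e["result"].startswith("DENIED") or (e["result"] == "POSTED" and after_hours):
            out.append(e)
    return out

def demo():
    # Constructed timeline: a post, an offboarding, a ghost attempt, a late post.
    t0 = datetime(2022, 11, 1, 9, 0)
    b = Broker("placeholder-secret", t0, active_staff={"alice", "bob"})
    b.post("alice", "Scheduled announcement", t0 + timedelta(hours=1))
    b.offboard("bob", t0 + timedelta(hours=2))
    b.post("bob", "Unauthorised message", t0 + timedelta(hours=3))
    b.post("alice", "Late-night post", t0 + timedelta(days=1, hours=14, minutes=30))
    return b
```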
Holman at EMW agrees that vigilance is of the essence: “I certainly think caution is merited, along with watching what competitors in the same space are doing and watching what Twitter itself, and the regulators, do.”
But Castlepoint’s Greaves takes a more hardline view: “With the desertion, or expulsion, of key security teams in the last fortnight, the real concern is that the counterweights balancing risk against value will no longer be heavy enough to protect the user base. These teams were actively working to quash scammers, squash bugs and monitor the threat environment. Even if the security controls all stay up, the bad actors have smelled the blood in the water and are all swarming.
“Eventually, one will get their teeth in. As controls decay, even unsophisticated bad guys may find chinks in the armour. There is a risk here to individuals, who may have sensitive information in private messages compromised. And it’s risky for corporations, whose communications on the platform may be deemed ‘records of business’. Citigroup, Morgan Stanley, Barclays, Bank of America, and JP Morgan have all been fined for allowing staff to use messaging apps – and that’s just from a records compliance angle. What will happen when those communications are breached?
“For now, corporations should follow the SEC and CFTC’s advice, and stop doing business on Twitter. Not just to avoid a fine, but to avoid the reputational damage of a major data spill,” she concludes.