The arrival of Elon Musk at Twitter headquarters on 26 October 2022, bearing a no-doubt hastily acquired basin to deploy in the service of what can only be described as a dad joke, has prompted seismic changes in the world of social media.
Twitter, one of the longest-established social platforms, has been a touchstone of online engagement for millions of people and organisations for over a decade, but it suddenly faces a very different future – and some of the biggest changes are in the cyber security field.
Musk has long cultivated a reputation for impulsive statements and spur-of-the-moment decisions that have often landed him in hot water – fans would say he typifies fellow social media baron Mark Zuckerberg’s old motto “move fast and break things” – and, to date, he has brought this attitude to bear on Twitter, dismissing employees left, right and centre, and making sweeping changes before just as abruptly rolling them back.
Among some of the more high-profile incidents to befall Twitter in the past fortnight have been the sudden departures of its chief information security officer (CISO), chief privacy officer and data protection officer, and compliance officer; changes to its blue tick verification system that have resulted in a wave of impersonation of high-profile accounts; and, earlier this week, changes to the microservices used at Twitter – supposedly at Musk’s personal behest – that seem to have caused glitches in the platform’s SMS multifactor authentication processes.
At the time of writing, there has been no major cyber incident or data breach affecting users of the platform. However there is a growing perception that Musk’s abrupt termination of thousands of Twitter employees is causing the platform to fray at the edges as various small technical issues start to mount up.
An ICO spokesperson tells Computer Weekly: “Compliance with UK data protection law should be a high priority for all companies, no matter their size or stature. We will continue to monitor the situation with Twitter as it evolves, and encourage anyone with concerns to report them to us.”
So, in light of the ongoing issues at Twitter, it feels like the right time to consider whether or not the platform remains a safe place for business users, and what organisations can do to protect themselves should the scale of the potential risk increase. In short, should you be clamping down on Twitter?
Trust? Gone
“Much has been said about the psychological safety of using Twitter, both before the current collapse of the moderation and ethics controls as well as after,” says Rachael Greaves, CEO and founder of Castlepoint Systems, an Australia-based provider of information governance and risk management services.
“The culture of the company has always leaned precariously over the chasm of risk while straining to reach the high fruits of market saturation and monetisation, with a culture that has seemed to become more tolerant of potential and actual harm to its users over time.”
Certainly, the trust that users hold in Twitter has been badly damaged, and while it may not yet be irreparable, trust once broken can take years to fix and will be less resilient in future.
“I think trust seems to be diminishing quite rapidly,” says Jake Moore, global cyber security advisor at ESET. “Trust has been so heavily featured at Twitter’s core over the last decade.
That blue tick is very difficult to get….You can’t offer a blue tick like that to everyone. It waters down what verification means Jake Moore, ESET
“People use it to corroborate information, to get news out rapidly, and it has built up a level of trust that many people have confidence in. It seems like a huge change that this trust – which you don’t build overnight – has diminished so rapidly.”
Moore highlights the issues with blue tick verification – turning it from a signal that a user is a trusted voice in their field to an $8 subscription service for anybody who cares to spend the money – as a key factor in the erosion of user trust, and says it has put both brand integrity and reputation at risk.
“That blue tick is very difficult to get. I know of journalists who are extremely high-profile who, until two weeks ago, were still struggling to get it. That in itself gave a certain kudos that Twitter only gave the extra form of verification to those who could verify to the highest degree.
“You can’t offer a blue tick like that to everyone,” he says. “It waters down what verification means. And this grey ‘official’ button? So what was the point? You could even start to question if you can trust accounts you know are official, because we don’t know what their security is like, or what their policies are.”
Defense.com’s Oliver Pinson-Roxburgh agrees the blue tick debacle has been a game-changer in terms of trustworthiness, and is opening the door to other sources of cyber risk to users.
“Rather than being traditionally ‘hacked’ via the platform, the biggest issue comes from adversarial information-based attacks, especially impersonation. When all users gained the ability to acquire a blue tick, a core idea at the heart of Twitter changed…It’s open season for personal and professional spoofing and impersonation attacks. Indeed, one notable change will be that the jump in fake accounts will also increase the likelihood, and bring greater believability to, other informational attacks such as phishing.
“Firms are playing catch-up with this new reality on Twitter. Only recently, someone registered a similar username to pharmaceutical giant Eli Lilly, paid $8 for a blue tick and quickly wiped billions off their share price with a single tweet. There was very little Eli Lilly could’ve done to defend against this attack,” he says.
A legal perspective
Speaking to Computer Weekly on condition of anonymity, one legal expert with a specialism in technology and data protection says they agree with the general sentiment that chaos reigns in the Musk era, but points out that, in reality, we know very little about what is actually going on.
Nevertheless, from a legal perspective it is very clear that Twitter absolutely needs to have key security and compliance leaders in place – it has appointed insider Renato Monteiro as acting DPO, though it is unclear what “acting” means in this context.
Even so, there are increasing legal concerns about Twitter’s data protection compliance and whether it meets the standards of the European Union (EU) and UK General Data Protection Regulation (GDPR).
“Organisations ought to be concerned about Twitter’s data protection compliance, and whether it still takes it seriously in a world where Elon Musk is in charge, but that’s a view based on mood music; we’ve seen no evidence of breaches that have arisen,” the legal expert says.
Nor, they add, is there any evidence that processes within Twitter are slipping in terms of their compliance, simply because too little time has passed since the service was acquired.
“All the indicators are there that bad things are coming, but what they are is anybody’s guess,” they say. “An indicative factor is the sudden departure of data governance and compliance officers. That is a concern. Questions should be posed as to why they left.”
“I wouldn’t be surprised if Twitter found itself an increasing target for nefarious hackers and the equivalent, or people with anti-Musk or anti-US agendas, [or] even disgruntled internal people with a grudge, all of which potentially creates risk exposure for businesses.”
In terms of GDPR compliance, the situation remains highly fluid. During the course of researching this article, suggestions have arisen that Twitter either has fallen or will fall out of compliance with the GDPR’s One-Stop-Shop (OSS) mechanism. This is a clause that allows organisations to engage exclusively with a single lead EU regulator, as opposed to 27 different bodies. In Twitter’s case, its OSS is Ireland’s Data Protection Commission (DPC).
“The issue is if the DPC says we can’t be your One-Stop Shop, Twitter would suddenly be exposed to 27 Member States’ enforcement – and potentially separate enforcement from the ICO – so essentially 28 investigations, which from a legal perspective is an absolute nightmare. It is in Twitter’s interests to keep the DPC happy,” they say.
So, should you quit Twitter?
This is the question many business and security leaders will be puzzling over. Do you pull your organisation’s Twitter presence and risk missing out on the benefits of an active social media presence? Or perhaps a more guarded approach to Twitter usage is in order?
There are many who say this is not necessarily the time to curtail organisational Twitter usage, and nor is it the time to decamp to a platform like Mastodon which, while worthy in its aims, is broadly untested in terms of corporate usage.
“I don’t think it’s time to pack it all in, no. Things change rapidly all the time, and I don’t want to see companies shoot themselves in the foot if Musk has other ideas to sell the platform on, or has something else in mind,” says Moore. “Companies and users alike should err on the side of caution where they can.”
“Don’t rush into anything,” says Elena Davidson, CEO of Liberty Communications, a London-based public relations agency. “Our advice remains to stay firm and not make drastic changes; learn more about the implications of the changes, and don’t change your plans until you are confident in the changes to the platform…Don’t abandon the platform altogether. Take time to develop your strategy based on the facts.”
In the short term, she suggests, it would be wise not to subscribe to Twitter Blue, the paid-for blue tick service, until more is known about what this process entails.
Going forward, says Davidson, it should be impressed on social media teams that there are still plenty of strategies they can deploy to ensure and even heighten trust in their organisations.
“Remember to contribute relevant content backed by third parties which reinforces your brand and credibility,” says Davidson. “Use multimedia such as video and photos to boost engagement and credibility; refer back to other Twitter handles used by your company, executives, partners and customers. This will help build your credibility further. Don’t forget to also cross link back to handles run on other social platforms such as LinkedIn.
Finally, she adds: “Make sure you tag trusted and bona fide third parties in your tweets and posts – this will help further boost your credibility.”
Kaspersky’s David Emm adds: “It is important for businesses to have a clearly defined strategy for corporate use of all social networks, particularly Twitter. This should include who in the business is allowed to have access and use of the corporate account, guidelines in how to use it, including how to respond (or not) to trolls, with an understanding of an escalation strategy to tech teams or legal should it be needed. And finally, the business should review its account security regularly to ensure that the benefits of using the platform aren’t outweighed by the negatives.”
David Higgins, senior director of CyberArk’s Field Technology Office, adds that for some organisations, an even greater degree of caution is warranted: “Those running government social media accounts have reason to exercise caution, given authentication for these is less straightforward. Usually, teams of people within an agency have access to and can post information to these accounts, with passwords commonly shared internally among team different team members and changed infrequently. And that makes them a very easy target for attackers or malicious insiders for disinformation – especially given there is no record kept of who posted what, and when.
Even if the security controls all stay up, the bad actors have smelled the blood in the water and are all swarming Rachael Greaves, Castlepoint Systems
“Security measures for these accounts need to be strengthened, but in a way that doesn’t compromise the speed of critical communications. Options could include eliminating shared credentials, adopting passwordless authentication to access login details, and auditing activity on accounts to monitor for anomalies. Automating credential changes is a must too, so ghost employees can’t abuse old credentials to conduct nefarious activities.”
The legal expert agrees that vigilance is of the essence: “I certainly think caution is merited, along with watching what competitors in the same space are doing and watching what Twitter itself, and the regulators, do.
“The obvious red flags, from the position of a lawyer advising clients in the data protection world, are historic breaches or reports of breaches, typically hacks, potentially leaks [and] potentially the development of products that fly close to the wind in terms of audience segmentation, listing, etcetera.”
For example, they say, if a client came to them and said their marketing team wanted to take advantage of a new product or service that Twitter had developed in the past few days that would let it get the right message in front of the right audience, their first question would be “what have you done to ensure it is compliant?”. If a hypothetical future service was investigated and found to be non-compliant with data protection law, that client would be on the hook for its use of it, and might have to answer to the responsible regulator.
But Castlepoint’s Greaves takes a more hardline view: “With the desertion, or expulsion, of key security teams in the last fortnight, the real concern is that the counterweights balancing risk against value will no longer be heavy enough to protect the user base. These teams were actively working to quash scammers, squash bugs and monitor the threat environment. Even if the security controls all stay up, the bad actors have smelled the blood in the water and are all swarming.
“Eventually, one will get their teeth in. As controls decay, even unsophisticated bad guys may find chinks in the armour. There is a risk here to individuals, who may have sensitive information in private messages compromised. And it’s risky for corporations, whose communications on the platform may be deemed ‘records of business’. Citigroup, Morgan Stanley, Barclays, Bank of America, and JP Morgan have all been fined for allowing staff to use messaging apps – and that’s just from a records compliance angle. What will happen when those communications are breached?
“For now, corporations should follow the SEC and CFTS’s advice, and stop doing business on Twitter. Not just to avoid a fine, but to avoid the reputational damage of a major data spill,” she concludes.
