AP's Twitter hoax a wake-up call for all

The brief hijack of Associated Press' Twitter account managed to take Wall Street for a $200 billion ride, but the incident does more than just highlight the deficiencies in Twitter's security protocols.

Forrester Research

Let’s put it this way: social media and security don’t work together very well today. Marketing professionals who see social media as a vital communication channel view security as a nuisance, whereas security pros view services like Facebook and Twitter as trivial pastimes that expose the business to enormous risk.

The problem is, when it comes to social media, these two facets of the organisation need to come to terms with each other – and this was clearly on display earlier this week when the Dow Jones briefly plummeted over 100 points due to false tweets from AP’s hacked Twitter accounts that indicated President Obama had been injured by explosions at the White House.

This recent breach signifies two things:

  • The potentially damaging impact of social media is real and growing.
  • Companies today aren’t doing enough to mitigate the risks.

As social media becomes a legitimate source of news and information, the implications of inaccurate or inappropriate behaviour continue to grow. Damaging or disparaging comments on Twitter (whether intended or not) can have a real impact on your business and the way customers view your company and brand.

Companies need to do more to protect their organisation from social media risk because Twitter account hacks are now “business as usual” for the social network. It seems every week there is news of another Twitter account hack (see CBS 60 Minutes, Burger King, Jeep, not to mention Twitter’s own breach).

Clearly, Twitter needs to do more to enhance its own security protocols – two-factor authentication is sorely missing from the social network’s arsenal – but Twitter can’t take all the blame. Companies need to accept the existing limitations of the social network and reinforce their social media efforts with better security practices of their own.

There are relatively easy ways to reduce the risk. The frequent Twitter account breaches also signify a larger trend of poor security behaviour when it comes to social media. Easily discoverable passwords, shared accounts, minimal governance, and no security oversight are common reasons why recent social media hacks were successful.

An effective spearphishing campaign opened the gates to the Associated Press Twitter account. These are relatively easy issues to fix, especially when you consider some of the much more complex security threats that exist today. They’re not completely solvable, but basic security protocols, such as using strong passwords, restricting access rights, and better awareness training would vastly improve your security posture.

Security and risk pros avoid the conversation today. Too often, S&R pros still seek reasons to block social media altogether at the company and do not try to join the social media strategy discussion. As much as they would like to do this, completely blocking social media isn’t practical or effective. Moreover, current security awareness efforts that can promote and educate the company on effective security behaviour are insufficient and often seen by the security team as unimportant.

In fact, according to our Forrsights Security Survey, security awareness initiatives fall towards the bottom of a long list of security priorities (10th on a list of 15 possible initiatives).

The AP hack isn’t just about Twitter; it’s about your own security and protecting your own company’s brand and reputation. The only way this can happen is if security and risk management become regular parts of the social media conversation, and conversely, when security and risk management start to value social media as an important business tool with real benefits and real consequences.

Nick Hayes is a Forrester researcher serving Security & Risk Professionals. His research is dedicated to the organisational and strategic elements of building a successful governance, risk management, and compliance (GRC) program, including a focus on culture, communications, and other human aspects of GRC. This article was originally published on the Forrester Blog Network. Republished with permission.