Lessons from the Twitter Hack

Employees remain one of the biggest cybersecurity and data privacy problems facing organizations. No matter how expensive or comprehensive a company’s technological infrastructure, the human component is still the biggest threat. Employees inadvertently click links, unknowingly download files, plug in potentially infected USB drives, and thoughtlessly post personal information on social media platforms for hackers to collect and exploit. If the recent data breach at Twitter has shown us anything, it is that cybersecurity and data privacy are issues for every department at every level and must be addressed deliberately every day. In other words, cybersecurity and data privacy are a corporate issue from top to bottom and bottom to top, commanding attention at all organizational levels.

What happened at Twitter? 

In mid-July, Twitter faced an enormous challenge when numerous high-profile accounts, including those of former President Barack Obama, former Vice President Joe Biden, Jeff Bezos, and Elon Musk, were compromised in a very public way. It appeared that these individuals were posting scam messages from their own accounts. In reality, the hackers gained access to and control of those accounts through Twitter’s own employees. Twitter issued a statement describing the incident as “a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.” Forensic investigators later found that at least one employee’s account and credentials were hijacked, giving the intruders access to an internal dashboard from which they could target approximately 130 Twitter accounts. The lesson is twofold: the point of entry was an employee, but the scale of the damage came from how much a single employee’s credentials could reach.

Last week, a 17-year-old was charged as the alleged “mastermind” behind the hack, and the U.S. Justice Department issued a press release announcing charges against two other individuals in connection with the hack.

However, that is not the end of Twitter’s troubles stemming from this breach. Just last week, Twitter updated its quarterly filing to reflect the impact of the breach. Twitter reported that the breach could affect market perception of the effectiveness of its security measures and could cause consumers to lose confidence in Twitter, making it difficult to attract new users, especially high-profile ones.

What is the solution?

In one word – Training

Simple, right? Most organizations will say that they already have a training program. In most cases, however, that training covers general cybersecurity best practices in an effort to check the proverbial box that the company does in fact do training. If you follow our blog regularly, you know that we have discussed training in detail, both generally and in the context of privacy regulations like the 2018 California Consumer Privacy Act. In light of the increasing frequency and sophistication of successful breaches, training on how your organization actually operates is more critical now than ever.

What are the basic steps an organization can take to start? 

First, an effective training program needs a human component. The irony is not lost on us that humans are both the problem and the solution. Having employees mechanically watch training videos, however, is not effective training: with no simple accountability for what they take away from it, they are too easily distracted.

Second, training on your organization’s own practices, and on how cybersecurity and data privacy are ingrained in those practices, is critical. Generic training is like a basic bandage. It does not address how privacy and cybersecurity affect your organization specifically, nor will it ensure the long-term stability of the company’s cyber defense plan. A tailored training program, rather than an off-the-shelf version, signals the importance of cybersecurity and data privacy not only to a company’s employees but also to its customers.

Third, it is essential to operationalize that training program across the entire organization by actively engaging each department and its employees in the process. Making employees part of the ongoing solution makes them more deliberate about avoiding becoming the problem, or the initial point of entry for a hacker. Employees who have a stake in the company’s security and believe in what they are doing are the ones who solidify a company’s cyber readiness. More importantly, engaging them demonstrates a real commitment to cybersecurity and data privacy rather than a passing nod.

Learning and Evolving to Meet the New Cyber Challenges

Understandably, every organization will handle cybersecurity and data privacy differently, because each company’s organizational structure is unique. Off-the-shelf solutions are seldom effective or efficient in the long term because they cannot account for the nuances and demands of every business model. They end up costing a company more money and diverting critical resources that could have been used more prudently elsewhere.

Creating a program tailored to your organization, and training on that program, can mean the difference between having a successful cybersecurity and data privacy defense program and being, well, the next headline after Twitter.

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.