The news that a whistleblower accused Twitter of severe cybersecurity negligence took the internet by storm in late August of 2022. Though the story is new and unfolding, no one in the industry can deny that this is big news.
While Twitter denies the claims of cybersecurity negligence, this whistleblower’s grievances are an excellent reminder to us all that cybersecurity cannot be moved to the back burner, even when countless other priorities are competing for attention.
So whether these allegations are accurate or not, let’s go through the alleged mistakes that Twitter made and how you can avoid these mistakes within your company practices.
Here is a breakdown of what we can learn from the Twitter cybersecurity misconduct allegations.
First things first — what happened?
According to a scathing whistleblower disclosure, Twitter has significant security problems that pose a threat to users, company shareholders, national security and democracy. The 200-page disclosure lays out details on alleged mistakes made as well as Twitter’s attempts to cover up these vulnerabilities.
With specific timelines, exhibits and names, this disclosure is not being taken lightly by the cybersecurity and tech industry.
While Twitter has shared a formal comment that denounced the whistleblower and disclosure, many government officials believe that the information included in the disclosure is sufficient grounds to investigate the claims.
Who is Peiter Zatko?
Peiter “Mudge” Zatko is a well-known hacker who has been a big player in the game since participating in the first congressional hearings on cybersecurity in 1998. After a devastating hack in 2020 that compromised the Twitter accounts of famous people, including President Joe Biden, former President Barack Obama, Kim Kardashian and Elon Musk, Twitter hired ethical hacker Zatko as an exec.
Zatko was fired from his position before this disclosure came out, which Twitter said was on the grounds of poor performance. However, Zatko believes that the decision to let him go stemmed from his bringing up these grievances in internal communications.
Is the information in the disclosure accurate?
In short, it’s too early to say. There is sure to be more information to come out during a lengthy investigation, and we won’t have concrete answers for a while.
But that doesn’t mean that the information in the disclosure can’t be helpful. The mistakes and negligence laid out by Zatko in the whistleblower disclosure can act as reminders for all of us of what happens when we don’t prioritize cybersecurity processes. Many of the grievances laid out are simple fixes for most companies — so consider this list a reminder to analyze how your company protects its system from malicious attacks and damaging user error.
Here are the most damaging claims laid out in the Twitter whistleblower disclosure.
What can we learn from Twitter’s alleged cybersecurity negligence?
Make sure employees understand cybersecurity best practices
Many of the claims Zatko made concerned less-than-ideal practices being performed by employees on work devices. Since many work computers had access to valuable internal Twitter data, the lack of cybersecurity processes could be a glaring issue.
One of the simplest, most actionable and most effective cybersecurity tools is clear communication and training about security requirements at every level of the company. Making sure everyone understands and follows the protective processes you have in place will minimize weak links in your armor, as well as communicate the high priority of these protections.
When everyone has these precautions front of mind, you can limit malware, vulnerabilities, phishing scams and compromised accounts that can wreak havoc on your system.
Have a strategy in place to identify malicious employee activity
Zatko alleged that because Twitter failed to monitor employee activity on work devices, many employees were found to be intentionally installing spyware per the instruction of third-party players.
We can learn two things from this allegation: understanding how to monitor employee activity and having a streamlined plan in place for offboarding an employee when malicious activity is identified.
We all want to trust our team to the fullest extent, but the expression “hope for the best but prepare for the worst” stands true when keeping an eye on your team’s activities — especially when working with a large group of employees. You can instill mutual trust in your employees while having the tools to keep an eye on things. The key is to strike a balance between respecting employee privacy and safeguarding the internal company data. Each company may require a different strategy, and it’s your job to find the right balance for yours. Limitations on and IT notifications for third-party downloads can limit both malicious activity and innocent errors alike.
When an employee is caught engaging in malicious activity that can put the company at risk, having an immediate, streamlined offboarding process can minimize risk and take access away at a moment’s notice.
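One concrete form the “limitations on and IT notifications for third-party downloads” advice can take is an allowlist check over endpoint install events. The following is an added example, not code from the article or from MDL Technology: it runs a vetted-package allowlist against a few constructed install-event log lines and produces the notifications an IT queue would receive. The log format, package names, user names and source categories are all assumptions.

```python
"""Flag third-party software installs that are not on the approved list.

Added example (not from the original article): an allowlist check run over
constructed endpoint install-event log lines. The log format, package names,
user names and source categories are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample log lines in an assumed format:
# <timestamp> host=<host> user=<user> action=<install|uninstall> package=<name> source=<where>
SAMPLE_LOG = """\
2022-08-23T09:14:02Z host=lt-0042 user=alice action=install package=slack source=managed-catalog
2022-08-23T09:20:45Z host=lt-0042 user=alice action=install package=zoom source=managed-catalog
2022-08-23T11:02:13Z host=lt-0199 user=bob action=install package=remote-agent-pro source=direct-download
2022-08-23T11:05:50Z host=lt-0199 user=bob action=uninstall package=slack source=managed-catalog
2022-08-23T13:41:09Z host=lt-0310 user=carol action=install package=browser-helper source=email-attachment
"""

# Assumed company allowlist: packages IT has vetted and distributes itself.
APPROVED_PACKAGES = {"slack", "zoom", "vscode"}
# Assumed sources that bypass the managed catalog; installs from these are higher risk.
UNMANAGED_SOURCES = {"direct-download", "email-attachment", "usb"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) package=(?P<package>\S+) source=(?P<source>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    user: str
    package: str
    source: str
    severity: str


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(event):
    """Return an Alert for an install IT should hear about, else None."""
    if event["action"] != "install":
        return None
    if event["package"] in APPROVED_PACKAGES and event["source"] not in UNMANAGED_SOURCES:
        return None  # vetted package through the managed channel: no alert
    # Anything from an unmanaged source is high severity even if the name looks familiar;
    # an unvetted package from the managed channel is a policy gap rather than an intrusion.
    severity = "high" if event["source"] in UNMANAGED_SOURCES else "medium"
    return Alert(event["ts"], event["host"], event["user"],
                 event["package"], event["source"], severity)


def scan(log_text):
    """Run the allowlist check over every line; malformed lines are skipped, not fatal."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        alert = classify(event)
        if alert:
            alerts.append(alert)
    return alerts


def notify_it(alerts):
    """Render the messages the IT queue would receive (a stand-in for a ticketing API)."""
    return [f"[{a.severity}] {a.user}@{a.host} installed '{a.package}' "
            f"from {a.source} at {a.timestamp}" for a in alerts]


if __name__ == "__main__":
    for msg in notify_it(scan(SAMPLE_LOG)):
        print(msg)
```

The approved set and the unmanaged-source set are the two knobs a company would tune; the check stays deny-by-default, so a package nobody has vetted always produces at least a medium-severity notification.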
Leverage a tiered access strategy
Zatko lays out that thousands of employee laptops had unlimited access to Twitter’s complete source code, as well as the ability to alter it. He alleged that over 5,000 full-time employees had full, unmonitored access to Twitter’s internal software, allowing them to access and modify sensitive data.
A lot can go wrong when you offer unbridled data access to all of your employees. Disgruntled employees have much more to work with if they want to cause harm. Hackers who gain access to compromised accounts can exploit valuable information as they see fit.
When setting up access to company data, consider a tiered access strategy, so all employees only have access to the information they need to conduct their jobs. Not only does this minimize the chances of hackers gaining access to high-level accounts, but it also helps to simplify the process of identifying compromised information.
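To make the tiered-access idea concrete, here is an added example (not code from the article, Twitter or MDL Technology) of a deny-by-default access check driven by data tiers, plus an audit that lists grants exceeding what a role’s job requires. The tiers, roles, resource names and the sample grant export are constructed assumptions.

```python
"""Tiered (least-privilege) access checks with an audit for over-provisioned grants.

Added example, not the article's or any company's code. Tiers, roles,
resource names and the sample grant list are constructed assumptions.
"""
from enum import IntEnum


class Tier(IntEnum):
    PUBLIC = 0        # press material, public docs
    INTERNAL = 1      # internal wikis, non-sensitive tickets
    CONFIDENTIAL = 2  # source code, customer records
    RESTRICTED = 3    # production secrets, deploy keys, private messages


# Assumed role -> highest tier that role needs to READ to do its job.
ROLE_READ_TIER = {
    "contractor": Tier.PUBLIC,
    "support": Tier.INTERNAL,
    "engineer": Tier.CONFIDENTIAL,
    "release-manager": Tier.RESTRICTED,
}
# WRITE is scarcer: only these roles may modify data, up to the given tier.
ROLE_WRITE_TIER = {
    "engineer": Tier.CONFIDENTIAL,
    "release-manager": Tier.RESTRICTED,
}

# Assumed classification of resources.
RESOURCE_TIERS = {
    "press-kit": Tier.PUBLIC,
    "wiki/onboarding": Tier.INTERNAL,
    "repo/core": Tier.CONFIDENTIAL,
    "prod/deploy-keys": Tier.RESTRICTED,
}


def is_allowed(role, resource, write=False):
    """Deny by default: an unknown role or an unclassified resource gets no access."""
    tier = RESOURCE_TIERS.get(resource)
    if tier is None:
        return False
    ceiling = (ROLE_WRITE_TIER if write else ROLE_READ_TIER).get(role)
    return ceiling is not None and tier <= ceiling


def audit_overprovisioned(grants):
    """grants: iterable of (user, role, resource, write) as exported from an identity
    provider. Returns the grants the role's tier does not justify: revocation candidates."""
    return [g for g in grants if not is_allowed(g[1], g[2], g[3])]


def restricted_holders(grants):
    """Users holding any grant on RESTRICTED data; this list should stay short and reviewed."""
    return sorted({user for user, _, resource, _ in grants
                   if RESOURCE_TIERS.get(resource) == Tier.RESTRICTED})


# Constructed sample: direct grants as they might be exported from an IdP.
SAMPLE_GRANTS = [
    ("alice", "engineer", "repo/core", False),
    ("alice", "engineer", "repo/core", True),
    ("alice", "engineer", "prod/deploy-keys", True),   # engineer writing deploy keys
    ("bob", "support", "repo/core", False),             # support reading source code
    ("carol", "release-manager", "prod/deploy-keys", True),
    ("dave", "contractor", "press-kit", False),
    ("dave", "contractor", "legacy/dump", False),       # unclassified resource
]

if __name__ == "__main__":
    for g in audit_overprovisioned(SAMPLE_GRANTS):
        print("revoke:", g)
    print("restricted holders:", restricted_holders(SAMPLE_GRANTS))
```

Two design points carry the weight here: an unclassified resource is treated as inaccessible rather than as public, which forces data to be classified before it is shared, and write access is tracked separately from read access, so that the ability to alter source code or production secrets can be held by far fewer people than the ability to view it.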
Monitor and mitigate vulnerabilities
The disclosure states that Zatko found several vulnerabilities that would have acted as efficient backdoors for any hackers that found them.
Companies that house sensitive internal, client and third-party data have a responsibility to protect that information to the best of their ability — and having resources to catch any potential attacks is at the forefront of a cybersecurity strategy. Tools and services like patch management, network monitoring and an effective IT support team can find and stop problems and vulnerabilities before they impact your company.
Consistently update software
Zatko allegedly discovered that half of the company’s 500,000 servers run outdated software that either does not support basic security capabilities, such as encryption for stored data, or no longer receives regular security updates from its vendors.
Consistently updating all software, applications and third-party tools is one of the simplest ways your company can avoid cybersecurity vulnerabilities and bugs. There are even ways to automate this process, so you don’t need to think about it but still get all of the benefits of leveraging the most current applications and software connected to your network.
Practice proper data storage
A specific example mentioned in the disclosure goes over grievances that Twitter does not reliably delete users’ data — including direct messages — after they cancel their accounts. It also alleges that the company had lost track of the information in some cases.
Having a specific process in place for storing, archiving and managing data is crucial to keeping information protected, organized and prioritized. Secure cloud storage is a great way to keep data protected, but the story doesn’t end there. A universally understood organizational strategy, from a strict naming hierarchy to consistent storage cleanup, can reduce confusion and keep data storage easily navigable.
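The two failure modes the disclosure describes, data not reliably deleted after cancellation and data the company lost track of, both come down to the same control: a registry of every store that can hold user data, a purge that walks all of them, and an audit that proves nothing is left. The following is an added example, not code from the article or from Twitter, using in-memory stores; the store names, record shapes, the 30-day grace period and the policy of deleting direct messages in both directions are constructed assumptions.

```python
"""Delete a cancelled account's data everywhere it lives, then prove it is gone.

Added example, not from the article. The stores, record shapes, grace period
and both-directions DM deletion policy are constructed assumptions; a real
deployment would run the same steps against its databases and caches.
"""
from datetime import datetime, timedelta, timezone

GRACE_PERIOD = timedelta(days=30)  # assumed reactivation window after cancellation

# Constructed in-memory stores. Every store that can hold user data must be
# registered here; an unregistered store is exactly the data you lose track of.
STORES = {
    "profiles": {},   # user_id -> profile dict
    "dms": [],        # message dicts with sender/recipient
    "sessions": {},   # session token -> user_id
    "exports": {},    # export_id -> {"user_id": ..., "path": ...}
}


def seed():
    """Load constructed sample data."""
    STORES["profiles"].update({"u1": {"handle": "alice", "cancelled_at": None},
                               "u2": {"handle": "bob", "cancelled_at": None}})
    STORES["dms"].extend([
        {"id": 1, "sender": "u1", "recipient": "u2", "text": "hi"},
        {"id": 2, "sender": "u2", "recipient": "u1", "text": "hello"},
        {"id": 3, "sender": "u2", "recipient": "u3", "text": "unrelated"},
    ])
    STORES["sessions"].update({"tokA": "u1", "tokB": "u2"})
    STORES["exports"]["e1"] = {"user_id": "u1", "path": "/exports/u1.zip"}


def cancel_account(user_id, now):
    """Record the cancellation and revoke sessions immediately; data waits for the grace period."""
    STORES["profiles"][user_id]["cancelled_at"] = now
    for tok in [t for t, u in STORES["sessions"].items() if u == user_id]:
        del STORES["sessions"][tok]


def purge_user(user_id):
    """Hard-delete the user from every registered store."""
    STORES["profiles"].pop(user_id, None)
    # Assumed policy: a DM to or from the deleted user is that user's data, so both go.
    STORES["dms"][:] = [m for m in STORES["dms"]
                        if user_id not in (m["sender"], m["recipient"])]
    for tok in [t for t, u in STORES["sessions"].items() if u == user_id]:
        del STORES["sessions"][tok]
    for eid in [e for e, x in STORES["exports"].items() if x["user_id"] == user_id]:
        del STORES["exports"][eid]


def purge_due_accounts(now):
    """Scheduled job: purge every account whose grace period has expired. Returns purged ids."""
    due = [uid for uid, p in STORES["profiles"].items()
           if p["cancelled_at"] is not None and now - p["cancelled_at"] >= GRACE_PERIOD]
    for uid in due:
        purge_user(uid)
    return due


def residual_references(user_id):
    """Audit: list every store entry that still mentions the user. Empty means clean."""
    hits = []
    if user_id in STORES["profiles"]:
        hits.append("profiles")
    hits += [f"dms:{m['id']}" for m in STORES["dms"]
             if user_id in (m["sender"], m["recipient"])]
    hits += [f"sessions:{t}" for t, u in STORES["sessions"].items() if u == user_id]
    hits += [f"exports:{e}" for e, x in STORES["exports"].items() if x["user_id"] == user_id]
    return hits


if __name__ == "__main__":
    seed()
    t0 = datetime(2022, 8, 1, tzinfo=timezone.utc)
    cancel_account("u1", t0)
    print("before purge:", residual_references("u1"))
    print("purged:", purge_due_accounts(t0 + GRACE_PERIOD))
    print("after purge:", residual_references("u1"))
```

The audit function is the part worth keeping even if the rest is replaced by real database calls: running it for a sample of purged accounts on a schedule is how you find out that a new store was added without being registered, before a whistleblower does.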
Want to avoid these mistakes? Rely on the professionals.
A long list of security measures and responsibilities can help protect your data, and it can be overwhelming to take it all on internally. MDL can assist in boosting your cybersecurity strategy, so you can rest easy knowing your sensitive info is in good hands.
Many assume that outsourcing their technology needs comes with a hefty price tag. However, with affordable solutions for businesses of all sizes and industries, MDL Technology is there for your IT needs every step of the way. Contact us today to learn more.