The acquisition of Twitter: what are the consequences for the security of our data?
On October 28, 2022, Elon Musk formalized his takeover of the Twitter platform. Since then, it’s been a few weeks full of twists and turns, from the social network laying off half its workforce to launching a new feature that allows impersonation of multiple people and brands; not to mention the accidental blocking of some users who have enabled multi-factor authentication configuration. In addition, several key employees responsible for cybersecurity, privacy and compliance have resigned.
At first glance, it’s individual users who are most affected by these shakeups, but what’s happening on Twitter demonstrates how easily a company’s brand image can change overnight. Thus, this raises a number of questions about the stability of the seller’s security measures in the event of a purchase.
Monitoring the activities of software publishers
Although the acquisition of this social network was announced in advance, most of the changes surprised all users: reversals in terms of security and privacy policy inevitably affected cyber risk. Therefore, given the dependence of security on applications, it seems important that organizations are prepared to face such a possibility post-purchase. Additionally, they must be able to quickly adjust cloud security controls as applications and services change.
When issues like this arise with a technology vendor that stores enterprise data, teams should interview that partner and develop risk management plans in the following areas: service availability, updates, and changes in partners that may introduce new obstacles. As part of the shared responsibility model, any organization should have an organizational chart that outlines the controls and responsibilities of each. The latter can also be flexible to anticipate any change in the level of risk resulting from a fundamental change in the supplier. Well-defined, documented and regularly audited processes will thus ensure that the company is not surprised when it encounters such upheavals.
Safety of current and former employees
The acquisition of Twitter reminds us that employees who store and share sensitive information are a constant risk to the organization; especially if that data flows through multiple SaaS applications, most of which are unknown and therefore managed by IT teams. While at first glance, allowing the use of a trusted SaaS application without IT staff oversight is not as risky as using an untrusted file transfer service with a poor privacy policy, data disclosure only increases the risk of an organization losing control. he Because of this, many companies limit the unapproved SaaS services that their employees can use. In addition, they implement a Zero Trust-based access policy that limits the amount and type of data transmitted to these services.
Finally, one must consider the possibility that one or more of the thousands of employees who are fired or simply disgruntled may sabotage their service by disclosing sensitive information. However, an insider threat, even from a software or cloud service provider, can affect an organization. In addition, employees are not exempt from making mistakes under the influence of stress or overwork. However, these incidents can be limited by increasing attention to working conditions.
So, as with any cyber security strategy, striking the right balance between the risks involved and the benefits to the business is critical. As teams continue to use cloud services at an increasing rate, the events surrounding the Twitter takeover can serve to educate boards about cyber risks. In addition, it will help infrastructure and security managers justify their strategies and ongoing investment needs to secure the cloud and implement Zero Trust policies.
