Twitter acquisition: what are the consequences for the security of our data?

On October 28, 2022, Elon Musk formally completed his acquisition of the Twitter platform. Since then, the social network has had a few weeks full of twists and turns, from laying off half of its workforce to launching a new feature that allowed accounts to impersonate multiple people and brands; not to mention accidentally locking out some users who had enabled multi-factor authentication. Additionally, several key employees responsible for cybersecurity, privacy and compliance resigned.

At first glance, individual users seem to be the most affected by these disturbances, but what is happening at Twitter also shows how quickly a company's brand image can change overnight. This raises questions about the robustness of a vendor's security arrangements in the event of a takeover.

Monitoring the activities of software publishers

Although the acquisition of this social network was announced in advance, most of the changes surprised users: reversals in security and privacy policies inevitably affect cyber risk. Organizations should therefore be prepared to deal with such an event following an acquisition, taking into account how much their own security depends on the applications involved. When those applications and services change, they also need to adjust their cloud security controls quickly.

When issues like these arise with a technology vendor that holds enterprise data, teams should question that partner and develop risk management plans in the following areas: service availability, updates, and changes in points of contact, any of which can create new obstacles. As part of the shared responsibility model, every organization should maintain an organizational chart that lists each party's controls and responsibilities. That chart should also be flexible enough to anticipate a change in the level of risk resulting from a major change at a supplier. Well-defined, documented and regularly verified processes will allow the company to avoid surprises when faced with this kind of chaos.

The safety of current and former employees

The acquisition of Twitter reminds us that employees who store and exchange sensitive data represent a permanent risk for the organization, especially if this information flows across multiple SaaS applications, most of which are unknown to, and therefore not managed by, IT teams. Although, at first glance, using a trusted SaaS application without IT supervision is not as risky as using an untrusted file transfer service with a poor privacy policy, any spread of data increases the risk that the organization loses control of it. That is why many companies limit the unapproved SaaS services their employees can use, and implement a Zero Trust access policy that limits the amount and type of data sent to such services.

Finally, it is necessary to keep in mind that one or more of the thousands of dismissed, or simply disaffected, employees may sabotage the service by revealing sensitive data. Moreover, an insider threat, even one located at an application or cloud service provider, can affect the organization. Employees are also not immune to making mistakes under stress or overwork. These risks can be reduced by paying closer attention to working conditions.

So, as with any cybersecurity strategy, striking the right balance between the risks involved and the business benefits is essential. As teams consume cloud services at an ever-increasing rate, the events surrounding the Twitter takeover can serve to educate boards about cyber risk. They also help infrastructure and security managers justify their strategies and the ongoing investment needed to secure the cloud and deploy Zero Trust policies.
