Twitter’s Whistleblower Allegations Are a Cautionary Tale for All Businesses

Today, the mere threat of a breach can crush your business. The Twitter whistleblower saga shows that, after years of indifference, customers are sensitive to even rumors of data breaches. A few years ago, PR teams could paper over a small breach and customers would accept it. A decade ago, massive data breaches made headlines, but customers stayed with the vendor because they believed lightning couldn’t strike twice.

Times have changed, so how can you protect yourself, and even turn privacy and security into an advantage? The companies that win will take small steps, be transparent and choose the right partners.

Ex-Twitter Exec Blows the Whistle

The Twitter whistleblower story will change how the news industry reports on security and privacy going forward. Just as ransomware went mainstream with the Colonial Pipeline attack, security and privacy stories will become mainstream news. Even if your business isn’t as high-profile as Twitter, the floodgates are open.

Twitter’s history also shows that you don’t have to be breached to make the news. Former Twitter security chief Peiter Zatko (aka Mudge) made headlines with his concerns about Twitter’s security and privacy policies and how they were carried out. While there have been well-known Twitter hacks, Zatko’s most forceful criticism concerns the state of Twitter’s security. In his nearly 200-page report to federal regulators and the Justice Department, the most serious allegations are that Twitter gave ordinary employees access to key controls and sensitive information without adequate oversight.

It doesn’t matter if the accusations are true

If a reporter asked, “Who has access to your data?”, could you answer? Would you want to? You will be judged in the court of public opinion before you can defend your security posture. I have no inside information on the Twitter case, but it doesn’t matter whether the allegations turn out to describe gross violations of standard security practice. A large contingent will already assume they are true.

After so many high-profile breaches (Target, Adobe, Yahoo and more), companies are considered guilty until proven innocent. Unfortunately, it is almost impossible to prove innocence, since you cannot prove the absence of a breach. And even if you could, by the time you had, the news machine would already have moved on. You cannot react quickly enough to counter the rumors.

Why are customers so sensitive to privacy?

Everyone knows that companies collect huge amounts of personal data. Clicking the GDPR-inspired consent buttons may be a reflex, but we understand that we are always being tracked. Customers accept that their suppliers store their personal data, but they expect those companies to protect it.

Unfortunately, cybercriminals target personal customer information. Identity theft, spam, phishing, ransomware and other attacks are not just theoretical. Everyone knows someone who has been affected.

With more data and more threats, every customer is exposed to breaches. Corporate data breaches lead to fines, damaged reputations and loss of customer trust. Businesses are desperate to secure their data because it can be the difference between survival and failure.

How to protect yourself: Transparency

The only way to survive is to be transparent about your data handling. Most organizations hesitate to talk about security and privacy because they know there is a gap between what they are doing and what they should be doing, but everyone is in the same position. Therefore, whoever steps into the light will immediately take the lead.

When you make yourself publicly accountable, you should:

  1. Make a concrete, achievable plan. Focus on the most business-critical data and risk areas. Create a short- and long-term plan so that your internal team and external customers buy in.
  2. Create regular public reviews. Most organizations review their security and privacy posture with executives and the board of directors. Run the same review with the entire company so employees can participate and see that you care about the mission.
  3. Get certified. External auditors and certifications show that you are willing to hold yourself to a high standard and that you are not hiding anything. Nobody likes being audited, but it keeps you honest.

Remember, you’re never done

Threats and expectations continue to evolve, so you must keep upgrading your security plan. Since most companies won’t give you an unlimited budget, you’ll need to plan how to do more with less.

  1. Offload work: You don’t have to do all the work on your own. The days of “Do It Yourself” security are over. If you can get a service to cover the basics, you can focus your team on business-specific security and privacy initiatives.
  2. Use savings to fund initiatives: Most teams try to save by pushing suppliers for better discounts, by putting off asset updates or by overworking their staff. Smart teams look for holistic savings. For example, demonstrable advances in security and privacy should reduce cyber insurance premiums.
  3. Save less data: Most companies want to save all their data, messages and emails forever. Not only is this approach expensive, but it also creates almost unlimited legal and privacy risks. You need to help your business teams understand the value of reducing retention periods.

Start today

The best way to start protecting your company’s reputation is with a single task. Choose one data set, such as a business-critical application, your CRM system or your backups. Find out who has access to it. Make a plan to make it safer. Then share that plan with your colleagues and hold yourself accountable.
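The “find out who has access” step is the one mechanical part of this task, and it is the point Zatko’s allegations turn on: too many people with access to too much. The following is an added example, not code from the original article or from Twitter, of a small access review in Python over a constructed grant list. The principals, groups, dataset names and the limit of three writers are made up for illustration. It expands nested groups, flags wildcard grants, and lists who can write to a chosen data set.

```python
from collections import defaultdict

# Constructed sample data (not from any real system): each grant is
# (principal, resource, permission). Principals prefixed "group:" are
# expanded through GROUPS; a resource of "*" means "every resource".
GRANTS = [
    ("user:alice", "crm", "admin"),
    ("group:support", "crm", "read"),
    ("group:eng-all", "*", "write"),        # broad grant every engineer inherits
    ("user:bob", "backups", "read"),
    ("svc:nightly-backup", "backups", "write"),
]

GROUPS = {
    "group:support": ["user:carol", "user:dave"],
    "group:eng-all": ["user:erin", "user:frank", "group:support"],  # nested group
}

WRITE_LIKE = {"write", "admin"}   # permissions that can change or destroy data


def expand(principal, groups, seen=None):
    """Return the concrete (non-group) principals behind `principal`,
    following nested groups and tolerating membership cycles."""
    if seen is None:
        seen = set()
    if not principal.startswith("group:"):
        return {principal}
    if principal in seen:          # cycle guard: a group already being expanded
        return set()
    seen.add(principal)
    members = set()
    for member in groups.get(principal, []):
        members |= expand(member, groups, seen)
    return members


def who_has_access(dataset, grants=GRANTS, groups=GROUPS, max_writers=3):
    """Answer "who has access to `dataset`?" and list review findings.

    Returns a dict with:
      access   - concrete principal -> set of permissions on the dataset
      writers  - sorted principals holding a write-like permission
      findings - human-readable issues a reviewer should act on
    """
    access = defaultdict(set)
    findings = []
    for principal, resource, perm in grants:
        if resource not in (dataset, "*"):
            continue
        members = expand(principal, groups)
        if resource == "*":
            findings.append(
                f"wildcard grant: {principal} holds '{perm}' on every resource "
                f"({len(members)} people reach {dataset} through it)")
        for member in members:
            access[member].add(perm)
    writers = sorted(p for p, perms in access.items() if perms & WRITE_LIKE)
    if len(writers) > max_writers:
        findings.append(
            f"{len(writers)} principals can write to {dataset} (limit {max_writers}): "
            + ", ".join(writers))
    return {"access": dict(access), "writers": writers, "findings": findings}


if __name__ == "__main__":
    for ds in ("crm", "backups"):
        report = who_has_access(ds)
        print(f"== {ds}: {len(report['access'])} principals, "
              f"{len(report['writers'])} can write")
        for line in report["findings"]:
            print("  !", line)
```

Run as-is to see that the single wildcard grant to an engineering group gives every engineer, and the nested support group, write access to both the CRM and the backups. Replacing the constructed lists with an export from your own IAM, database or SaaS admin console gives you a defensible answer to the reporter’s question, and the findings list is the first draft of the plan.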

Twitter’s security issues are all over the news. When even a rumor can destroy your business, this is no time to wait for consultants and focus groups. Now is the time to make your part of the world a little bit better, every day. Shine a light on how you protect your data and your customers will trust you.
