Twitter's hack just proves that no matter what cutting-edge cybersecurity tools you implement, your employees may be your weakest link.
About a month ago, on a random Wednesday, the likes of Jeff Bezos, Barack Obama, Elon Musk, Michael Bloomberg, Bill Gates, and Warren Buffett made out-of-character bitcoin solicitations for donations from their verified Twitter accounts. Within 24 hours, over 383 transactions had been processed and ~$117,000 collected by the scammers.
These verified accounts hadn't been individually hacked though. Twitter, a tech company with an over $30 billion market cap, had been!
While rumors quickly spread about what sophisticated organization or group could be behind it, the truth that unfolded in the following weeks told a simple story: a successful spear phishing attack on a Twitter employee account unlocked that employee's admin privileges on Twitter's internal management tools. One teenage mastermind, with the help of two others, made targeted phone-based spear phishing attacks on a specific group of Twitter employees until they successfully duped one into handing over their password, giving them the proverbial keys to the kingdom. With that access they took over these Twitter handles by resetting the passwords of the verified accounts without triggering a notification to the account owners. What does that teach us?
No matter how powerful you think your security protocols are or what whiz-bang technological safety nets you have in place, your employees remain your weakest link. Cybersecurity is a persistent hot-button issue with the regulators, and many cybersecurity firms are reaping the benefits with their pricey "full service" offerings. However, if you're investing heavily in some 24/7 monitoring solution without understanding, following, and training your employees on your cybersecurity policies and procedures, and on how to identify phishing scams, all those security solutions are basically a waste of money. Twitter's latest hack exposes the truth that even those with the deepest pockets to implement the best security tools in the industry are helpless in the face of weak internal controls and an employee falling for a phishing attack.
Much like your general compliance program, your cybersecurity program is about identifying your biggest risk areas and mitigating them through policy, then driving that policy home with training. Just remember, the fanciest alarm system is useless if someone leaves the back door wide open. Twitter's cautionary tale should be a reminder to implement proper policies and procedures customized to mitigate the penetration risks unique to your business, to train employees on those policies, and to prepare them for the sophisticated phishing scams they may encounter.