This type of approach to Twitter and other Web 2.0 tools allows companies to safely harness the speed and flexibility these services provide. There's no doubt many people find them to be a productive form of communication. I think an essential step when embracing Twitter and other new technologies is to make everyone aware of their potential risks and the purpose of an acceptable usage policy. Not everyone in an organization will need access to Twitter, and firewall rules should control who has access and at what times. People are far less likely to try to circumvent such restrictions if they understand the logic behind them. Due to the increasing use of social engineering-based attacks against Twitter users, it's important to regularly remind staff of the social networking dangers. Those in charge of communicating policy should highlight the types of content or requests that must be treated as suspicious. Twitter's relaxed style shouldn't mean relaxed security.
Enterprises that don't work to control Twitter in the workplace and give employees unfettered access are certainly putting their systems and data at risk. Because Twitter's creators have focused on making the service easy to use, they have gone a bit too easy on security, in my opinion. As I'm sure you're aware, there have been numerous successful hacks on Twitter and its users, not to mention the recent denial-of-service attacks on Twitter. Although Twitter Inc. reacts quickly to any breaches it discovers, there is the additional risk from the many services built on the Twitter API that uses Twitter passwords for authentication. Even if Twitter was to improve its authentication, phishing scams would still be possible.
I think phishing will always be a big problem for micro-blogging sites like Twitter, as there has to be a certain level of trust involved when people are sharing links, particularly shortened links that lead users to unknown destinations. TinyURL is the most common link-shortener URL you'll see on Twitter, as well as one of the easiest ways for a malicious user to expose users to attacks, ranging from phishing scams to malware installs. (At least the Bit.ly URL-shortening service provides a Firefox plug-in that allows a user to see where short URLs link to, including site page titles.)
Unless an organization has the infrastructure and resources to enforce safe and sensible usage of Twitter, I think the site opens too many attack vectors against your employees to warrant its use. At the end of the day, do your employees really need Twitter to be able to perform their jobs?
This was first published in August 2009