Manage Learn to apply best practices and optimize your operations.

Should enterprises be concerned with Twitter in the workplace?

Expert Michael Cobb explains how concerned you should be with Twitter use inside the company.

From a security perspective, how concerned should enterprises be with the use of Twitter in the workplace?
I've come across some organizations that make great use of Twitter, the popular micro-blogging social network. The companies have agreed on an acceptable usage policy with their employees, and that policy is strictly enforced. Employees have no doubt as to what they can and can't say and do when using Twitter. Web-monitoring tools, such as the Web Security Gateway from Websense Inc., ensure policy breaches are detectable so that disciplinary steps can be taken.

This type of approach to Twitter and other Web 2.0 tools allows companies to safely harness the speed and flexibility these services provide. There's no doubt many people find them to be a productive form of communication. I think an essential step when embracing Twitter and other new technologies is to make everyone aware of their potential risks and the purpose of an acceptable usage policy. Not everyone in an organization will need access to Twitter, and firewall rules should control who has access and at what times. People are far less likely to try to circumvent such restrictions if they understand the logic behind them. Due to the increasing use of social engineering-based attacks against Twitter users, it's important to regularly remind staff of the social networking dangers. Those in charge of communicating policy should highlight the types of content or requests that must be treated as suspicious. Twitter's relaxed style shouldn't mean relaxed security.

Enterprises that don't work to control Twitter in the workplace and give employees unfettered access are certainly putting their systems and data at risk. Because Twitter's creators have focused on making the service easy to use, they have gone a bit too easy on security, in my opinion. As I'm sure you're aware, there have been numerous successful hacks on Twitter and its users, not to mention the recent denial-of-service attacks on Twitter. Although Twitter Inc. reacts quickly to any breaches it discovers, there is the additional risk from the many services built on the Twitter API that uses Twitter passwords for authentication. Even if Twitter was to improve its authentication, phishing scams would still be possible.

I think phishing will always be a big problem for micro-blogging sites like Twitter, as there has to be a certain level of trust involved when people are sharing links, particularly shortened links that lead users to unknown destinations. TinyURL is the most common link-shortener URL you'll see on Twitter, as well as one of the easiest ways for a malicious user to expose users to attacks, ranging from phishing scams to malware installs. (At least the Bit.ly URL-shortening service provides a Firefox plug-in that allows a user to see where short URLs link to, including site page titles.)

Unless an organization has the infrastructure and resources to enforce safe and sensible usage of Twitter, I think the site opens too many attack vectors against your employees to warrant its use. At the end of the day, do your employees really need Twitter to be able to perform their jobs?

This was last published in August 2009

Dig Deeper on Web application and API security best practices

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.