Written by Jake Plenderleith on Monday July 20, 2020
The cyberattack directed at Twitter last week was the online equivalent of an explosive device being detonated.
Around 130 high-profile accounts were hacked last Wednesday in an attempt to solicit bitcoin. Barrack Obama, Bill Gates, Apple and Uber were among those targeted in an attack that lasted just thirty minutes. Access is thought to have been achieved internally through Twitter’s administrative panel, perhaps with the assistance of an employee.
As legions online unpack the details of this brief but effective attempt, there are some crucial and unforgettable lessons for compliance professionals that must be digested and understood.
The first is to recognise the hackers’ remarkable success. The attack worked. Around $120,000 worth of bitcoin was fraudulently obtained. This is actually a relatively meagre amount, considering the cumulative number of followers for each account easily surpasses 100 million people. The consensus is that this cyberattack could have been a lot worse.
What this demonstrates is that an attack needn’t last very long, nor be swallowed by very many people, for it to be damaging. Apple is one of the world’s richest firms. A smaller attack on any other company could be life threatening. This is an excellent point to underline when stressing the fundamental importance of cybersecurity in your firm.
The second consideration to bear in mind is the celebrity and renown of those targeted. It is particularly embarrassing for Twitter that the accounts belonged to the world’s most recognisable brands, firms and faces. The implications are disturbing – had Donald Trump been targeted – and it seems that he wasn’t – then the direct messages of a sitting US President would have been exposed, with unpredictable results.
For firms, this is a reminder that no one is exempt. Indeed, it is troubling to recognise that the planet’s most successful companies and richest people are vulnerable online – and even more alarming that it happened at a tech-savvy company like Twitter.
This doesn’t mean that we should be fatalistic (‘If Apple can’t protect themselves, then how can we be expected to?’). What it means is that we must be constantly aware of the threat, and be vocal in expressing the constant need for re-evaluating cybersecurity.
This ties in to the third point, which is that such attacks have a real cost. Twitter’s share price actually dropped in the wake of the hack. For organisations that do not have Twitter’s clout (i.e. around 99% of firms) this is sobering. Again, this is not a reason to despair, but should be a touchpoint to those reinforcing the cybersecurity message.
The fourth point to take on board is the threat of social engineering. This appears to be the means by which the hackers gained access. Social engineering might justly be described as the Achilles heel of any cyber defence. As we are all human, it is likely to be a perpetual problem. The best means of avoiding it are by a. imposing further obstacles that make access via someone’s details less effective and b. constantly (but engagingly) reminding employees of the danger.
There’s very little that we can predict with any confidence, but we can be sure that there will be more attacks like this to come. Far from meekly accepting them as an unwelcome inevitability, a number of things can be done to combat it.
The first, and most straightforward, is: spread the word.
Cases like that which struck Twitter provide the ideal context in which to reinforce cybersecurity messages with your firm. This was reflected in comments by Andrea Barisani, Head of Hardware Security at F-Secure, who claimed he was actually happy that ‘the problem was used in a very vocal and obvious way rather than something really subtle’.
Barisani’s point is that the very public nature of the attack has drawn attention to cybersecurity, and gives others the chance to re-examine their own defences. It is the perfect example to which a chief security officer can point to when they go to their boards asking for more resources and support, for example.
The second is more practical: re-evaluate security.
This will involve an audit of existing defences, identifying weak spots and making sure robust measures are reinforced. This is a good opportunity to ask questions and probe into cybersecurity that you might already consider secure and asking yourself ‘is this really good enough?’.
Now that many are now working from home, this question has acquired a new significance. Though working from home has many advantages, one if its chief disadvantages is that remoteness can easily become sloppiness in terms of cybersecurity. To address this, employees need to be made aware of just how easily information can be obtained, and the means by which they can protect themselves and their firms. That many employees are likely to have a Twitter account themselves means that this case study should carry an extra resonance.
Further details of the cyberattack will no doubt be revealed in the days to come. It is imperative that, whatever these details reveal, the Twitter attack should act as a lesson and a guide for cybersecurity professionals.
The very least we can do is to disseminate this message for absorption. Every one of us, after all, is on the cybersecurity front line.
 Reuters, ‘Twitter says about 130 accounts were targeted in cyber attack this week’, 17 July 2020: https://uk.reuters.com/article/uk-twitter-cyber-accounts/twitter-says-about-130-accounts-were-targeted-in-cyber-attack-this-week-idUKKCN24I0F3 – accessed July 2020
 Wired, ‘The Twitter Hack Could Have Been Much Worse – And Maybe Was’, 16 July 2020: https://www.wired.com/story/twitter-hack-could-have-been-much-worse/ – accessed July 2020
Thank you. Your comment is awaiting moderation and should appear on the site shortly.
Required fields are not completed, please ensure all required fields (*) have been filled in properly.
You can leave the name empty should you wish to remain Anonymous.