Twitter disclosed yesterday that it had to reset some passwords due to an exploit that really could have hit any company.  In essence, certain visitors to a fake peer-to-peer search engine signed up for an account using the same username and password they used on their Twitter accounts.  The owners of the fake P2P search engine used this information to access the users’ Twitter accounts.  This exploit is not surprising given that a majority of online banking customers reuse their login credentials on other websites.  Accordingly, standing alone, this would have little impact on Twitter’s security standing.  Unfortunately, there have been more incidents.

On January 5, 2009, several dozen Twitter accounts were hacked, including one belonging to our president.  On May 21, 2009, Twitter’s name was used in a phishing exploit that sent users emails notifying them of new followers and included a link to a fake Twitter site.  There were also security incidents in April and June.  In fact, one analyst has gone so far as to claim Twitter’s security posture is weak enough to be called “security Swiss cheese.”

Why pick on Twitter?  Afterall, yesterday our Director of National Intelligence told members of the Senate’s Select Intelligence Committee that  malicious online activity is growing at an unprecedented rate.  As Dennis Blair put it, “in the dynamic of cyberspace, the technology balance right now favors malicious actors rather than legal actors, and is likely to continue that way for quite some time.”  

The reason to mention Twitter is because their new user growth has slowed down.  Big time.  According to a Hubspot Report, Twitter’s new user rate of growth has gone from 13% in March 2009 to 3.5% for October 2009 (the last month tracked).  

Although Twitter may have lost steam as a social networking tool simply because the novelty has worn thin, it is also likely the case that its public security failings have slowed growth.  It is very likely that the current stagnation in growth is even worse given that it is estimated about 25% of accounts have no followers and about 40% of accounts have never sent a single Tweet.  Why bother signing up for something you likely will not even use if you are skeptical of its security?   Simply put, there is no reason to take a chance on a new company if public security lapses make you feel insecure about your data.

All of this points to the need for better security; and more importantly, the use of a directed marketing message that highlights security best practices.  This strategy would not only serve to benefit social networking companies.  All companies holding personally identifiable information need to get their network security and privacy (NSAP) marketing message out to potential clients.  In other words, NSAP processes and procedures are not just tied to risk management and compliance, they directly relate to a marketing message that should lead to an increase in profitable new business.

More and more security firms are pushing their products towards the SMB market.  In a recent press release, Blackhat Solutions  looks to sell its services by warning “small to medium businesses of their financial and legal susceptibility in the face of increasingly sophisticated data hacking.”  This is no surprise given Forrester Research projects that about 40 percent of SMBs are planning to increase their IT security budgets for 2010.  In its $1,749 report, Forrester outlines why network security and data security top the IT investment and attention for SMBs.  The goal in increasing funding is to protect data rather than just finding broader operational savings – a past common driver of IT initiatives.

SMBs should also be looking to make a little lemonade with their added expenses.  Why not take this increase in data security expenditure and turn it into a profit-making marketing edge?  Most smaller firms who are able to position themselves as security stalwarts will eventually increase their market share no matter what industry they are in.  It’s that simple.   When building out their enhanced security capabilities, there is no reason SMBs cannot also get this marketing message out to their clients, business partners and employees.

According to the latest Ponemon COB report, data breach attacks have doubled this past year while the average cost of a data breach has increased to $204 per compromised record.  The Ponemon Institute looked at several variables when determining this $204 number, including:  lost business; legal fees; disclosure expenses; consulting help, including forensics; and remediation expenses such as improved technology and training.  Page 16 of the report indicates that lost business is the most significant component of this number – representing $135 of the $204 amount.   In other words, those firms disclosing to the Ponemon Institute information regarding their breach have had a signficant documented loss of business.  In addition to providing this valuable insight regarding brand damage caused by a breach, the report is also instructive given it offers information regarding the causes of 2009 breaches. 

According to this Ponemon Insitute report, data breaches generally have three primary causes:   third party negligence; malicious attacks such as coordinated botnet attacks; and negligent insider behavior.  In fact, the Ponemon Institute points out that 42 percent of all cases in the study involved third-party negligence.  Although this overall number (as well information in the report) is based on information provided by only 45 businesses  willing to speak in detail with the Ponemon Institute, the number should not be taken lightly – especially since it is not that far off from numerous other studies and surveys done over the years. 

The two lessons here – breaches lead to lost business and third-party negligence is a signficant cause of breaches – actually have more to do with marketing then with risk management.  In a prolonged down economy, small and middle market companies need to differentiate by showcasing their network security and privacy strengths.  Instead of shying away from the efforts needed to improve your network risk profile, embrace the endeavor by realizing it will only be a matter of time before you are required to do what you are voluntarily doing now.  As with most corporate best practices, being one step ahead of your competition when it comes to network security and privacy can turn into a significant marketing advantage.  Depending on your business goals and what you do to generate revenue, this advantage can easily turn into a sustained  competitive edge.