Cybercriminals follow social networking sites with a passion because they see in Twitter and other social networking sites a huge opportunity to make money and commit fraud. Although spammers, scammers and malware creators are the root of the problem, end-users of the service are equally dangerous because, ultimately, it is what they do with Twitter that counts. If Twitters paid attention to what they are doing, listened carefully to warnings from security experts (their IT team at work) and did not trust every follower who sent them a message, there would be no reason to be concerned.

Unfortunately, humans are the weakest link in the security chain. Add to that a lack of education and little or no awareness of security and you have the right combination for something to go wrong.

So what are the risks and what can organizations and users do to limit such risk?

 The Risks

Data leaks of confidential or proprietary information: Corporate organizations are constantly trying to reduce the channels through which information could be leaked. There are numerous ways to update your Twitter account so it is impossible to block access all the time. The information that could be leaked includes identity theft, credit card fraud, business plans, confidential data, information about facilities, availability of personnel or their schedules.

Malware and viruses: Malware creators see Twitter an as excellent opportunity to spread malware. The use of abbreviated URLs makes it easy for the bad guys to mask links to infected sites and to redirect users to websites that they would think twice about visiting. The setting up of fake services could be used to collect credentials and information from that user.

Applications: Users put too much trust in both the people following them and the applications that are easily distributed. These applications, which may be insecure, could be used to steal accounts.

Improper use: Twitter makes it so easy for people to inform their friends and extended network of contacts about what they are doing, where they are and so on. Impulse messaging can be dangerous especially if the user is irate and doesn’t stop to think about the repercussions of his or her tweet. Sending inappropriate tweets is not recommended. From a corporate perspective, employees can be a threat if they post information that could impact negatively on the business, hurt its integrity. A wrong post picked up by such a wide audience could become a PR nightmare for that business.

Customer care: As more and more organizations set up their own accounts and encourage customers to keep in touch, businesses need to be careful how they deal with disgruntled customers who may use Twitter to discuss a negative experience they had. With only 140 characters at its disposal, a business should avoid getting into a slanging match with an unhappy customer on Twitter and encourage the client to use traditional customer care channels. Take the conversation offline.

How to counter the risks?

Every business or organization which uses Twitter (or any other social media or networking site) should have a strong policy in place (and enforced) that clearly states how it should be used by employees.

They need to be aware of the consequences of sending out seemingly innocent tweets which could still get them into deep trouble. In December 2009, a Vodafone employee was fired after his post was deemed by the company to go against fair competition. Drastic? Maybe, but it showed that even a humorous post could backfire.

Some basic rules include:

1. Think twice before posting. Employees need to think compliance, integrity, security… then post.
2. Access URLs in tweets with care. If there is no real need to check out the site, leave it.
3. Show employees what to look out for. How to notice when someone is stalking or attempting to social engineer information.
4. Avoid confrontation on Twitter. It is a great tool for customer feedback but a disaster in resolving issues.
5. Create a policy in a language that is understood by employees. Have them sign it. There should be no excuses that they did not know what they could or could not say.

I think the turning point was a book I read – ‘The Undercover Economist’.  Fast forward a year after reading that book … for our Break Fix customers – we had a ‘Now fee’. 

‘Hi, yes of course we can fix your Exchange Server, but unfortunately, our tech’s are busy working on other problems right now.  How many users are without email?  50, ok, I hear you. We’ve a slight problem though, all our senior techs are busy.  However, we do have a ‘Now Fee’ option of £200, this covers their overtime tonight to catch up if we pull them off what they are doing and on to your problem.  You’re OK with that, great!’

Now clearly, the £200 can become £400 or more depending on the impact of the problem, and because our techs were always busy, we always offered and frequently charged break fix customers for it. 

The ‘Now Fee’:

• Earned us lots of money easily (it was more costly for more value)
• Had the effect of making our fixed monthly cost support arrangements become more attractive   
• And, if customers elected not to pay – they waited (and didn’t complain). 

It’s a scientifically proven fact that people tend to adopt a ‘herding instinct’ in times of uncertainty. I think the decision process goes something like this:

‘Jeezo – I’m worried. The quickest way I can arrive at a decision is to check what everybody else in the same situation is doing.  Plus, perhaps they know something more than I do anyway. So I’ll just check what everybody else is doing and do the same.’

Sometimes people even just do what others are doing without knowing why or just because it seems like a good idea, for example:  people walking past an accident without stopping, ‘runs on banks’ or this one that Seth Godin posted.

The current ‘Economic Storm’ is undoubtedly a point where people re-evaluate. Perhaps you can use this to your advantage and marry the two together.  How about a message like this to potential clients:

• Since the start of 2009, XYZ IT Services has doubled our customer base.
• These new customers cite better value, our superior organisation to deliver what they really need and stronger relationships as three primary reasons for moving to XYZ IT Services for their IT expertise.

• Monitoring System
• Remote Support & Management Tools
• Helpdesk System
• CRM/Purchasing/Logistics System
• Billing / Financial System
• Performance Review System

I used to spend a lot of time looking for ONE system which linked everything together. A system which encapsulated the way we wanted to do business, a system which allowed us ‘wiggle-room’ as we learned and a system which allowed us room to grow. And of course, I didn’t find one.

I see recently that vendors who provide software to our market have ‘twigged’ and are trying to do most of these bits now and some have even coined the phrase ‘ITRP’.

It’s a step forward, or is it?

With the benefit of hindsight, it strikes me these systems are written from the IT Support Companies/MSP’s perspective. This is, of course, the wrong place to start; systems (and software) should be written to deliver what your customers need you to deliver.

When I was running this IT Support operation, I accidentally met (and used) a consultant, a very clever one. He knew about ‘lean’ and ‘value’ relating to services. As an example:  he distilled down on parts of our business (one at a time), such as our IT Support/Help Desk.  He determined this was our value (as stated by our customers):

‘Fix my problem accurately and quickly, fix it first time. Tell me what the problem was and tell me what I can do about it in the long term (if I need to know)’

We (slowly) re-engineered our Help Desk (and its systems) to deliver what our customers really wanted and changed our systems to measure the following ‘Leading Measures’:

• Report to Resolution time (User Reports until the time we Resolved it, and by resolved it, I mean fixed the customer, not the problem and given him the long term perspective (which is of course our sales opportunity). We shortened the time and found more sales opportunities.
• First Time Fix – If we ‘handed the customer off’, i.e.: didn’t select the right guy in our company to fix it and had to get another guy involved, wasting the customer’s time.
• Accuracy – Number of cuts we had at getting it right. We cut this down massively by removing confusion and focusing on predictability.
• Communication -we measured this by ‘failure demand’, i.e.: our failure to communicate or do what our customers wanted, which resulted in them phoning, emailing or chasing something. By working on this we reduced interruption, context shifts & fire-fighting.
  We looked at what stopped us from delivering what the customers wanted and concluded that part of the problem were limitations imposed on us by off-the-shelf software and in some cases these were stopping us from working the way we needed.

And by the by, it mostly turned out we actually needed more simplicity. For example, in the end each Request in our system had only four states:

• Reported (Reported or Requested by customer, monitoring. Scheduled work).
• Technical Work Complete
• Customer Informed
• Long Term thoughts communicated.

We had a dashboard where everybody could visualise the queue of work and which of the four states each request was in.  We measured throughput and NOT billable time, hours, etc.

In essence, we focused in, on, and improved what the customers wanted (leading measures) safe in the knowledge that success (lagging measures) would follow automatically: Profit, Billable Hours, Efficiency, etc.

In the end our systems became simplified (and cheap). Our profit went up. Our business grew very quickly. All the best technical guys in our region wanted to work for us.

MSPs – Begin at the Beginning NOT with what a software sales guy tells you is important.  Begin with what YOUR customers want you to do and work backwards from there.