The problem, in a nutshell, is that Twitter was never designed for this. Like so many other things on the Internet, it was intended as something relatively simple for ordinary users—in this case, an online replacement for mobile text messages. But the combination of potentially instant response and the fact that Twitter is free made it perfect for everything from customer service to group chats, at least in the eyes of budget-strapped corporate users. Could anyone have intentionally designed an Internet boobytrap more potentially devastating? Probably not.
The new Hootsuite/Nexgate tools add in much of the management capability that Twitter never had because it was never intended for anything but friendly chats in a crowded virtual room. That includes a system for moderating tweets before they're broadcast, automatic scanning of URLs for malware and threats, scanning for acceptable use, archiving, account discovery, policy management—basically all the things that turn a fun-for-the-kiddies toy into a corporate tool.
That's much needed. It's just nowhere near enough.
We've talked in the past about one of the remaining problems: the fact that Twitter isn't doing any of the hardening necessary to make itself corporate ready. In fairness, that's not Twitter's business—at the point when it starts pitching corporate services to Fortune 100 (or 500, or 10,000) companies, then we can expect hardening.
And, in fairness, Twitter has gotten better at providing something Twitter-using businesses really need: an account kill switch. That's how it's been possible to limit the damage from recent cases in which business Twitter accounts were hijacked. At this point, it's fairly easy to tell the difference between a major corporate Twitter user being hijacked and a marketing campaign designed to look like the tweets are coming from a hijacker: If it lasts more than an hour, it's definitely a hoax.
But that doesn't change the fact that the kind of security Hootsuite and Nexgate are providing is being bolted on. Somewhere down the line, it would be nice if Twitter would offer those kinds of services as an expensive option for big companies. Yes, Twitter, big retailers will pay—and they'll pay a lot—for the ability to completely lock down their Twitter feeds, not just use a kill switch in case of hijacking. (Media companies, banks and law firms would pay even more.)
Sadly, that's still only half the solution. And Twitter is a lot more likely to go corporate than the users inside corporations are to start playing by the corporate rules.
As useful as these Hootsuite tools should be, they'll still be hobbled by the fact that they're reactive. As usual, users will try things, they'll be stopped, and then they'll get creative. And it's going to be almost impossible to stop them with technology. The Hootsuite/Nexgate approach to tracking down unapproved accounts, for example, is what they're calling "automated account discovery." It uses search to identify accounts likely to be associated with a brand, even if the accounts aren't officially sanctioned by the company.
Sometimes those accounts will belong to outsiders—not much to be done about those, unless there's trademark infringement. But often enough they'll belong to insiders who just don't want to be bothered with all that tweet moderation and policy observation. (Besides, the SEC loves Twitter, right?) And because Twitter was never intended for what it's actually being used for, all that those users have to do, once they run up against the policy wall, is start a new Twitter account.
That makes Twitter management less an arms race than a game of hide-and-seek. It costs almost nothing for users to jump from one temporary Twitter account to another. It gets expensive for IT to keep chasing those hide-and-seekers, even with automated tools.
It's an IT truism that users can't be trusted to follow security rules. You have to secure things with technology. In this case, though, technology may not be enough. Twitter, like much of social media, is unmanageable by design. That means there's a limit at a technology level, and policy enforcers will have to draw some hard lines for store associates, headquarters employees and anyone else who can't stay within the lines of corporate policy when it comes to Twitter.
That has to start with training, but unfortunately it can't stop there. And it will require every manager to be on board, from stores on up.
Think that's impossible? Think about it this way: Technically, every associate in every store has to be PCI compliant—after all, they all have access to payment card information. Yet somehow, most of the time, most retailers manage not to leak payment card data like a sieve.
If you can somehow get associates, managers and executives to think in the same kind of terms about their chain-related tweets, you'll have another crucial layer of protection against Twitter's unavoidable risks.
It's no replacement for technology, but it'll certainly help.