Twilio discloses a data breach. What could be done better to prevent it in the future?

The Twilio incident shows that even tech-savvy companies can fall victim to well-crafted social engineering. Here's what I think we need to focus on:

First, we have to tackle phishing beyond just email.

Look, most anti-phishing tools are great at catching sketchy emails, but SMS phishing? That's a whole different game. The attackers were smart - they sent texts pretending to be from IT saying "your password expired" or "your schedule changed." Classic urgency tactics.

What we need:

• Regular training that actually covers SMS and voice phishing scenarios. Not just the standard "don't click suspicious links" email training we've all sat through a million times


• Work with telecom providers to get some SMS filtering in place (yeah, it's harder than email filtering, but it's necessary)


• A simple rule: If someone texts you asking for credentials, pick up the phone and call IT directly. Old school verification still works

Second, we need to get serious about access management.

This is where Zero Trust and IGA come into play. Basically, stop trusting anyone by default - even your employees.

Here's what actually works:

• Lock down access based on context. If Bob from accounting suddenly logs in from Romania at 3 AM, maybe don't let him access the financial systems?


• Time-based access is huge. Why does anyone need 24/7 access to sensitive systems? Give people access during their work hours, from their usual devices


• Get rid of SMS-based MFA yesterday. Hardware keys aren't sexy, but they work. Twilio learned this the hard way


• Keep privileges tight. Does Sarah really need admin access to that system she uses once a quarter? Probably not. Give her temporary access when she needs it

The bottom line? Even if someone steals credentials through phishing, they shouldn't be able to waltz into your systems. Make them jump through hoops - legitimate users won't mind the extra security if you explain why it's there.

These aren't revolutionary ideas, but the Twilio breach shows we're still not doing the basics right. It's time to stop treating security as a checkbox exercise and actually implement these controls properly.

In case of sophisticated social engineering attack designed to steal employee credentials there is a need to pay attention regarding education of employee first and if not already in place apply Zero Trust approach by implementing OTP and using it as mandatory for all employees. Any technical solution is not good enough to avoid willing leak of employee credentials by themself.