Brace yourselves for more debate about the security of hosted services following last week’s leak of confidential recruitment documents and other material belonging to Twitter, the social media company.
The drama kicked off on Tuesday when Tech Crunch, one of Silicon Valley’s best known blogs, revealed it had been given documents hacked from Twitter’s internal systems. The information ranged from sensitive material about the names of people who had been interviewed for senior jobs at Twitter (which Tech Crunch nobly said it wouldn’t publish) to financial projections and product plans (which it planned to). In short, it was the kind of security breach that keeps HR and finance managers awake at night.
The announcement provoked a barrage of comments on the Tech Crunch site, most of them apparently arguing that it shouldn’t publish anything – a surprisingly ethical stance for the people of Silicon Valley, but one that probably reflects a certain sense of “there but for the grace of God”. But Tech Crunch head honcho Michael Arrington pushed ahead, m’learned friends got involved, some stuff got published – and the net result is that we’re all a little bit wiser about Twitter’s financial forecasts and internal strategy.
Leaving aside the ethical debate, the incident raised a number of concerns about the security of hosted services. Along with a growing number of organisations, Twitter uses the Google Apps hosted service as an internal collaborative tool to share documents, spreadsheets, ideas and the like. According to Twitter’s blog, the information got out because an employee’s personal email account was broken into, giving the hacker information that allowed them to then access that employee's Google Apps account.
As I’ve pointed out before, there are potentially huge benefits for organisations in using internet-based services that store data “in the cloud” rather than on your own system, whether it’s in the form of Google Apps or an entire HR management system. High among them is the ease of sharing information, the ability to access documents from anywhere else, the zero IT-maintenance overhead and the fact that some are cheap or even free to use. But you also need to be aware of the risks. The Twitter breach isn’t anything as spectacular as someone hacking into a data centre – it’s the much more mundane problem of poor user passwords. As Twitter itself pointed out, “this attack had nothing to do with any vulnerability in Google Apps, which we continue to use. This isn't about any flaw in web apps, it speaks to the importance of following good personal security guidelines, such as choosing strong passwords.”
The reality is that you’re as secure as you choose to be, whether you use hosted services or conventional on-premise systems. All your employees need to understand what makes a strong password and why you shouldn’t use the same password for everything from Facebook to online banking (let me pause for a moment while I update my own…). A personal account broken into with a weak or reused password is exactly the foothold the Twitter attacker used to reach a work account. And you need to opt in to better security. Google points out, for example, that since 2006 Google Apps has let organisations add “two-factor authentication”, an extra layer of security beyond the password, using smartcards, devices that generate one-time passwords or even biometrics.
It’s a bit like securing your office. You can give all your employees a front door key, you can invest in a sophisticated electronic access and monitoring system, or you can do something in between. The bottom line is that you choose, consciously or unconsciously, the level of risk you want to take – and you, not the door, are to blame if something goes wrong.