The headline story this week about celebrities’ iCloud accounts being hacked and private photos being posted on the Internet is terribly sad, both for the individuals involved and for what it says about the state of cloud security. Certainly technical issues (like the problem that the Find My iPhone app did not have controls in place to stop brute-force password attacks –now reportedly fixed) are important, but there’s far more to this story than just some racy photos being compromised.
Study after study finds that employees are regularly using services like iCloud, Microsoft OneDrive (formerly SkyDrive), Google Cloud, Dropbox and many other similar offerings to store corporate data in the cloud. Often, they do this not to steal the data, but to make it convenient to work on from home or on the road, where they may feel that regular company systems don’t give them the ease of access they need.
It seems to our cyber-investigations team that this is something that should be looked at now, while there is so much media coverage of the iCloud hack and you can get people’s attention.
Company IT security specialists and compliance may be able to seize this as an immediate opportunity to both remind employees of the rules about sensitive information, and to provide advice about securing their accounts.
If your company policy permits (or lack of policy doesn’t prohibit or limit) storage of corporate data on personal cloud services, consider that a trigger to conduct a more comprehensive assessment of how sensitive data is being protected. This is an incident we expect will bring questions from senior executives or board members. You need to have answers which could include both your immediate actions and that you’re arranging for an independent review of how data is being protected as mobile, BYOD and cloud services have exploded in popularity, availability and use.
It’s strongly advised that employees do the following as soon as possible.
- For all of their accounts with iCloud, Microsoft OneDrive (formerly SkyDrive), Google Drive, DropBox or any other cloud storage services, opt-in for multi-factor authentication. This is probably the most important immediate action. Urge them to have family members do the same.
- Look through their accounts and see if there are documents, photos or anything else that they would not like to have compromised and delete them.
- Look at what is automatically synchronizing is there any content that you don’t want automatically copied to the cloud?
Until we understand exactly how the attack was carried out, and the breadth of the attack (did it just target celebrities, or was it larger in scope) it’s also a great idea, once you’ve turned on multi-factor authentication, to change your password to a strong one. Choose something not in the dictionary – perhaps the first letters of a favorite song lyric – and change some letters to numbers (like “I” to “1” or “O” and “Q” to “0” or “A” to “@”). Make it long with lyrics you know, it’s easy to get to 10 or 12 characters. It’s not a guarantee, but the combination of multi-factor and a long, non-dictionary, alphanumeric password certainly strengthens your security position.
While monitoring of wireless network traffic to identify cases in which portable devices are using your WiFi network to synchronize data with cloud providers is certainly possible, it’s not going to provide complete transparency into all cloud activity. This incident may be a wake-up call to consider an assessment of Internet-based storage by your company, employees, and those in your supply chain with whom you exchange sensitive data.