The Power of the Cloud

As you are probably aware by now, somewhere upwards of 100 celebrities had private pictures of themselves posted on 4Chan and many other sites yesterday. Earlier today Reddit was going crazy with comments and pictures. Some of the celebrities who have confirmed that the posted pictures are of them include Jennifer Lawrence, Kate Upton and Mary Elizabeth Winstead.

Needless to say, these stars are not happy about things, but how does this affect you?

Time Magazine reported that one theory of what happened is that a hacker exploited a vulnerability in Apple’s Find My iPhone service, patched today (coincidentally?), that allowed for a brute force attack against your account. Some tech observers discount this explanation, saying there is evidence that some photos came from Android phones that don’t back up to Apple services.

Whatever the answer is, it is a reminder that nothing is perfect. There are, however, a number of things that you can do.

First is to do a risk assessment.  If you are a celebrity and you have taken nude pictures of yourself and your partner engaging in “adult activities”, perhaps the risk of storing those in the cloud exceeds the rewards of doing that.  Of course the problem may be that you may not clearly understand what is being copied from your phone or pad to the cloud and what is not.  That is part of a risk assessment.

If you are a business person, the same is true. If you have trade secrets, forward-looking financial information, business partners’ confidential information, etc., then a risk assessment will help you determine whether a public cloud is a good place to store this information.

Training your employees in good computer hygiene is important, but people tend to zone out on that stuff. Convenience usually wins out over security.

If you are a business, understand where your employees are storing your information. A few years ago a friend was doing an assessment for a client and he asked the client how many SharePoint sites they had. The CIO thought it was around 50. After an audit, it turned out to be around 1,300. Slight difference. If you don’t know where your data is, you cannot protect it.

Encryption.  Whenever and wherever possible, encrypt stuff.  It doesn’t mean that the bad guys can’t steal it, but you definitely make it harder.  And, make sure that the encryption is not easily compromised.

Review your third-party service providers and partners that have access to your information. This may include performing a security audit on some or all of these providers. Financial institutions have been doing this with their third-party service providers for years. It is a cost that you bear and it should not be a “one size fits all” process. An external risk mitigation expert can help you analyze the risk and come up with a plan. If one of your providers balks at participating in an assessment OR balks at fixing the issues that the assessor found, then you have a decision to make. NOTE: This is NOT the same thing as a PCI audit because it covers information that is not related to customer credit card or other NPI data.

You can follow all of the recommendations above, but the list is not complete and, for many companies, the expertise and bandwidth to do this internally are not there. I recommend that you get a risk mitigation assessment performed by a competent, external security expert at least once a year. You can and often should conduct internal assessments first, but the external assessor doesn’t have an axe to grind. If you pick a vendor to do this who just happens to sell the PERFECT product to fix the issues he or she found, be suspicious of the vendor’s motives. It could be a coincidence, but it also might not be.

Once you have the assessment document, you and your Chief Risk Officer need to review the recommendations and make a business decision regarding which identified risks you are willing to accept and which ones you are going to address.  There may be a number of ways to address a given risk with different costs and impacts.  The security assessor can assist you with this analysis by providing an objective framework and process, but ultimately the executive team and likely the Board will need to make some business decisions.

As more information is stored digitally and the business consequences (legal, reputational and financial) increase, a cyber risk mitigation assessment should be an annual event.

Mitch Tanenbaum