It's not often that the worlds of celebrity gossip and enterprise data security collide, but this weekend's celebrity iCloud hack is just such a case. BYOD organizations should pay especially close attention.
Over this past Labor Day weekend, selfies of an intimate nature were stolen from a large number of celebrities and leaked online. Among the victims are Hunger Games star Jennifer Lawrence and Sports Illustrated swimsuit model Kate Upton. As one might expect, the news and links spread like wildfire.
Reports of how the breach occurred vary, but many suspected that it involved an exploit of a vulnerability in Apple's iCloud cloud backup service that enabled hackers to continue guessing user passwords until they found the right one. The Next Web offers further detail about the bug, which, if combined with some savvy social engineering, could have led to the celebrity iCloud account breaches. Business Insider, on the other hand, took a more circumspect position, pointing out that multiple other services could be implicated in the leaks as well, including Dropbox, Google Drive, and Snapchat.
While the exact mechanism of the leaks have yet to be conclusively determined, its lesson to the enterprise is already clear. Data privacy has become increasingly critical in recent years, thanks to stricter compliance requirements and a string of high-profile breaches. And public cloud services can place sensitive data at risk, endangering enterprise data privacy just as much as they do end users' personal privacy.
So how can organizations protect their regulated or proprietary data assets and avoid becoming the enterprise equivalent of an Academy Award winner with a nude photo leak?
Public cloud security demands control of shadow IT
Despite the steps many organizations have taken to clamp down on unauthorized cloud use, the statistics show that enterprises are nowhere close to being safe, according to analyst numbers collected by endpoint data security and governance solutions vendor Druva. Among those statistics are ESG's finding that 77 percent of companies prohibit online file sharing services for work purposes, but that, according to Workshare, 72 percent of employees do it anyway. Shadow IT is alive, well, and continuing to endanger enterprise data security.
To protect sensitive or regulated information, organizations must find ways to bring shadow IT under control. Consumer-facing cloud services are handy but may not be up to scratch for the enterprise, especially when adopted without IT's approval or cooperation.
As a first step, organizations must use the network monitoring and user activity tools at their disposal to identify shadow IT. Then comes the hard part. It can be all too tempting to shut all public cloud use down and consider the case closed. But this doesn't solve the underlying issue that led to the adoption of shadow IT in the first place (and that will continue to breed more shadow IT problems in the future).
At its heart, shadow IT is a cry for help. End users circumvent IT when the solutions IT offers are less workable than the services that consumer-facing cloud services offer. For example, perhaps employees have few options for file storage, backup, and sharing besides shared drives that require a connection to either the physical corporate network or to the corporate VPN, reducing availability and accessibility.
To take control of shadow IT and prevent it from turning into a major data security risk, IT must be open to the complaints and concerns of the users who have been adopting shadow IT. What needs does shadow IT address that IT-approved solutions don't? In many cases, it is possible—and much more advisable—to find an enterprise-grade cloud solution that offers equivalent functionality with more rigorous security. In other cases, a cloud encryption gateway may prove more useful. In any case, the more that IT can offer solutions to enable end user productivity and satisfaction, the less shadow IT will be an issue.
End user education can be helpful as well. Many employees simply don't know that the cloud services they've adopted put corporate data at risk. Clear policy and a training session or two can go a long way towards dissuading workers from dangerous behaviors.
Public cloud security concerns for BYOD organizations
When it comes to cloud data breaches like the celebrity iCloud hack(s), BYOD organizations are especially at risk thanks to the way BYOD employees work. Corporate-issued smartphone and laptops are usually more or less meticulously secured, with app download and installation limitations in place to help protect the devices and data. Not so with end users' own devices. At the consumer level, services like iCloud and Dropbox and their associated mobile and desktop clients are often either free or cheap, making them easy choices for backup and file sharing. The BYOD employee who's less than careful about comingling personal and corporate documents may overlook the data security concerns unless properly educated in the risks.
It's for that reason that end user education is particularly important in BYOD organizations. But BYOD makes adoption of cloud services for work purposes extremely tempting, even with formal training and policy in place. BYOD companies therefore need to take an more proactive approach to protecting corporate data in the cloud. Data Loss Prevention (DLP) solutions that can identify sensitive data and stop it from being copied, pasted, or inappropriately shared or uploaded are a must. Also important are Mobile Device Management (MDM) solutions with secure, segregated corporate productivity apps to keep work use separate from personal use on employee devices.
The final word
The celebrity victims' response to this past weekend's data breach has been varied, with some contacting authorities—the FBI is now said to be investigating—others expressing their anger, and yet others denying the veracity of the images. But in all cases, these photo leaks are violations of privacy that could prove personally devastating to the victims. The enterprise equivalent—the theft and exposure of sensitive corporate data—could be just as devastating to any business that suffers such a breach.
Businesses: Know what data your employees are putting in the public cloud and find ways to limit and control public cloud use, or run the risk of unwanted exposure.
Editor's Note: Apple has released an advisory claiming that the breaches were the result of "a very targeted attack on user names, passwords and security questions" rather than any exploit of iCloud or Find My iPhone.
Photo courtesy of Shutterstock.