7 Apple Breach Business Lessons

Why iCloud Hack Should Be Enterprise Wake-Up Call

By Mathew J. Schwartz, September 4, 2014. Follow Mathew J. @euroinfosec

Is an iPhone or iPad, when tied to the Apple iCloud, secure enough for business use?

That's one question now facing enterprise information security managers in the wake of the dumps of celebrities' nude photos, which first began appearing Aug. 26 on image boards, including 4Chan and its AnonIB sister site. Both Apple and the FBI have been investigating the apparent hack attacks against iCloud that may have resulted in the theft of at least some of the images.

Most businesses, of course, don't worry about attackers stealing employees' selfies. But the same techniques used by an obsessive group of celebrity stalkers could be employed by anyone who wants to steal corporate secrets, be that for espionage of the industrial or nation-state variety. "This incident should be a wake-up call to businesses as to what potential exposure their data could face when on personal devices," says Dublin-based information security consultant Brian Honan, who heads Ireland's computer security incident response team.

Here are seven steps businesses must take to secure any mobile device - BYOD or otherwise - that's used to access or store sensitive corporate information.

1. Issue Call to Action

"This has to be taken as an immediate call to action," especially for heavily regulated financial institutions, says Alan Brill, a senior managing director at corporate investigation firm Kroll. "At the very least, put out an urgent memo reminding people not to store sensitive bank/company information on private cloud services without permission from the local information security group. It's not too late to delete content that shouldn't be there, [and] any accounts on those services should be protected by opting in to multi-factor authentication - and this should be done now."

2. Don't Just Block iCloud

Security managers may see celebrity photo hacking as cause for blocking corporate-owned iOS devices from accessing iCloud or using mobile device management tools to similarly restrict employee-owned devices. Indeed, one knee-jerk reaction has been to ask why anyone would be backing up sensitive information to a consumer-grade service:

2013: "Oh my god you idiot, why didn't you turn on backing up your photos!" 2014: "Oh my god you idiot, why did you backup your photos?"

But blocking iCloud outright may not be the right move for many businesses. "It's an option, although one that may prove unpopular with users," says independent British security expert Graham Cluley. "And if you don't use iCloud to make it easier to share content with your other devices, what will you use instead? Dropbox? Google Drive? Who is to say that those services don't have their own security issues?" Indeed, according to software developer Nik Cubrilovic, celebrity photo stalkers appear able to breach not just iCloud, but also backups of Google and Windows Mobile devices.

Consider, too, that many employees are backing up their devices to iCloud, thus providing them with offsite disaster-recovery capabilities if their mobile device gets stolen, or if both their mobile device and the computer to which it syncs get lost, stolen or damaged. Unless businesses offer a substitute backup capability, blocking iCloud would arguably be irresponsible.

3. Understand Employees' BYOD Use Cases

Before deciding how to manage mobile devices, security managers need to know how mobile devices - and connected services - are being used. "Businesses should look at what information is stored on mobile devices," Honan says, as well as all the ways in which it might be copied or synchronized with other devices, be they cloud services or the user's own PC for backup purposes. "Based on the sensitivity of that information, it should then either be removed from the device or properly protected," says Honan, by implementing controls that restrict any copying or synchronizing of that data to only authorized devices or services.

4. Understand All Related Risks