Bank robbery and medical information theft have moved to the Internet, so it is disappointing but not surprising that criminal invasions of personal privacy have followed suit. British pop star Adele just fell victim to a targeted breach of her private pregnancy photos, echoing the theft of hundreds of sensitive celebrity photos in 2014, including nude photos of Jennifer Lawrence and photos of Harry Styles and Kendall Jenner vacationing in St. Barts.
In both cases, the perpetrators stole photos from online cloud services: first from iCloud accounts and now from a private email. Some will inevitably scold celebrities for storing private information in online applications, but the details behind these celebrity hacks actually closely resemble breaches of on-premises applications at companies with multi-million-dollar security budgets. Whether for a celebrity or a federal bank employee, cybersecurity needs to adapt to the way people use technology.
The methods are not necessarily technologically advanced, but just like celebrities, a majority of businesses have fallen victim to phishing and social engineering attacks. Celebrity data breaches illustrate first hand the human behaviors that hackers exploit, especially at scale in companies with thousands of employees, and those common behaviors are absent-mindedness, ignorance, and curiosity. Much of the advice directed to consumers on keeping data safe in the cloud applies to businesses as well: choose secure cloud services, turn on the appropriate security features in the service like multi-factor authentication, and actively manage who has access to data.
In a method called phishing, a hacker attempts to trick the victim into entering their login information on a fake form. This was how a hacker accessed celebrities’ iCloud accounts and, although details have not yet been released, is the most likely way an overzealous fan obtained photos from Adele’s partner’s email account.
Celebrities are not alone in struggling to avoid phishing attacks, as 84% of companies report that their organization has been the victim of a phishing attack, and this technique successfully factored into breaches at eBay (EBAY), Target (TGT), and TalkTalk, among others. Even security professionals struggle when put to the test: only 3% of a test group were able to correctly identify ten phishing emails, and 80% failed to identify a single one. The numbers point to the human factor as an effective target for hackers.
In a postmortem on this latest incident, there are bound to be voices who suggest Adele never should have sent private files via email. This approach ignores the reason people (and companies) create and collect data: to use it! One security executive at a financial services company compared keeping data safe to working as a secret service agent traveling with the president. It might be safer in theory to keep the president hidden in a bunker, but it isn’t possible. Similarly, it’s impractical and unrealistic to advise celebrities not to privately share personal information over email.
In the enterprise, we talk about user-centric security – designing security around human behavior because convenience will always trump security. I’ve witnessed the chief information security officer of a large bank taking notes with Evernote, a cloud service his own department banned. If a security executive doesn’t follow restrictive policies, why should we expect consumers to? Rather than give advice that cuts people off from the tools they need, we need to provide security of their data in the tools they use (within reason). Celebrity data breaches strike at the core of what cybersecurity needs to accomplish: account for human error and adapt to the way people use data.
After incidents involving cloud services (email is a cloud service) there is a tendency to hold everything cloud up as an enemy of keeping data safe. On the contrary, cloud services are uniquely positioned to provide secure, convenient solutions. Fear of cloud ignores the fact that in these data breaches, cloud providers’ systems are rarely compromised. Software-as-a-service providers stake their entire business models on the integrity of their applications, since a breach could pose an existential threat to the company. Experts acknowledge the progress; 64.9% of IT professionals now consider cloud services just as or more secure than traditional on-premises software.
Besides email consider another common type of cloud service, that for sharing files. Consumers have the choice of multiple file sharing services many with robust security features. There are, however, certain red flags to avoid. The terms and conditions can be full of dubious provisions: no retention of ownership, no ability to delete data, or no encryption, for example. Any of these provisions suggests the service is not the right choice for your most sensitive data.
Selecting a reputed service is only half the battle. Apple is considered a leader in security and privacy, but hackers can still log in to an account with a stolen password if the user has not taken the time to set up advanced security settings. Multi-factor authentication is a key feature that needs to be turned on. It likely would have prevented both the iCloud and email breaches because it requires additional identity confirmation at sign on, making it impossible for hackers to take control of an account with just a stolen password.
Adele’s leak stands out because her photos were not taken from her own email, but from her partner’s. This adds a very interesting wrinkle that has been observed in enterprise settings too, namely, the weakest link as target of attack. Hackers in the Target breach didn’t attack and compromise Target’s IT systems or applications. Instead, they targeted the IT systems of an HVAC partner who had access to Target’s IT systems. In Adele’s case, this thread can unravel many times over – it is possible Adele’s partner account was compromised because her partner received spurious email purportedly from a friend whose email account had been compromised.
Email is a much more egalitarian service compared to others where a user, typically the originator or creator has more control. For example, cloud file-sharing services enable a user to regulate who can view, edit, or download certain files. Enforcing permissions can provide an extra layer of control, allowing users to share with confidence. The last line of defense, and with the sophistication of security attacks, a critical line of defense is threat detection, which monitors for suspicious activity. For example, when you log in from a new computer or from a new location, many services like gmail who detect that as abnormal behavior require an additional factor of authentication helping to serve as a deterrent to hackers.
Celebrities, enterprise users, and consumers alike have to remember that they are responsible to use cloud services (and traditional software applications) in a secure, responsible way. To underscore that point, research firm Gartner declared that 95% of breaches will be the cloud customers’ faults.
As Adele sang, when you get a hello from the other side take extra care to make sure the hello is truly from that long-lost friend before you click on any link and find yourself the victim of a phishing attack.
Rajiv Gupta is CEO of Skyhigh Networks, a Campbell, CA-based cloud security and enablement company.