Plugging the leaks – photos and data breaches
The recent unauthorized release of private celebrity photos should serve as a wake-up call to every executive. Not because attackers are likely to release personal photos, but because every individual and organisation has sensitive information that can cause harm if it is compromised. The information may include product designs, sales leads, financial results, credit card details or legally protected information.
A public disclosure of sensitive information is a humiliation, as celebrities may attest. However, the one positive of a data breach is that it highlights the existence of a security vulnerability that can be investigated and remediated. The most damaging breaches are those which remain undetected, with sensitive information being lost over an extended period and potentially shared in private with those who have a keen interest in the data. In this case, the victim of the breach may not be aware that they are a victim until long after the breach has occurred and the damage has been done.
People have protested that the way to prevent compromising photos being leaked on the Internet is not to take compromising photos. However, this opinion misses the point. We all have confidential data that needs to remain private. We should not stop creating confidential information; we must ensure that our confidential information remains secure.
Although we don’t know for certain how attackers gained access to these photos, the incident is an indication that patient and motivated attackers, given enough time, may be able to find security holes in a system and gain access. The question is invariably not, “are there security vulnerabilities in a system?”, but rather “can security staff identify and remediate vulnerabilities before attackers cause harm?”
For organisations seeking to maintain the confidentiality of their data, it is not enough to issue an edict banning the use of consumer cloud back-up services. Protecting confidential information requires securing the data in transit and at rest, and correctly managing access. Additionally, systems need to be maintained and monitored to ensure correct operation. When something goes awry, the cause needs to be identified, investigated, and remediated as soon as possible.
Securing confidential information and the systems in which it is stored and processed is not impossible, but it does take skill, planning, and a long-term commitment. Not every organisation will have the necessary know-how; often the best course of action is to acquire human resources with specialist skills to ensure that the correct level of data security is being applied to data. The last thing any business wants is for the photo of their chief executive to be published alongside the story of the next big data breach.