BreachExchange mailing list archives

Use Apple iCloud hack to sell employees on security culture


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 5 Sep 2014 13:55:01 -0600

http://searchcio.techtarget.com/news/2240228283/Use-the-Apple-iCloud-hack-to-sell-employees-on-security-culture

We've all heard about the hundreds of nude photos and videos of
high-profile celebrities leaked en masse last weekend. The news has led
many security experts and Hollywood elite alike to pontificate on Apple
iCloud's culpability in this leak.

Apple has denied that the leak was a result of a breach in its iCloud
storage service, saying that it was instead a "phishing" hack of individual
accounts. But that hasn't stopped the spate of headlines painting Apple
iCloud with the same broad brush applied to the hacker who invaded the
privacy of these celebrities. And those sensational headlines have a point.

Apple's efforts to ensure the privacy of its users haven't exactly been
Herculean. While the company has offered two-factor authentication in most
of its cloud services, its Find My iPhone service was not covered by that
extra safeguard, so anyone who had phished or guessed an account password
could sign in there without a second factor -- a vulnerability Apple has
known about for months.

Finger-pointing aside, there is a message for CIOs and their IT staffs in
this privacy breach, and it isn't about who's to blame, said Kevin Paul
Scott, co-founder of brand and experience consultancy ADDO Worldwide, and
author of Eight Essential Exchanges. The cloud culture needs to change for
all parties concerned. Big enterprise companies need to "hold the big
vendors' feet to the fire" on protecting data -- and boycott vendors who
don't, according to Scott.

"It will take companies, especially the bigger ones that have large
purchasing power, to say, 'If you don't get this fixed, we will not use
your products and services,'" Scott said.

The iCloud hack should also prod IT organizations and all the powers that
be in the company (including the board of directors) to be more cognizant
of what data, both personal and corporate, their employees are uploading to
iCloud and other services. More important, this high-profile violation of
privacy should drive home to employees that privacy is a privilege that no
one who uses mobile and cloud technology can take for granted. Users have
been "lulled into a false sense of security and have become really lax"
with information they upload to the cloud and put on their mobile devices,
Scott said.

IT managers should strike while the outrage is hot and use the celebrity
nude photos as a means to communicate to employees the importance of
information security in the digital age. It won't be easy, because the
measures to safeguard privacy are viewed by users as a hindrance, not an
asset, and therefore ignored. "As [IT creates] more complicated passwords,
[employees] are becoming more lax in how they safeguard their personal
information," Scott said.

So how should IT go about selling good security hygiene habits to users --
other than clucking over the exposure of celebrities' private selfies?
Scott's advice is to communicate like a salesperson. "People in technology
a lot of times don't communicate the same way that a sales team would,"
Scott explained. "When you're casting vision internally, you have to
connect the things that you're asking employees to do with something
bigger." Essentially, IT should take a page from internal sales and
"inspire" employees and illuminate the reasoning, not just the
prescription, behind security initiatives.

"In this day and age, internal corporate communications is going to be as
vital to IT departments as the greater technology strategy as a whole," he
said. "It's not enough to have the smartest guys or the best strategy if
they can't communicate it internally."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
