Maybe it’s because I worked for a number of years getting devices like the iPhone certified to operate inside a military and commercial aviation company, but I’m not at all surprised to see celeb photo leaks occurring.
Consumer electronics of any kind live on a constant pendulum between accessibility and security. The more secure something is, the less accessible it inherently becomes, and vice versa. Any company building an internet-connected device today has to weigh a number of considerations when deciding on the right level of security for it, including cost, supportability, and even export control (per federal regulations, for example, you can’t leave the US with a device that exceeds a certain level of encryption).
For corporations, there are tools called mobile device management platforms such as Good Technology (www.good.com/) and Airwatch (www.air-watch.com/) that are designed to “harden” a consumer device so they’re safe for corporate data. With the growth of Bring Your Own Device (BYOD), this has become a booming industry for companies that want to offer state of the art mobile technology but at the same time want to make sure it meets the same standards as the corporate laptops that have had years of security and encryption work done on them, from anti-virus to whole disk encryption.
With these tools, though, the mobile devices become harder to use, either because the data is siloed on the device or because you have to enter a very complex password every time you want to log in.
The celebrities that had their private content leaked online had their phones hacked via an iCloud security breach – basically, the content was accessible via a consumer-grade cloud hosted solution designed for storage and sharing of content. There’s a good chance these celebrities didn’t realize that content was being “auto-saved” or even accessible via iCloud, but therein lies the problem. How much content do you share on your device, without realizing it? I can guarantee you that hackers are pretty aware of common vulnerabilities, and typically aren’t the types to openly share new ones (assuming they’re not the good kind of hacker, or “white hat”).
It is a horrible act when someone’s privacy is violated, and no doubt when it’s a celebrity the effect is 1000 times worse than for an average person, given how quickly it spreads. As long as people put sensitive content on devices meant to be sold to the broadest possible audience, though, out-of-the-box security will only go so far toward solving these issues. This is especially true for company secrets, where text messages are sometimes just as sensitive as e-mails.
This doesn’t mean it’s time to go back to desk phones and typewriters, though, because there is a happy medium where convenience and staying up to date meet adequate levels of protection. When I worked with corporate clients on mobile device security, I used a metaphor that is useful when discussing how to manage your internal mobile security.
Think of a bank as having three layers:
Layer One – The lobby. It’s open to the world for most of the day and is generally accessible. There’s a lock on the door and a security guard, but people can get in and out pretty freely.
Layer Two – Behind the counter. Customers aren’t allowed back there, but employees can get in and out fairly easily and have some layers of security between them and the average customer. Sensitive material is kept back there, along with a certain amount of currency, so security is in place, but it’s also accessible to any employee.
Layer Three – The safe. This is the most expensive and secure piece of real estate in the bank, and it is designed for security, not accessibility. The most sensitive material is kept here, along with the majority of the money and other very sensitive items. Few people get or need access, and no one from the public is allowed in.
If you are building a bank, the whole thing isn’t a safe – it would not only be super expensive, it’d be inaccessible to the general public which would defeat the purpose. At the same time, you need a safe because of the threat of theft, robbery, etc.
When you think about mobile security, what in your company belongs in the “safe”? Consider whether that content should ever be on a mobile device at all. What belongs in the back room? E-mails, corporate documents, attachments, etc. This is where mobile device management comes into play, and where you should consider what falls into that employee-only area. As for the lobby? Marketing content, sales material, website content, anything open to the public doesn’t need to be secured. This is what lands on a consumer mobile app, a mobile website, or general-access content.
Leaks like these will continue to happen as more people put more of their personal lives on internet-connected devices built around sharing and accessibility. Security will get better, but not so good that the devices become too difficult or cumbersome to use. Within that space, consider what should be on a mobile device at all (for sensitive photos, I recommend a device that’s not connected to a cloud-hosted service), what should be secured on your device, and what is generally open to the world. These “three layers” will help you avoid confusion or surprise when it comes to sharing content via a mobile device, and will help prevent unnecessary data leaks of your sensitive corporate documents.