Protecting Data in the Cloud? Don't Forget About Basic Instinct

Personal data: the Holy Grail of modern business? Facebook’s revenue streams are built on it, mobile apps rely on it, and businesses must learn to understand it in order to become closer to their customers. Personal data has become equated to currency.

Vast volumes of personal data are now stored in the Cloud. Rare is the occasion when we get to fill out our names and addresses on a physical form, before it gets shoved into a filing cabinet to gather dust.

I’ve read a couple of stories recently that talk about the vulnerabilities surrounding personal data in the Cloud, since anything stored online has at least some risk of being hacked.

One such example is in this ZDNet article where the author Eileen Yu talks about a friend of hers who uses an app for their local café. The app allows you to create a profile of your own personalised drink, so if you have specific requests you don’t have to spend time repeating them. You just show the barista the app and they know exactly what you want.

The app also offers contactless payment as you can just show them a QR code and the amount is automatically deducted from your credit card.

The issue here, according to Yu, is that customers will have to load their credit card details into the app in order to keep it topped up – “Great, another database filled with customer financial data that hackers can target,” was her first thought.

For businesses, I agree that the high availability (geddit) of Cloud services does introduce a new set of challenges, especially when it comes to personal data and making sure it’s as secure as it possibly can be.

Without the proper restrictions in place, any employee could theoretically set up a Cloud-based account such as Dropbox or Twitter, pop all sorts of data (financial or otherwise) in there, and have instant access to it, thereby circumventing the normal processes you would have in setting something new up within the business – a practice that’s become known as ‘Shadow IT’.

However, I think it’s important not to overlook the basics when it comes to IT Security, and in that case Cloud is no different to On Premise.

It’s easy to get sidetracked or sucked into one fancy technical solution that claims to do it all. In fact it’s better to take a holistic view of your approach to security – including your people, your policies and which technology is right for your business. The technology is of course crucial – but it’s about getting the balance right.

Data stored on premise is never 100% secure, even with the most powerful anti-malware solution. In fact nothing is. All it takes is for one person to forget to lock the server room one night and it’s like leaving your SAT NAV on display in your car.

Speaking of cars, keyless ignition systems have been in the news this week after a reported spike in thieves hacking them.

Ironically, these types of systems were a reaction to the massive levels of car theft in the 1980s and 1990s, when cars were quite easy to break into (though I’d like to emphasise I didn’t find this out from first-hand experience).

Security and protection became a big priority, and this led to the evolution of keyless ignitions and computer systems within your car.

Now however, some criminals have figured out a way to use these systems against people by reprogramming blank fobs (using tools widely available on the internet), allowing them to gain vehicle entry. According to the Metropolitan Police, keyless entry hacking accounts for half of all car theft in the London area.

Now the advice is to go back to basics whilst alternative methods of protection are established to stay ahead of the hackers: Don’t leave any valuables in sight, and add deterrents such as steering and gear locks.

It reminds me of when I worked at the Ford Motor Company in the late 90s. The new Sierra Cosworth model came out which had all sorts of fancy computerised anti-theft devices. So confident were they in its impenetrability that they made a bold offer: anyone who could break into the car within 15 minutes could drive it away and keep it.

Of course, that happened. Someone plugged a laptop in under the bonnet, broke through the security measures, and drove off into the sunset.

For me, the basics of security should always go hand in hand with evolving technologies. Lock the server room, have policies for what you do with the tapes at the end of every night, and make sure they’re being followed thoroughly.

For anything online, protect your networks: don’t leave WiFi passwords on display and dispose of sensitive documents properly. Make sure passwords are long and complicated enough, and consider two-factor authentication. Here’s a great, straightforward video from our security partners Sophos on how to pick a proper password:

For more information on the massive role people and policies have to play in IT Security, have a read of my ‘Week in the Life of a Hacker’ series I wrote earlier this year for Microsoft. Using various scenarios, disguises, and skulduggery, my point was to demonstrate the way a hacker’s mind works – in essence exposing a lack of processes, or the vulnerabilities (sometimes both) in an organisation, that can lead to serious breaches of IT Security.

Day 1: Tape Gate
Day 2: The Case of Mistaken Identity
Day 3: I’m here to water the plants, honest…
Day 4: Social Engineering