The days of sitting in your office and working on a desktop computer are long gone. The laptop has become the computing tool of choice for most people, but now smartphones and tablets are augmenting or replacing it as business is done from anywhere, at any time.
Mobile devices and cloud computing are fueling our ability to get work done wherever we are. There is freedom in sharing documents across your many devices by tapping into cloud services, like Dropbox, Google Docs, SkyDrive, iCloud and Box. It makes it simple to collaborate with colleagues and business partners no matter where they are, what time they want to work or what device they use. But there is also risk as more information floats freely around the Internet and on mobile devices.
Two recent incidents illustrate this well.
- The Oregon Health & Science University Hospital (OHSU) in Portland had a USB thumb drive stolen that held confidential information from 14,000 patients and 200 OHSU employees. The thumb drive was stolen from an employee’s home during a burglary. The employee unintentionally took the USB drive home and the thieves took it while ransacking the place.
- On August 3, 2012, Wired’s Mat Honan had numerous cloud services hacked through some social engineering and poor password recovery policies and spent the weekend trying to get his digital life back in order. Hackers convinced Apple tech support that they were Mat and were issued a temporary password to access his iCloud account. Since Mat stores a lot of information in there, the hackers got access to his Gmail and Twitter accounts and issued a remote wipe command to Mat’s iPhone and MacBook.
When things like this happen, some people want to condemn the technology and say it is not safe. Don’t use the cloud! Stop using USB drives! Let’s all go back to pencils and paper!
It’s a bit of a knee-jerk reaction, but understandable when faith in trusted technology fails us. In both cases, there were policy and process flaws to blame in addition to problems with the technology.
In the OHSU case, there was a process breakdown because the employee was allowed to take the USB drive out of the building. If OHSU had encrypted the information on the portable device, it would have nullified the first problem.
In the case of Mat Honan, he admits that he was a bit lazy about security and that he had all his accounts tied together. He used Gmail as his password recovery account for numerous cloud services and they were compromised when his iCloud account was hacked. Access to one of his accounts gave hackers the keys to the kingdom. This doesn’t excuse the lax approach Apple had to giving an impostor a temporary password, but shows again that process and technology both failed.
Since businesses will continue to use mobile devices and cloud services, make sure you follow a few simple rules to safeguard important information.
- Use strong passwords for cloud services; if possible use 2-factor authentication, like Google provides
- Don’t use the same password for all cloud services, and change your passwords regularly
- Encrypt any sensitive documents you put into the cloud
- Encrypt sensitive documents on all portable devices
- In fact, you should encrypt sensitive documents no matter where you store them
Using portable devices and cloud services makes everyone’s life easier. It allows us the flexibility of doing business anywhere. Data breaches and hacked accounts shake our faith a bit and hopefully make us think more about persistent information security. We hate thinking about all of this and just wish it would take care of itself. Until everything magically encrypts itself and limits our access, we need to lock a few of the doors to prevent the bad guys from getting in.