
'Oleg Pliss' hack makes for a perfect teachable IT moment

Ryan Faas | May 29, 2014
Earlier this week, a number of iOS device owners woke up to discover that someone had locked them out of their iPhones, iPads, and iPod touches. The attack, primarily aimed at users in Australia and New Zealand (though there are now reports of users in North America and other countries being hit), demanded a ransom be paid to unlock each device. Ironically, the PayPal account referenced in the demand did not seem to even exist.

In many cases, this can make work-related tasks easier, help employees be more efficient and productive, and boost collaboration between coworkers and with contacts outside of an organization. It also opens the doors to all manner of data security and privacy concerns, with potentially disastrous consequences - things that most workers don't think about or consider to be their responsibility.

This incident should prompt IT teams to explain the very real risks employees, managers and executives take when they use iCloud, Dropbox, Google Drive, and other cloud services or when they store sensitive data on a personal and unsecured mobile device. You can say the same thing about other data breaches that have occurred in recent months, but this one is ideally suited to being a teachable moment, largely because it was an attack that non-tech folks can relate to their everyday experience. This isn't some abstract hacker threat; it's an iPhone or iPad that suddenly won't work, with a ransom note attached for good measure.

Important points to make

Here are the important points IT departments can, and should, include in a security conversation with users.

  • Users with the most basic mobile security — a device with a passcode — while not immune to the issue, weren't significantly affected. That demonstrates the power a simple four-digit PIN can offer and why, despite the slight inconvenience, IT requires officially sanctioned devices to use one. It also opens the door to discussing the personal as well as professional data that can be exposed and exploited when a device is lost or stolen. Focusing on the potential consequences of someone having complete access to all the data on one of the most personal devices people own is likely to drive the point home.
  • The potential for damage is greater for people who choose to use the same credentials across a range of sites and services. This underscores why IT requires regular password changes and often prevents passwords from being re-used.
  • Apple's own iCloud security systems were not at fault. This attack succeeded because users ignored common security lessons. Apple isn't responsible for it and isn't seen as a scapegoat. A similar incident affecting corporate resources could be blamed on the employee(s) in question rather than on the IT department, particularly if IT can prove it had no knowledge of where the data or credentials were stored by users.
  • This could have been much worse for the affected users if the perpetrator had used iCloud credentials to access data and documents synced or backed up to iCloud or stored there by a range of iOS and Mac apps. That lesson extends to every cloud service, email system, social network, and online account that a person has, both personal and professional. If any of those accounts had sensitive corporate data or data subject to government regulation under privacy laws (such as those related to healthcare or finance), it could have done a great deal of damage to a company and resulted in termination for any employee who allowed data to be exposed.

 
