The Latest WikiLeaks Data Dump: What Can the Enterprise Learn?

The WikiLeaks saga rumbles on, bringing with it a raft of new but unsurprising classified material from the CIA. This time there are many facets to the released information, but I'd like to hone in on what lessons enterprises can take from this release.

First, the good news from an organizational security perspective: Encryption works.

It would seem that security services have been unable to create ways to read encrypted content from such services as WhatsApp and Signal. With the considerable resources the CIA has at hand, we must take this as a very positive sign on that front. In fact, the FBI court case on accessing records from an iPhone[1] along with stories of arrests being made explicitly while devices were unlocked and in use[2] (in order to access information on them without requiring the user's identity) are now mainstream, owing to the challenge encryption provides. The bonus here is that this type of access is expensive and therefore can only be used where there is a suspected case of serious wrongdoing.

In order to access information from these services by less obvious means, it is necessary to physically compromise the device itself; and the CIA appears to have gone to great lengths to develop tools and mechanisms that access operating systems and devices.

Which brings us to the bad news…

Running through the list of Operating Systems, devices and targets for the CIA it becomes very clear that we, as a society, are producing huge amounts of information and sending data around the world through a growing number of increasingly diverse sources. The sources of content sharing now range from phones, tablets, PCs, CDs/DVDs and USBs, through Smart TVs, cars and IOT devices. Interestingly even software intended to ensure our security, such as anti-virus tools, can apparently be shut down remotely or used against us.[3]

For the extended enterprise (e.g., business conducted across geographic boundaries), this can mean keeping track of an increasing number of devices, as users change their habits and work in more disparate fashions. And let us not forget that the single biggest source of data loss is still users losing stuff - not through any subversion! Aside from simply losing devices and media, the latest Verizon Data Breach Report shows that 63% of confirmed data breaches involved weak, default or stolen passwords. With users routinely reusing and recycling passwords to overcome the increasing complexity and frequency of change, security risks associated with password loss are more likely to increase.

Our 20 years of experience protecting and enabling content in motion for extended enterprises have given us a unique view on what information security in a mobile-first, cloud-first world requires. A driving force behind the Synchronoss acquisition of Intralinks was to refine our insight into the direction of what enterprise customers will continue to require. Our vision of the future is enabling workflows from 'glass to glass' - from enterprise-bound workstations to the handheld devices of mobile employees, customers and partners. What the WikiLeaks story helps to highlight is that the enterprise needs an information-security strategy that provides protection across the board.

When looking to ensure the privacy and security of your organizational content, seek out tools that provide end-to-end encryption - or, more adroitly, that adopt security reliant only on itself and not the characteristics of multiple vendors and technologies. For example, we provide every piece of content uploaded to our service with its own unique 256-bit encryption key. And to ensure mobile security, our technology creates a secure container on users' devices that is independent of and much stronger than native OS security. Using this example, having a user's mobile device compromised would not result in corporate data being lost from within the container.

Further, it's not your users' fault, and they don't do it on purpose, but assume that users want to share their data far and wide. They simply want to get work done and use familiar tools to achieve this. Email is by far the worst culprit! By providing users with tools that are easy to use and hard for them to lose, such as cloud services, you can ensure adoption and security.

Finally, if the security services are looking to gain access to devices, you can be assured that the criminal fraternity wants this as well. By providing mechanisms that secure users' entry to these systems, such as using multi-factor authentication and identity proofing, you can be confident that whatever happens to devices - whether lost, stolen or seized - identity remains secure. Also, by ensuring that the content on the device is protected by technologies such as IRM, access to that content by that identity can be removed, thus ensuring all avenues are covered.

[1] https://www.theguardian.com/technology/2016/mar/28/apple-fbi-case-dropped-san-bernardino-iphone

[2] http://www.bbc.co.uk/news/uk-38183819

[3] https://www.theregister.co.uk/2017/03/08/cia_exploit_list_in_full/?page=2