Hello My Data, Are You Out There?
Zao provoked infosec dystopian fury with concerns about intrusive privacy policies, but Zao was just the tip of the iceberg.
The Zao app: It was the best of times, it was the worst of times. While the launch of the trending deepfake app began with friends happily using it to share amusing videos, it concluded in predictable infosec dystopian fashion with concerns regarding overly intrusive privacy policies, unease that data was being hoarded by the app's developers, and even questions over whether the whole app was one big misinformation conspiracy. While a healthy skepticism over the apps we use and the data we share should be encouraged, the furore over Zao’s data storage is indicative of broader trends related to data exposure and the importance of managing digital risk.
By focusing on just one app, organizations and individuals risk missing the wider issues at play. Crucially, there is not much new about Zao: the app’s privacy policies and data usage are typical of many apps. A familiar conspiracy recently surrounded FaceApp. Those shocked by the practices of Zao or FaceApp might benefit from some weekend digging into how other popular apps work. The old adage that nothing is ever free would also appear to apply to the phone in your pocket. As a general rule, if you aren’t paying for something, then you (and your data) are most likely the product. For many, the concerns over these apps are almost certainly due to them being based in China and Russia, yet apps based in other regions will still obtain and use a range of potentially sensitive data points.
These app controversies touch on increasingly prevalent concerns related to data exposure via third parties. This doesn’t just include apps but also the use of cloud storage, social media, and hosting platforms. As individuals and organizations increasingly harness the benefits and opportunities of these technologies, they are simultaneously increasing their risk and exposure. Not all of these new risks even arise out of malicious or bad intent. For every state-based super villain threat actor or malign Cambridge Analytica style app out to hoover up your data, there is Alice, an employee who wrote sensitive corporate documents to a public, rather than private, GitHub repository; Bob, one of your organization’s managed service providers who has yet to patch a vulnerability, leaving your data exposed; and Charles, who in his delight at starting an internship at your firm, has shared a photo of his ID badge and ID number. In this context, apps like Zao and FaceApp are one of the many ways in which sensitive individual and corporate data becomes more porous. While these different issues may all require different solutions, the core underlying point is that an increasing amount of individual and organizational data now sits outside of their direct control.
The problem is that many of today's security strategies are focused too narrowly on protecting the internal network - an increasingly outdated and limited outlook. Protecting employees' personally identifiable information with encryption, security monitoring, and tight access controls can be quickly undermined when that same data is voluntarily relinquished via the next app of the week. Organizations therefore need to both protect their endpoints and address the risks that exist beyond their network perimeter. While this might seem obvious at a time when chief technology officers are raring to roll out flashy digital transformation plans, the bar for managing these external risks remains far too low.
With data breaches being reported on an almost daily basis, today’s security strategies need to bake in new assumptions. This comes down to being pragmatic and accepting the reality of the current situation. With data exposure now prevalent, organizations need to be careful in assuming that certain information remains private and can therefore be used to verify users (pro-tip: you have a problem if your authentication process relies on social security numbers). With cyber criminals readily advertising login credentials for sale, CISOs need to build in contingency plans for the day it is their credentials that are the next to hit the market (implementing robust two-factor authentication, for example, can go a long way toward neutralizing the value of stolen credentials).
It is also vital for organizations to take a proactive stance. Data exposure risk might not be as exciting as some new APT28 malware, but it is arguably far more important. It is all too easy to adopt a defeatist mentality around data exposure. Yet, just because an organization’s data might sit outside of its direct control, it should still feel empowered to manage this situation. Accepting that employees may well inadvertently download apps thirsty for sensitive information, organizations can monitor online criminal marketplaces to check whether and how any data tied to them is mentioned. Likewise, measures should be put in place to detect when sensitive data is inadvertently shared. Crucially, by accepting the new risks of data exposure (whether via apps, clouds or social media), organizations can monitor how their name and data appear online and start to build a playbook for managing these accompanying risks.