Blog

Organizations aren’t ready for the truth about cloud vulnerabilities

Organizations aren't ready for the truth about cloud vulnerabilities

Thursday 1st February 2018
Trevor Graham, CEO

Watching the news over the last few days, I keep thinking of Colonel Nathan R. Jessup, Jack Nicholson's character in the movie A Few Good Men. You know the one I mean: "You want the truth? You can't handle the truth!"

What, I wonder, would Colonel Jessup have made of the news that soldiers have regularly been wearing fitness trackers when they were on patrol? This came to light last week, when fitness-tracking app Strava published heat maps showing the routes its users took on their walks, jogs, bike rides and other perambulations.

In the case of US soldiers, this meant the classified patrol routes around the perimeters of US military bases: all there, online, easy for anyone — foreign intelligence services, for instance — to view and download. I imagine being the officer or enlisted man tasked with breaking this news to the real-life equivalent of Colonel Jessup. It isn't a pleasant thought.

But I don't send my employees on patrol

At first glance, it may seem that the rest of us have little to learn from this incident. Unless you work at Aldershot Garrison or GCHQ, it's unlikely that foreign intelligence services will be interested in the route you take on your lunchtime strolls.

But this misses the point. The risk posed to military security by fitness trackers is obvious to anyone who thinks about it, even in passing. And the men and women who run US army bases are not stupid. But like the rest of us, they have their blind spots. It just never occurred to anyone to ban Fitbits on duty.

Almost every organisation has similar blind spots. Maybe you don't closely monitor which online storage services employees use. After all, they're just moving Word documents between home and work. But what's in those Word documents? Where on the cloud are they being stored? How secure is it and is that storage GDPR compliant?

And what about documents uploaded to online translation services or run through an online PDF converter? All the information in those documents is valuable. Could someone sitting behind those apparently innocuous cloud services — or someone who has compromised their security — be using the information your employees freely upload to unvetted sites, often in return for a relatively trivial service, to piece together a picture of the contracts you're bidding on?

It's by no means impossible. And none of us wants to be the person who has to give that news to the boss. He or she may not be as fearsome as Colonel Jessup. But it's still not going to be a conversation that ends well.