- Evernote hacking debacle - here we go again!
- Don't believe assurances
- Your clients are going to ask you some difficult questions
Here’s the scenario. It is early last week and you are the CEO of Evernote and are talking to the head of cyber security and you ask these questions: "How secure is our data and our networks? Is there any possibility that someone could break in and see all our subscribers' details?" The head of cyber-security replies "No, that's completely impossible. It can't happen - I'd stake my job on it." And a week ago he probably believed it, although if you look through the back history of news articles on cyber-crime you will be skeptical that any cyber-security professional would have been that confident.
Software-as-a-Service (SaaS) is a growing area in the world of IT and as such it is of huge interest to the UK IT Association (UKITA). Providing companies and individuals access to services through the world wide web has become more practical with the uptake in cloud services, and many of the traditional software providers are now pricing their services to encourage business users to take out subscriptions. The most notable example is Microsoft, which now promotes Office for business users only as a cloud-based subscription service.
In the UK, HMRC scrapped the SaaS portal that allowed tax credit recipients to update details of their claims online because they could not guarantee the security of the information held. The portal that allowed customers access presented a potential access route for hackers.
So the news that SaaS start-up Evernote have been hacked and have advised all their users (around 50 million) to reset their password should serve as a word of caution to SaaS companies regarding their security arrangements. If a huge governmental body with (for practical purposes) unlimited amounts of money couldn’t find a way to make the portal 100% secure then it is unlikely that other cloud-based products will be able to provide this guarantee.
The usual model for SaaS companies is to provide a cloud-based service which allows users to access their information from anywhere with internet connectivity by passing through a portal. These portals are usually secured to an individual, so you are not able to see the information that other users post or to access their accounts, but one problem with portals is that it is very difficult to prevent cracks appearing somewhere.
Evernote revealed that no private information was accessed during the hack, and that no information was viewed or amended, nor any payment details viewed. Information that was obtained included usernames, e-mail addresses and some encrypted passwords.
“Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms they are hashed and salted),” said Dave Engberg, CTO of Evernote, in the blog post.
“While our password encryption measures are robust, we are taking additional steps to ensure that your personal data remains secure. This means that, in an abundance of caution, we are requiring all users to reset their Evernote account passwords,” Engberg continued.
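To show what "hashed and salted" means in practice, here is an added example (not Evernote's code; the algorithm, PBKDF2-HMAC-SHA256, and the work factor are assumptions). Each user gets a random salt, so two users with the same password store different hashes, the stored value cannot be reversed to recover the password, and a record can be flagged so that it no longer verifies until the user resets, which is the precaution the post describes.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters (not from the article): PBKDF2-HMAC-SHA256, a random
# 16-byte salt per user, and a work factor of 200,000 iterations.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return a salted one-way hash record to store instead of the password."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(),
            "iterations": ITERATIONS, "reset_required": False}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.

    A record flagged for reset never verifies, even with the right password.
    """
    if record.get("reset_required"):
        return False
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def invalidate_for_reset(record: dict) -> dict:
    """Force a reset after a breach: the old hash stays unusable for login."""
    updated = dict(record)
    updated["reset_required"] = True
    return updated


def same_password_different_hashes(password: str) -> bool:
    """Two users sharing a password get distinct stored hashes because salts differ."""
    a = hash_password(password)
    b = hash_password(password)
    return (a["hash"] != b["hash"]
            and verify_password(password, a)
            and verify_password(password, b))
```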
The problem for Evernote, and other SaaS providers, is that they are reliant on allowing remote access to end-users through the cloud. Evernote allow for remote storage of your notes and items so you don’t need to be carrying a planner with you. They cannot rely on closed systems to enhance their security.
For most SMEs using or providing cloud-based services, anonymity will be a major part of the protection. Until your company registers on the national or international level it is unlikely to attract the attention of hackers. But it is vital you know what you will be saying to your customers. UKITA members IASME Consortium Ltd are experts in cyber security and provide advice and certification in recognition of good practice in IT security.
David Booth, Director of IASME and part of UKITA’s SME Cyber & Information Security Leadership Team, has this to say: “It’s becoming common for hackers to steal identities before stealing data. Passwords can be decrypted given time so it's sensible to change them. We must all be cautious even when looking at emails from someone you know, and don’t click through links but type them into your browser or copy and paste them into a text editor first. This will reduce the risk of visiting an infected site and getting a nasty virus.
SMEs should demonstrate best security practice when dealing with clients and carry insurance to compensate clients if the worst happens.”
SMEs, and this is perhaps more important for non-IT companies than for IT professionals, need to be ready for the awkward questions from their client base: “Where are you holding data about me? Is it on the cloud anywhere? What are you doing to protect me and how can you prove it? How much are you insured for if something goes wrong?”
At the moment, like Evernote, you are probably secure in the systems you have, but for your own benefit it is good to have answers to all of these questions.
If you are interested in keeping up to date with IT news, events and opportunities please follow UKITA.