Although Apple contends that a flaw in its iCloud service was not at fault for the leaked cache of nude celebrity photos released to the Internet last weekend, the incident is bringing to light the potential vulnerability of cloud services and how companies talk about them.
In layman’s terms, the "cloud" is a virtual storage space for applications, documents, photos, and any other data. While it is a simple term for a complex platform, companies are explaining what exactly the cloud does – and more recently, its security features.
There are three types of cloud services: public, which is the most vulnerable; hybrid, which is a mix of public and private; and private, which is the most secure, but still not completely invincible, explains Kristen Sharkey, EVP and technology practice lead at Makovsky.
Roughly 80% of small businesses in the US intend to be fully adapted to cloud computing by 2020, more than doubling the current 37%, according to a report published by Emergent Research and Intuit last month.
Likewise, cloud-based platforms touch consumers each day in some way, from images on an iPhone to Yahoo Mail to banking and healthcare platforms, all of which leverage the technology. But regardless of whether a cloud service’s audience consists of consumers or business professionals, security-related messaging about a company’s cloud model should be as transparent, succinct, and simple as possible, notes Tim Donovan, MD of SparkPR’s enterprise practice group.
However, both Donovan and Sharkey note the differences in communicating to the two groups about security in the cloud. In the b-to-b space, messaging might be more technical, particularly when discussing vast amounts of financial or healthcare data and how that information is replicated or made available, explains Sharkey.
Webinars or actual one-on-one conversations with business customers and client contacts about vulnerabilities are essential comms strategies that business-facing companies should implement to keep clients informed, she adds.
"There will be questions that will inevitably come up, so having that two-way communication available is incredibly important at that level," adds Sharkey. "It also has to be a part of the sales cycle, so when a company is selling cloud-based technologies, it must be upfront and honest about what the vulnerabilities are so it doesn’t catch anybody out."
Egnyte, which provides enterprise file services for businesses supporting storage across a mix of local, private, and public cloud services, offers its clients security measures such as two-step verification. The company also has a customer success manager team on-hand to aid clients with any questions or concerns they might have.
But when a company is talking to a consumer about cloud security, the conversation is a bit simpler and more focused on whether their information is available on the cloud and what steps they should take to secure it.
Yet consumers are inherently more of a risk population than a business working with another business to keep its data secure, explains Donovan. Consumers must be repeatedly reminded of best practice tips, such as having different passwords for distinct services and remaining cognizant, whether using their personal technology or someone else’s, so no one else gains access to their confidential information.
"In plain English, consumers should be told [about risks and how to mitigate them] when they are backing up their iPhones, or storing info on the Internet," explains Sharkey. "This information should not just exist in fine print, it should be plainly available to the consumer."
Companies should also start an ongoing dialogue with consumers via Twitter, blogs, or quick tips passed out on a regular basis covering best practices, she recommends.
For instance, Yahoo’s security team has protections in place to prevent "brute force attacks," and the company offers two-factor authentication as a way for users to protect their accounts, a Yahoo spokesperson told PRWeek.
Microsoft, meanwhile, routinely provides guidance to its customers and has a full-time online safety officer dedicated to delivering information on a number of topics to customers, says Microsoft corporate VP of corporate communications Frank Shaw. It also has an online safety center that provides customers with resources about cloud security.
In addition, cloud platform Microsoft Azure consistently gives consumers the opportunity to ask the company questions about the cloud on social media.
Responding to a cloud breach
The leaked celebrity photos first appeared online on Sunday, spurring initial speculation from news outlets and social media that a security flaw in Apple's iCloud storage service was to blame.
However, Apple published a statement on its website on Tuesday about the theft. It explained that after a 40-hour investigation, the company found its services including iCloud and Find my iPhone had not been breached at all. Rather, it said the hacked celebrity accounts were the target of a "very targeted attack" on user names, passwords, and security questions.
The statement explained that Apple was "outraged" after learning about the hack and immediately mobilized its engineers to discover the source. The company continues to work with law enforcement to identify the perpetrators involved.
Apple also reminded users in its statement to use a strong password and enable two-step verification, security measures the company addresses on its website’s support page.
"Google, Microsoft, and most people’s banks use some form of additional verification of who you are to verify your account," says Michael Kaiser, executive director of the National Cyber Security Alliance. "It was critical for Apple to encourage people to use the security tools available to them and turn on two-step verification in their communications, and that is what they did."
He adds that speed of Apple’s response was an imperative step in its communications process.
"People start speculating when they don’t know what’s going on, which can confuse the average consumer about what they are supposed to do," he says.
Apple continued to push back against reports that a flaw in its service was to blame for the hacking. CEO Tim Cook did his first interview on the subject with The Wall Street Journal later in the week where he explained how Apple was building additional security measures into its platform and denied that lax security procedures on his company’s part were to blame. The company will begin alerting users via push notifications and email when there is an attempt to change an account password, he added.
In the event of a cloud breach, companies need to keep their customers front of mind, experts say. The first things customers want to know is if the leak has been stopped and what they should personally be doing to stop it from affecting them, says Howard Opinsky, head of Hill+Knowlton Strategies’ US crisis practice.
Secondly, customers want to understand what the recourse is for any damage the breach might have caused, be it reputational, financial, or otherwise, he adds. Therefore, an affected company must be clear about what it is doing to prevent this from happening again, whether through action by a corporation, involvement in industry coalitions, or working with legal or government authorities to protect security.
Be proactive, not reactive
In the wake of Apple’s crisis, companies such as Egnyte are keeping an eye on the issue.
"We are actively monitoring the situation just like any other security breaches that have happened throughout the year, such as Heartbleed," says Colin Jordan, Egnyte’s senior manager of corporate comms. "But we focus on trying to prevent these things from happening in the first place, rather than being reactive [to a crisis like Apple’s]."
Egnyte posted on its own Twitter page on Tuesday with a link to its website, promoting its business in light of the iCloud incident.
But Donovan says it is not a good idea for companies that offer cloud storage to capitalize on Apple’s "bad day" by promoting their own products and security features.
"The main question businesses should ask themselves is: Do we want to ride the wave of hysteria and will that provide us with any business value?" he explains. "It is a poor and risky business practice for a company to point its finger at Apple and call it ‘insecure.’ A few months down the line, your own system might get hacked."
Makovsky’s Sharkey adds that in response to Apple’s issue, consumer-facing companies that use cloud storage should take a look at their existing messaging in holding statements on their website or company blogs. If a company does not have this type of information available or has not made it available to customers in some way, it should make sure that is a priority.
Similarly, major cloud services that work with businesses should engage with current and potential customers to emphasize the security features they have available, she adds.