Information To Protect What You Grow

3 Lessons For Businesses From The Apple iPhone Hack

Written by Jeffrey Forbes | Jun 1, 2016 11:04:22 PM

 

Cybersecurity issues continue to make the news, making it harder and harder for companies to ignore their own cybersecurity concerns.  Most recently, Apple and the Federal Bureau of Investigation engaged in a significant courtroom fight over hacking into an iPhone.  The FBI had brought Apple into court demanding that the company hack into one of its own phones in order to gain key evidence, and the California company had resisted strongly.

What Happened?

The problem started when the FBI recovered an iPhone 5c used by one of the San Bernardino shooters.  The Bureau wanted to gain access to the phone’s information in case it led to additional evidence on who may have helped the shooters carry out their act of terrorism.  Unfortunately, in trying to gain access to the data, the FBI accidentally bricked the phone, preventing itself from being able to gain the information and raising the possibility that all the data on the phone could be erased.  So the FBI sought a court order forcing Apple to break into the phone for them, since they could not do it themselves.

Apple Fights To Keep Their Edge In The Marketplace With Security Features

For Apple, maintaining the security of their hardware and software is a paramount interest.  Police departments around the country have often asked for, or demanded, help hacking into iPhones caught in criminal stings, and the company has generally resisted.  It fears not just the time required to respond to these requests; it fears that creating well-known or established mechanisms for breaking the security of their data will lead to increased vulnerabilities for all their customers and leave them more open to attack from competitors.

The FBI Wins And Gains Access Without Assistance From Apple

The Court originally sided with the FBI, a decision that Apple immediately appealed.  However, before the appeal could really get underway, hackers informed the FBI of a way to get the data they needed, exploiting a previously unknown security vulnerability in the iPhone 5c.  The FBI claims that the technique only works on the iPhone 5c, but given that the FBI also has a mandate to fight the type of cybersecurity breaches that would be caused by this information becoming public, it’s hard to know how much to trust them.  To date, the FBI has not been willing to share the exact nature of the hack with Apple.  That of course means Apple cannot fix the vulnerability. 

White Hats And Black Hats

What may be more interesting is the possibility that the FBI actually paid hackers who may have engaged in illegal activity in order to gain access to this information.  The hacking world is normally divided into white hat hackers and black hat hackers, with the white hats being employed by companies to try and find vulnerabilities in their systems so that they can be fixed, and the black hats trying to find those vulnerabilities to break into systems and commit criminal acts.  The hackers communicating with the FBI in this case appear to be “grey hat” hackers, those who hack systems without permission and then attempt to sell the information regarding the vulnerability back to the company that has been hacked, a practice of dubious ethics since it can feel close to extortion to the company confronted with the information.

What Actions You Need To Take For Your Business

Ultimately, this case has several lessons for companies trying to manage their cybersecurity liability. 

  • First, since most companies won’t have the resources of the FBI, back up your data so that it does not wind up locked in a device that you have lost access to.
  • Second, know who owns and controls your data if it’s not you, and make contingency plans for being able to access it if things go wrong.
  • Third, talk to a broker today about cybersecurity insurance policies to protect your company from financial loss caused by information technology failures.