The Dangers of Accidental Data Synchronisation

In my view accidental synchronisation of highly confidential information between internet-enabled devices is one of the biggest security loopholes of the decade. The fact that manufacturers can do this, seemingly without consent, is immensely worrying and something that as a business owner you need to take VERY seriously. You might be careful with your passwords and devices, but are your staff?

What’s the problem?

Any modern business is going to have a range of devices where you access data from. Your desktop PC, a tablet, your mobile phone, a laptop… it’s part of the many joys of cloud computing and can lead to a highly agile working environment. BUT this flexibility comes at a huge cost to security.

For example, I don’t normally use Microsoft Edge but I do occasionally use it just to check the functionality of my web sites between various browsers. I’ve never run Edge on this particular laptop before, loaded it up, dismissed all the Microsoft nonsense trying to make it my default browser, and then noticed my usual favourites bar full of my usual shortcuts! It just appeared as if by magic at the top of the screen. Strange… I know this happens for Chrome but I don’t remember ever setting this up for Edge. Where did it get this information from?

I tend to use my Edge browser for more confidential stuff since I know Chrome synchronises everything everywhere. This is fine, I’m aware of what Chrome does and I safeguard my data accordingly. For example, call me paranoid but I don’t do online banking via Chrome. I tend to that via a different browser just to keep things separate. I don’t want to give potential hackers a head start by telling them who I bank with.

Not that I used Edge for this, but I had NO IDEA that my confidential shortcuts in Edge were being syncronised off my PC, on to the ‘Microsoft Cloud’ and back down to my laptop. And when I drilled in to the options it was a lot more than just my shortcuts that were being synchronised. Not only were browser settings, such as internet favourites, being sync’d but so were potentially confidential machine settings, my full browsing history. Note the ‘Passwords’ box below – on by default. I didn’t switch that on. I didn’t even know it was on:

Synchronisation on by default
Synchronisation on by default

 

Now, across the range of devices I use for business, some are in physically secure locations and some are not. My laptop is not. So naturally I avoid keeping highly confidential stuff, such as customer & key business information, on the laptop. That doesn’t mean I never use my laptop for confidential stuff – it just means I avoid STORING confidential stuff on my laptop. If it gets lost or stolen it’s not something I want to have to worry about, beyond the insurance claim. That’s why it’s REALLY, REALLY, REALLY bad that Microsoft have taken it upon themselves to put confidential stuff on my laptop without my knowledge.

Needless to say I immediately switched all ‘Sync settings’ to ‘off’ and if it means re-creating a few shortcuts so be it. But even with these set to ‘off’ are they still stored in the Microsoft cloud somewhere? Obviously I never click the ‘remember password?’ box for anything important, but I bet plenty people do. Microsoft Edge uses a single e-mail account for synchronisation – probably what you entered when you first bought the laptop. If that e-mail account becomes compromised then a potential hacker would have full access to whatever has been unknowingly copied over to the Microsoft cloud. Not only would they have all your shortcuts to ‘stuff you use’ but they potentially have your passwords too! Literally all they need to do is log on to a new device with your e-mail address and BAM.

The even more disturbing thing is that I’m SURE I switched this off?! I remember a while back I change the desktop wallpaper on my PC and it magically changed the wallpaper on my laptop too. This worried me so I did a quick bit of digging and switched synchronisation off. And now it’s back on and I’m sure I didn’t do that. And it’s syncing all sorts of things I didn’t know it was syncing!

As a business owner, multiply this by the number of staff you have and the number of devices you use. All it takes is one account that’s clicked the ‘save password’ box for your confidential intranet. OK, they might have done that on a desktop PC securely stored in your office… but now they use the same account to log on to their personal laptop, which is left logged on all the time and now they’ve left it on the bus. Or, worse still, because they their password is ‘password’ or their date of birth, which they’ve left ‘open’ on their Facebook profile, their Microsoft account is easily hacked and now Lord only knows who has access to your intranet.

A common sense approach

I’m not scare-mongering or saying “don’t synchronise anything”. I’m just saying, use a common sense approach for your business:

  • Only synchronise what absolutely needs to be synchronised
  • Never synchronise passwords unless you’re 100% certain this won’t impact overall business security
  • Make sure your ‘master account’ has a highly secure password
  • Be aware of what is being synchronised
  • Be aware of where data is being synchronsied to
  • Does synchronisation breach any of your customer agreements? For example your privacy policy?
  • Always ‘log out’ when you’re done on a web site
  • Periodically clear down your cookies so that cached logon details to web sites are removed from your computer – generally good practice so you don’t get used to not entering a password
  • Consider paying for a 3rd party security audit

Steps you can take now

Firstly, unless you have a good reason to be using your ‘Microsoft account’ (the cloud one) to access devices, just use local accounts instead. It will mean you’ll have more passwords to remember but at least if someone compromises one machine it doesn’t mean they can now compromise ALL your machines AND your cloud-based data:

Use a local account
Use a local account

 

Remember though, if you switch to a local account your Microsoft account profile will probably still be on your computer, so clear that down first. If you don’t the confidential stuff is still there, you’re just not using it. Make sure nothing confidential is left on your Microsoft account.

Consider setting up an entirely separate e-mail address for your Microsoft account. Keep this separate from your ‘main’ e-mail account – different password etc. For example, microsoft@yourbusiness.com or msoft.johnsmith@yourbusiness.com. At least then you haven’t given hackers a head start with your primary e-mail account.

I would also strongly advise your DON’T use Microsoft OneDrive for things like “Set up protection of important folders”. This essentially means “indiscriminately send everything to Microsoft” and will almost certainly breach your Privacy Policy since the chances of customer data being sent to 3rd party systems are very high. If you do want to do this, do so with EXTREME CAUTION. If it’s managed properly it can actually work quite well… but you probably won’t manage it properly. You’ll just switch it on and forget about it… and that’s bad. Apart from anything else you’ll need to start paying for it after 5GB.

Don’t panic – use common sense!

If you take a common sense approach to security in your business you’ll be doing more than 99% of other businesses. Use secure passwords, THINK about the data you’re handling and don’t synchronise stuff that doesn’t need to be synchronised. Check your devices – do it now. In Window 10 Home edition go to Settings -> Sync your settings and see what’s switched on by default. If in doubt just switch it all off until you’ve had a chance to properly look in to the implications of leaving these settings switched on.

What do you think? Have you had a security issue or problem caused by indiscriminate synchronisation? Chat about it more over on Twitter @smallbusinesstb

Photo credit: rawpixel

Andy Mac