A photographer’s skills lie in capturing great moments which last forever – rather than data security. However, it’s still important that they think about securing their devices, and looking at the security of their cloud provider or data sovereignty.
Many paparazzi and cyber extortionists would love to steal unreleased photos. While the rich and famous often have great physical security and make sure they’re secured in the digital world, their supply chain represents a great opportunity for people looking to get hold of these photos.
In June 2019 it was revealed that the official royal Sussex couple’s wedding photographer was hacked, and their private photos were released on Instagram. It is unlikely the cause of the breach will be published, but as often the case, it was probably not difficult – going after the email account or cloud provider and then doing some password phishing or guessing are tricks that have been used before.
Being a photographer to the rich, famous and powerful means your name will be known and will be listed in the press before and after the event. All a crimster (personal “copyrighted” word) has to do is social engineer (strike up a relationship with) the firm by phoning or emailing them. Contacts details will be online, and the end target will be helpful since they’re looking for extra business.
Supply-chain audits are usually carried out by FTSE 100 firms or the public sector, not by private households. Supplier assurance usually stops at asking the supplier high level “paper-based” questions, such as whether they did security awareness training, have an asset and risk register, and whether they have a PCI-DSS or ISO 27001 certification. It should go deeper than this but rarely does.
High-end photographers can clearly afford a technical cybersecurity audit and deeper security controls since they charge thousands of pounds per shoot and need to protect their global reputation.
What technical security controls would you expect from a one-man band or small videographer or photographer? The below list includes some examples:
1. Disc encryption
Laptops or Apple Macs must have the hard drive fully encrypted and protected by more than transparent boot (TPM).
2. USB security
Fully encrypt not “encrypt as you fill out” USB sticks or buy FIPS 140-2 hardware-encrypted USB sticks with a physical PIN pad.
3. Beyond antivirus
Bog-standard antivirus programmes don’t cut it anymore, especially freebie antivirus software. Use something with more than just signature detection.
4. Email security
Don’t use a freebie account as you get what you pay for. By paying you get to know where your emails are stored, enhanced antivirus/antispam and 2FA.
5. Cloud security
The same as above, and do not signup/login with your publicly known email address. Pick a provider with zero-knowledge, which stores the data in a country with better privacy laws. 2FA as well.
6. Secure sharing
Some photographers store their photos on their website, and this is a big leaking source. Burn them to (encrypted) DVDs and use a trusted courier or create a private shared folder on your zero-knowledge cloud.
7. Data disposal
Post engagement, quickly copy photos to encrypted storage and store the SD card in a safe. A format of the memory card will not completely delete the photos, so either physically shred the memory card or overwrite it.
If you're interested in cybersecurity, have a look at QA's cyber security courses, labs and webinars.