Features 11.03.2025

Apple Pulls End-to-End Encryption in iCloud: What Does It Mean for CISOs?

Apple has set a dangerous precedent, warn experts

Kate O’Flaherty investigates the implications of Apple removing its iCloud Advanced Data Protection feature in the UK

At the end of February, UK Apple users lost a key security feature, Advanced Data Protection (ADP), after the iPhone maker reportedly refused to bow to government pressure to build a backdoor into its products. The loss of ADP means that most data stored in iCloud – including backups, photos and notes – will not be protected by the gold standard of encryption, end-to-end encryption (E2EE).

The UK government says it needs to access this data to catch criminals who hide behind E2EE. But the security industry argues that, by forcing Apple’s hand, it has effectively left everyone less secure, while setting a worrying precedent for the future. The move has some “pretty serious implications” for CISOs and cybersecurity professionals, CyberSmart CEO, Jamie Akhtar, tells Assured Intelligence.

“Essentially, it means UK users’ iCloud data is no longer protected by E2EE, making it accessible to Apple – and potentially law enforcement agencies,” he warns.

A dangerous precedent

Apple’s move represents “a significant moment in the ongoing battle between privacy and government surveillance”, Huntress senior manager of security operations, Dray Agha, tells Assured Intelligence.

By removing E2EE from some of its products, Apple has set a precedent that could result in other countries demanding similar access to data. This could be “an absolute boon” for cybercriminals, says CyberSmart’s Akhtar.

While the removal of ADP puts UK users at risk of “overzealous policing and state-backed snooping”, it also opens them up to attack from “common or garden cybercriminals”, he continues.

“Without strong encryption, it’s that much easier for cybercriminals to steal and exploit sensitive data through attacks such as ransomware,” Akhtar argues.

Any deliberate weakening of encryption creates risk, agrees Huntress’ Agha.

“If governments can access data, so can adversaries,” he argues. “This includes cybercriminals, hostile nation states and malicious insiders. History shows that once a vulnerability is introduced, it’s only a matter of time before attackers exploit it.”

Regulatory pressure builds

The move could also put regulatory and compliance pressure on CISOs. If the UK’s demand emboldens other governments to request similar access to data, it will increase the burden on security leaders to navigate conflicting compliance requirements, Jordan Schroeder, managing CISO at Barrier Networks tells Assured Intelligence.

The lack of strong encryption could create business risks, particularly for organisations handling sensitive data. This is because the potential for government access might conflict with data protection laws, such as the General Data Protection Regulation (GDPR), Schroeder warns.

CISOs now face a challenging landscape where “regulatory pressure may erode fundamental security principles”, adds Huntress’ Agha.

“Governments may compel tech companies to weaken encryption or other security controls,” he says. “Organisations relying on Apple’s ADP to secure sensitive corporate data will need to reassess their risk posture. The absence of strong encryption in iCloud increases the risk of insider threats, unauthorised government access and potential data breaches.”

Mitigate the risks

It’s not a great outlook. However, there are some steps that CISOs and cybersecurity professionals can take to mitigate the risks. For organisations using Apple products – or those with employees who store corporate data on their own devices – there’s an urgent need to reassess data protection strategy. As part of this, CISOs should consider alternatives to iCloud for sensitive business information, says Barrier Networks’ Schroeder.

He also advises “engaging in policy discussions to advocate for strong encryption standards” and, at the same time, setting clear internal policies on cloud service risks, so that executives understand the implications of weaker security frameworks.

Huntress’ Agha advises UK CISOs to reassess their cloud security strategy following Apple’s move. As part of this, if sensitive corporate data is stored in iCloud, they should review whether alternative cloud storage solutions with “stronger, enterprise-controlled encryption” are necessary, he suggests.

If changes must be made, CISOs should be transparent with everyone in the business, says CyberSmart’s Akhtar.

“Communicate clearly and early with stakeholders about the implications of Apple’s decision and the risks involved,” he advises. “The same applies to your security practices – you need to be transparent with customers and other stakeholders about changes that affect user data protection.”

Education and training are key, especially since staff members might not know about the new Apple policy on ADP.

“Employees might assume their Apple devices remain just as secure, so CISOs need to dispel that myth and offer guidance on best practices,” says Huntress’ Agha. “Develop internal awareness campaigns to reinforce secure data storage and encryption strategies.” 

Start with basic controls

It’s also a good idea for CISOs to strengthen their basic security controls. Following Apple’s move, enabling multifactor authentication (MFA) is more important than ever, as it adds “a critical layer of protection against unauthorised access to iCloud accounts”, Matt Aldridge, senior principal solutions consultant at OpenText Cybersecurity, tells Assured Intelligence.

It’s important to note that Apple hasn’t taken away all E2EE from iPhone, iPad and Mac users. Apple services including iMessage, FaceTime, Health data and iCloud Keychain remain end-to-end encrypted. However, users should review what they store in iCloud now that backups are no longer end-to-end encrypted (they are still encrypted in transit and at rest, but Apple holds the keys), Aldridge says. This means sensitive files and data may need to be stored securely elsewhere, such as on external encrypted drives or alternative cloud services that still offer E2EE.
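The “enterprise-controlled encryption” that Agha and Aldridge recommend above comes down to one thing: the organisation encrypts data with a key it holds before the data reaches the provider, so iCloud (and anyone able to compel Apple) stores only ciphertext. The Go program below is an added example to illustrate that, not code from Apple or from any of the experts quoted. It encrypts a file with AES-256-GCM under a locally generated key, drops the blob into a folder that stands in for one synced to iCloud Drive, and decrypts it again; the key store (a KMS or hardware-backed keychain) is assumed rather than implemented, and the file names and contents are constructed for the demo. Nothing in it is specific to iCloud, so the same approach applies to any provider-held store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

const keySize = 32 // AES-256

// NewDataKey returns a fresh random 256-bit key. Assumption for this example:
// in a real deployment the key is generated in and fetched from an enterprise
// KMS or hardware-backed keychain; it must never be written next to the blob.
func NewDataKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// aad (here the original file name) is authenticated but not encrypted, so a
// blob renamed or swapped for another file's blob fails to open.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per blob
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. Any change to nonce, ciphertext, tag or aad is rejected,
// and a wrong key is rejected the same way, with no partial plaintext released.
func Open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// ProtectFile encrypts srcPath and writes <name>.enc into outDir (the folder
// that would be synced to the cloud provider). It returns the blob path.
func ProtectFile(key []byte, srcPath, outDir string) (string, error) {
	name := filepath.Base(srcPath)
	pt, err := os.ReadFile(srcPath)
	if err != nil {
		return "", err
	}
	blob, err := Seal(key, pt, []byte(name))
	if err != nil {
		return "", err
	}
	dst := filepath.Join(outDir, name+".enc")
	return dst, os.WriteFile(dst, blob, 0o600)
}

// RecoverFile decrypts a blob written by ProtectFile into outDir under its
// original name, which is also the AAD it was sealed with.
func RecoverFile(key []byte, blobPath, outDir string) (string, error) {
	name := strings.TrimSuffix(filepath.Base(blobPath), ".enc")
	blob, err := os.ReadFile(blobPath)
	if err != nil {
		return "", err
	}
	pt, err := Open(key, blob, []byte(name))
	if err != nil {
		return "", err
	}
	dst := filepath.Join(outDir, name)
	return dst, os.WriteFile(dst, pt, 0o600)
}

func main() {
	// Constructed demo: temp directories stand in for the local disk and the synced folder.
	local, _ := os.MkdirTemp("", "local")
	synced, _ := os.MkdirTemp("", "synced")
	defer os.RemoveAll(local)
	defer os.RemoveAll(synced)
	src := filepath.Join(local, "board-minutes.txt")
	_ = os.WriteFile(src, []byte("constructed sensitive content"), 0o600)

	key, _ := NewDataKey()
	blob, err := ProtectFile(key, src, synced)
	if err != nil {
		panic(err)
	}
	enc, _ := os.ReadFile(blob)
	fmt.Printf("synced %s: %d bytes, starts %x (provider sees only this)\n", filepath.Base(blob), len(enc), enc[:8])

	restored, err := RecoverFile(key, blob, local)
	if err != nil {
		panic(err)
	}
	pt, _ := os.ReadFile(restored)
	fmt.Printf("restored %s: %q\n", filepath.Base(restored), pt)
}
```

Two caveats a practitioner should keep in mind. First, this protects content, not metadata: the provider still sees file names, sizes and modification times, so a naming scheme that leaks nothing may be needed for genuinely sensitive material. Second, the protection is exactly as strong as the key management around it; a key that is lost means the data is lost, and a key stored in the same synced folder gives the provider everything.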

Organisations must also prepare for compliance and legal challenges, Huntress’ Agha warns. If operating in the UK, legal and GRC teams should assess the regulatory implications of storing data on platforms that could be accessed under the Investigatory Powers Act, he says.

“Stay ahead of potential data sovereignty shifts as more governments move towards greater surveillance,” Agha adds.

Apple’s decision to remove ADP is a major concern, as governments across the world strive to gain easier access to data. While no one is condoning the criminals who hide behind E2EE, experts agree that removing it makes everyone less secure. It also gives governments more power.

In the end, a broader question remains, says Schroeder: “Should privacy from governments be absolute, even at the cost of law enforcement capabilities? History warns of the dangers of surveillance overreach. The decisions made today will shape the future of the privacy landscape.”
