Elementary, My Dear Data Breach: Security Lessons from Sherlock Holmes

September 20, 2023

Fans of Sherlock Holmes know that many of his cases involve mysterious thefts, blackmail, and other crimes made possible by lax security practices. While set in Victorian England, the fictional mishaps and misadventures in Sir Arthur Conan Doyle’s stories offer timeless data security lessons still relevant today. This article explores insights modern security teams can glean from Holmes’ investigations.

The Dancing Men” – Encryption is Key

In “The Dancing Men”, Holmes breaks a simple substitution cipher used by a gang to send messages. While praised as a feat of cryptoanalysis, Holmes acknowledges the cipher’s weakness:

“Any telegram would have shown it up. On the other hand, the complication of the matter, and the introduction of a cipher, would tell me that the affair was of importance.”

The story demonstrates the risks of relying on obscure coding rather than strong encryption like AES-256 bit to protect critical data. Adversaries today have computational power to break basic ciphers and undisclosed vulnerabilities to exploit weaker algorithms. Proper use of modern cryptographic standards is essential.

A Scandal in Bohemia” – Insider Threats Loom Large

In “A Scandal in Bohemia”, Irene Adler outmaneuvers Holmes thanks to her insider knowledge and privileged access as trusted companion of the King of Bohemia. Holmes ruefully recounts:

“It was not merely that she had a head start, but that we erred in the method of our pursuit…The mistake I made was in thinking that she would not recognize my appearance or costume. It left me in the grip of the opposition.”

The story highlights the outsized risk posed by those with insider access to sensitive data. Vetted insiders often bypass security controls more easily than external attackers. Their knowledge of internal processes, technical safeguards and response procedures also makes detection and containment difficult.

The Naval Treaty” – Make Backups, Prevent Data Loss

In “The Naval Treaty”, Holmes struggles to recover a stolen classified treaty between Italy and Britain, lamenting:

“Had we been able to avail ourselves of the most elementary principles of cold reason, the diamond might have been ours without a shadow of risk or danger.”

With no copy, the loss poses an existential threat to relations between the nations. The case underscores the importance of data backups and anti-tamper controls to enable recovery from malicious deletion, corruption or theft. Extensive logging also aids investigation and attribution if original documents are unavailable.

“The Six Napoleons” – Practice Least Privilege Access

In the “Six Napoleons”, Inspector Lestrade fails to limit access to plaster busts smashed in a mysterious vandalism spree, allowing a police constable secretly behind the crime to participate in examinations. Holmes admonishes:

“It’s bad enough having bogus bas-reliefs without having bogus policemen too…We will keep our eyes very wide open if you like, Mr. Lestrade, but stretching our elbows and putting our hands in our pockets there is nothing illegal.”

The episode serves as a cautionary tale in limiting data access through least privilege permissions and separation of duties. Broad unauthorized access enables insider abuse. Strictly enforcing access needs and monitoring activities identifies issues before major damage occurs.

“The Beryl Coronet” – Vet Third Parties Carefully

In “The Beryl Coronet”, a banker lends a client a valuable coronet, which is damaged under dubious circumstances. Holmes determines an employee pawned stolen gems, noting:

“I think that you have been making a very serious mistake in not making your own business one of personal supervision. Had you observed them narrowly you might have foreseen this catastrophe.”

The story demonstrates the extensive risks third-party vendors and partners can introduce if not thoroughly vetted. Legally binding contracts, limited data access, privileges monitoring, audits and oversight controls are required to manage third party risk.

“The Red-Headed League” – Beware Social Engineering

In “The Red-Headed League”, Holmes exposes a group that places a fake help wanted ad for red-haired men. Applicants provide personal details and complete bizarre tasks while criminals tunnel into a bank next door. Holmes observes:

“As a rule, when one is seeking for something, one tends to look in the most unlikely places. It strikes me that it might be a good idea to begin your proceedings by roaring out, ‘Hi! here we are!’ That was the idea which occurred to me.”

The clever social engineering scam shows how legitimate-looking offers blind targets to ulterior motives. Employees must be wary of unusual requests, verify policies before sharing data, and report suspicious behaviors. Security fundamentals matter more than checking boxes.

“The Copper Beeches” – Trust Your Instincts

In “The Copper Beeches”, a governess senses something awry when offered a lucrative position requiring peculiar requirements. Holmes affirms her unease, saying to Watson:

“It is not for me, my dear Watson, to stand in judgment on you. I leave it to your own conscience…”

The story reminds us to rely on common sense as the first line of defense. If an opportunity seems too good to be true, access seems unnecessary, or requests appear odd, speak up. Empowering people to voice concerns prevents overlooking obvious warning signs.

Final Reflections

While fictional, the data incidents and intrigue from Sherlock Holmes offer relevant lessons for modern cybersecurity. Encryption, insider risk, Backups, access controls, third party oversight, social engineering awareness, and user vigilance are as imperative today as in Victorian England. By learning from – and preventing – criminal plots and cunning deceptions in Doyle’s stories, real organizations can improve their data protection and avoid becoming victims themselves. While threats evolve, Holmes’ deductive approach shows fundamentals are timeless.

Referenced Work

Doyle, A. C. (1892). The Adventures of Sherlock Holmes. George Newnes Ltd.

Doyle, A. C. (1894). The Memoirs of Sherlock Holmes. George Newnes Ltd.

Doyle, A. C. (1903). The Return of Sherlock Holmes. McClure, Phillips & Co.

Murphy, C. (2022, March 24). Social Engineering Attack Techniques to Watch Out For. Digital Guardian. https://digitalguardian.com/blog/social-engineering-attack-techniques-to-watch-out

National Institute of Standards and Technology. (2001). Announcing the Advanced Encryption Standard (AES). https://www.nist.gov/publications/announcing-advanced-encryption-standard-aes

Verizon. (2022). 2022 Data Breach Investigations Report. https://www.verizon.com/business/resources/reports/dbir/