In October, we learned that a hacker claiming to be a teenager had accessed the personal email account of CIA Director John Brennan. WikiLeaks then published at least some of the emails. According to WikiLeaks, the published materials include a list of Brennan’s contacts and recommendations on dealing with Iran for “[w]hoever takes up residence at 1600 Pennsylvania Avenue in January 2009.” The previous month Hillary Clinton apologized for using her personal email account while she was secretary of state, and the New York Times reported that some of the emails in question were classified as “Top Secret” by the CIA and National Geospatial-Intelligence Agency. In April 2012, the South Carolina government discovered that a Department of Health and Human Services employee had downloaded personal information about more than 220,000 Medicaid beneficiaries into his personal email account.
By now, we are used to the idea of hackers committing cyberattacks on businesses and the government. We assume, and expect, that businesses and government entities have in place reasonable cybersecurity measures to protect data. The above incidents, however, all involve situations in which an individual within an organization had either taken data from the secured environment and placed it in a presumably less secure environment, or initially created in an unsecured environment what might otherwise be organization data.
The lesson that can be learned from these incidents is that hackers need not commit cyberattacks by navigating around what should be complex security measures within a business. They may simply target the personal email accounts of individuals within the organization. Another lesson is that documents that would have been purged under the company’s document retention policy, had they been stored on the company’s system, may still exist on personal email accounts. Consequently, they would be discoverable and may be subject to subpoena in a litigation or government investigation.
If you have doubts about how old some retained emails may be, check your own personal email account to see how many order confirmations for products purchased long ago remain in your folders. While we may be surprised that the secretary of state or CIA director has used personal email for business purposes, there should be little surprise to hear that an executive at a corporation had done the same. In a world in which professionals are expected to stay plugged in 24 hours a day, the opportunities for hacking are abundant.
In August 2014, hundreds of private photos of young celebrities—including many nude poses–were leaked following hacks in a phenomenon dubbed “Celebgate.” It was reported that 600 online storage accounts may have been breached by a single individual. Nine years earlier, Paris Hilton’s cellphone was hacked. The hackers obtained private photos, personal data and contact information of her friends and acquaintances.
Eliminating the salacious aspects of these hacks, we are left with the fact that attacks on online storage accounts and personal devices, including smartphones, seem to require much less technological savvy than breaking into a corporation’s cyber environment. Such hacks, however, may yield rich harvests. Rather than intimate photos, hackers may easily obtain sensitive documents that executives have downloaded to their personal devices for reading at home (or on planes or trains). Similarly, some executives may use their personal storage accounts to access work-related documents from any location. Just as certain celebrities were targeted for hacking, individuals within a company who might have desired data may be targeted as well. These individuals, however, need not be generally well-known. They may be found by accessing a company directory. In fact, many companies feature the names, photos and job descriptions of personnel on the company websites.
There is more to be learned from the celebrity hacks. Some hackers published material gathered from multiple hacks from different times. The lesson here is that a hack may take place long before the data is used by the hacker. Seemingly isolated and random incidents may be neither. And, in at least some instances, there does not appear to have been any attempt to profit financially from the celebrity hacks. Similarly, with the hack of a business, financial gain is not always the motive. The desire to cause embarrassment or simply self-gratification may be incentive enough to a hacker.
The big question is: What can be done?
There are far too many measures that companies should be taking to fit into this article. Here are just three simple suggestions to address the specific problem of employees failing to follow company policies to maintain cybersecurity.
1. Companies should train all employees in best practices for protecting data. The access to sensitive data likely is not limited solely to top executives. In fact, administrative and executive assistants as well as IT personnel conducting run-of-the-mill help desk functions at various times may have access to some of the most sensitive information at a company. Just as the best safety features on an automobile cannot prevent an accident if the driver falls asleep at the wheel or is texting while driving, the best technical cybersecurity measures cannot prevent a breach if an employee leaves behind his unlocked tablet at the airport, leaves her laptop open at a coffee house while she goes to the restroom or loses a thumb drive containing confidential information. The Los Angeles Times reported that, in 2013 alone, 4.5 million smartphones were stolen or lost in the United States. Thus, the importance of the company’s security measures must be stressed to all employees, including those who may feel so important that the general rules do not apply to them–and those who may feel so insignificant that no one would target them.
2. Companies should have periodic cybercheckups. These should include gathering information from employees about how and when they create, access and store data. When they know the way the “on the ground” employees are working, companies are able to conduct better, more relevant training and decrease risks.
3. Companies should have systems and processes in place that allow employees to report suspected hacks. Companies must ensure that employees report all suspicious occurrences regarding all company and personal email accounts, data storage accounts and devices on which company data is created, accessed or stored.
In summary, strong technological safeguards are a must, but equally important is each employee playing a part in maintaining cybersecurity. Employees must appreciate and internalize their importance in this effort. No employee should put the security of the company’s information at risk just because it’s personally more convenient.