BreachExchange mailing list archives

Cybersecurity, Personal E-mail Accounts and Personal Devices


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 22 Dec 2015 18:45:16 -0700

http://www.corpcounsel.com/id=1202745528820/Cybersecurity-Personal-Emails-Accounts-and-Personal-Devices?slreturn=20151122155724


In October, we learned that a hacker claiming to be a teenager had accessed
the personal e-mail account of CIA Director John Brennan. WikiLeaks then
published at least some of the e-mails. According to WikiLeaks, the
published materials include a list of Brennan’s contacts and
recommendations on dealing with Iran for “[w]hoever takes up residence at
1600 Pennsylvania Avenue in January 2009.” The previous month Hillary
Clinton apologized for using her personal e-mail account while she was
secretary of state, and The New York Times reported that some of the
e-mails in question were classified as “Top Secret” by the CIA and National
Geospatial-Intelligence Agency. In April 2012, the South Carolina
government discovered that a Department of Health and Human Services
employee had downloaded personal information about more than 220,000
Medicaid beneficiaries into his personal e-mail account.

By now, we are used to the idea of hackers committing cyberattacks on
businesses and the government. We assume, and expect, that businesses and
government entities have in place reasonable cybersecurity measures to
protect data. The above incidents, however, all involve situations in which
an individual within an organization had either taken data from the secured
environment and placed it in a presumably less secure environment, or
initially created in an unsecured environment what might otherwise be
organization data.

The lesson that can be learned from these incidents is that hackers need
not commit cyberattacks by navigating around what should be complex
security measures within a business. They may simply target the personal
e-mail accounts of individuals within the organization. Another lesson is
that documents that would have been purged under the company’s document
retention policy, had they been stored on the company’s system, may still
exist on personal e-mail accounts. Consequently, they would be discoverable
and may be subject to subpoena in a litigation or government investigation.

If you have doubts about how old some retained e-mails may be, check your
own personal e-mail account to see how many order confirmations for
products purchased long ago remain in your folders. While we may be
surprised that the secretary of state or CIA director has used personal
e-mail for business purposes, there should be little surprise to hear that
an executive at a corporation had done the same. In a world in which
professionals are expected to stay plugged in 24 hours a day, the
opportunities for hacking are abundant.

In August 2014, hundreds of private photos of young celebrities, including
many nude poses, were leaked following hacks in a phenomenon dubbed
“Celebgate.” It was reported that 600 online storage accounts may have been
breached by a single individual. Nine years earlier, Paris Hilton’s cell
phone was hacked. The hackers obtained private photos, personal data and
contact information of her friends and acquaintances.

Eliminating the salacious aspects of these hacks, we are left with the fact
that attacks on online storage accounts and personal devices, including
smartphones, seem to require much less technological savvy than breaking
into a corporation’s cyber environment. Such hacks, however, may yield rich
harvests. Rather than intimate photos, hackers may easily obtain sensitive
documents that executives have downloaded to their personal devices for
reading at home (or on planes or trains). Similarly, some executives may
use their personal storage accounts to access work-related documents from
any location. Just as certain celebrities were targeted for hacking,
individuals within a company who might have desired data may be targeted
as well. These individuals, however, need not be generally well-known. They
may be found by accessing a company directory. In fact, many companies
feature the names, photos and job descriptions of personnel on the company
websites.

There is more to be learned from the celebrity hacks. Some hackers
published material gathered from multiple hacks from different times. The
lesson here is that a hack may take place long before the data is used by
the hacker. Seemingly isolated and random incidents may be neither. And, in
at least some instances, there does not appear to have been any attempt to
profit financially from the celebrity hacks. Similarly, with the hack of a
business, financial gain is not always the motive. The desire to cause
embarrassment or simply self-gratification may be incentive enough to a
hacker.

The big question is: What can be done?

There are far too many measures that companies should be taking to fit into
this article. Here are just three simple suggestions to address the
specific problem of employees failing to follow company policies to
maintain cybersecurity.

1. Companies should train all employees in best practices for protecting
data. The access to sensitive data likely is not limited solely to top
executives. In fact, administrative and executive assistants as well as IT
personnel conducting run-of-the-mill help desk functions at various times
may have access to some of the most sensitive information at a company.
Just as the best safety features on an automobile cannot prevent an
accident if the driver falls asleep at the wheel or is texting while
driving, the best technical cybersecurity measures cannot prevent a breach
if an employee leaves behind his unlocked tablet at the airport, leaves her
laptop open at a coffee house while she goes to the restroom or loses a
thumb drive containing confidential information. The Los Angeles Times
reported that, in 2013 alone, 4.5 million smartphones were stolen or lost
in the United States. Thus, the importance of the company’s security
measures must be stressed to all employees, including those who may feel so
important that the general rules do not apply to them, and those who may
feel so insignificant that no one would target them.

2. Companies should have periodic cyber check-ups. These should include
gathering information from employees about how and when they create, access
and store data. When they know the way the “on the ground” employees are
working, companies are able to conduct better, more relevant training and
decrease risks.

3. Companies should have systems and processes in place that allow
employees to report suspected hacks. Companies must ensure that employees
report all suspicious occurrences regarding all company and personal e-mail
accounts, data storage accounts and devices on which company data is
created, accessed or stored.

In summary, strong technological safeguards are a must, but equally
important is each employee playing a part in maintaining cybersecurity.
Employees must appreciate and internalize their importance in this effort.
No employee should put the security of the company’s information at risk
just because it’s personally more convenient.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/