In the wake of CISA, many cybersecurity experts have argued that the proposed bill's fatal flaw is not privacy but its inability to prevent attacks. A recent piece on The Intercept describes how many of the large attacks that occurred recently were a result of factors that CISA would not prevent, like inside jobs, out-of-date servers, weaknesses in security, or, in the case of the Target and Home Depot hacks, security experts simply overlooking installed malware. What many of these security breaches and hacks boil down to is human error.
One of the most targeted entry points for hacking is personal email. This year, CIA Director John Brennan had his personal email hacked by a teenager. By tricking Verizon into giving him customer info, the hacker and his associates obtained what they needed to gain access to Brennan’s AOL account. The account was hacked, disabled, reset, and hacked again three times over before they themselves called Brennan to alert him.
But offices like that of the Director of the CIA aren’t the only targets. Individuals and corporations are also targeted by the same types of social engineering for things like identity theft and money schemes, or to obtain information leading to serious data breaches for corporations and government agencies. Sensitive emails were hacked at Washington think tank The Heritage Foundation recently, and several documents containing private donor information were stolen.
In addition to personal email accounts, popular file-sharing technologies that use security measures similar to those of email, like Dropbox and Google Drive, are susceptible to the same tactics, making enterprise collaboration particularly vulnerable, both in-house and business-to-business. If sensitive information is being passed between departments or through collaborative efforts between companies, secure sharing is the first line of defense against data breaches.
Aside from ensuring proper security measures, either in personal services or within an organization, the best defense against human error is to be informed. Kroll identifies some key measures that go beyond IT security solutions when attempting to guard sensitive data:
- Have a protocol in place to identify and report red flags
- Establish a loss protection plan
- Be educated about sensitive data and how to handle it
- Conduct routine risk assessments
- Hold third-party partners and vendors to the same standards
By combining the efforts of proper security measures, secure sharing practices, and proper education, our emails don’t have to be the easy point of access behind data breaches. Though a person or company can never be 100% immune to attack, knowing the right way to handle sensitive data and where to spot the warning flags makes us that much closer to thwarting any attempts.