We are always reading about clever intrusions into networks that exploit one of the hundreds of bugs in Windows, Unix/Linux, Mac OS and so on. Indeed there is now a large market for companies that offer penetration testing services: white hat hackers who will, for a fee, systematically attack a client’s network looking for exactly these weaknesses.
John Owen Brennan, victim of email hack
Back in May, I wrote a couple of blogs about Kevin Mitnick, the world’s most famous hacker. I had just read one of his autobiographies and was surprised that, despite his many technical skills, Kevin relied most on two easy hacking strategies: social engineering, and reading other people’s email. So when I read that CIA Director John Brennan’s email had been compromised using exactly these two strategies, according to the New York Times by a lone teenager, I was not surprised. Allegedly, the hacker simply called up workers at Verizon, which owns AOL, Mr. Brennan’s email provider, and impersonated one of their colleagues. The story could have been lifted straight out of Kevin Mitnick’s playbook.

Experian’s Annual Data Breach Industry Forecast found that “employees and negligence are the leading cause of security incidents but remain the least reported issue.” Why are these incidents usually not reported? It is human nature: we rationalize events to make ourselves feel comfortable. If an employee is central to a data security incident, he “must have been stupid.” All we have to do is weed out the stupid people and our data will be safe, yes?

Yet do we know for sure that, had we been one of the Verizon workers answering the phone to the teenage hacker, we would have done anything differently? I do not claim to have insider knowledge of the regular work patterns at Verizon, but I can imagine an environment in which colleagues constantly call each other and exchange exactly the kinds of account information that let the teenager into Mr. Brennan’s email. Why blame an individual for doing what most people in that environment do every day? Why not change the process instead: for example, release account details only after a callback to a number already on record, never on an inbound call. Likewise, I am reminded of the many, many times that dedicated employees have accidentally sent sensitive information by email to the wrong people.
Remember the Experian finding: “employees and negligence are the leading cause of security incidents but remain the least reported issue.” Again, we tend not to blame the work environment. Instead we are more comfortable blaming the individual and reporting that “Johnny made a mistake, I have reprimanded him, and he has promised never to do it again.” We do not report the incident outside the company because we believe Johnny’s mistake is unique to him.

So what is the answer? Automation. Employees are busy doing what they were hired to do: adding value to your business. If we force them to second-guess themselves all the time, to agonize over whether to encrypt each individual email or whether an attachment should be sent at all, the business will soon grind to a halt, and then go out of business. Automation makes the encryption and data loss prevention decisions for your employees: a policy applied to every outgoing message decides, from its content and its recipients, whether it goes out as-is, goes out encrypted, or is held. That takes away the stress and the hassle and lets your employees get on with what they do best, their work. The policy itself still has to be written and tuned by someone, and it will occasionally stop a legitimate message, so a quick way for the sender to query a decision matters as much as the rules do.
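As an added example, not code from the original post or from any product it refers to, here is a small rule-based outbound email policy in Python that makes the decision described above on the sender’s behalf: given a message’s recipients, body and attachments it returns allow, encrypt or block, with reasons. The domain example.com, the detector patterns, the two-edit lookalike threshold and the sample messages are all constructed for illustration; a real gateway would also inspect binary attachments and carry a much broader set of detectors.

```python
"""Rule-based outbound e-mail policy (added example; the domain, patterns and
sample messages are constructed for illustration, not taken from the post)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical organisation domain; any other recipient domain is external.
INTERNAL_DOMAINS = {"example.com"}

# Detectors. The card pattern is deliberately loose and relies on the Luhn
# check below to reject random digit runs (order numbers, phone numbers).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")


@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    attachments: Dict[str, str] = field(default_factory=dict)  # name -> text


@dataclass
class Decision:
    action: str                 # "allow", "encrypt" or "block"
    reasons: List[str] = field(default_factory=list)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; every real card number passes it, most digit noise does not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch mistyped recipient domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def lookalike_of(domain: str) -> Optional[str]:
    """Internal domain that `domain` is within two edits of (assumed threshold)."""
    for internal in INTERNAL_DOMAINS:
        if domain != internal and edit_distance(domain, internal) <= 2:
            return internal
    return None


def find_sensitive(text: str) -> List[str]:
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            findings.append(f"card number ending {digits[-4:]}")
    for m in SSN_RE.finditer(text):
        findings.append(f"SSN ending {m.group(0)[-4:]}")
    return findings


def decide(msg: Message) -> Decision:
    """The decision the sender would otherwise have to make by hand."""
    text = "\n".join([msg.subject, msg.body, *msg.attachments.values()])
    # Key material never leaves by e-mail, whoever the recipient is.
    if PRIVATE_KEY_RE.search(text):
        return Decision("block", ["private key material in message"])
    # A recipient domain a keystroke or two away from our own is the classic
    # misaddressed (or spoofed) mail; hold it rather than guess.
    for rcpt in msg.recipients:
        look = lookalike_of(domain_of(rcpt))
        if look:
            return Decision("block", [f"{rcpt} looks like a typo of @{look}"])
    findings = find_sensitive(text)
    external = [r for r in msg.recipients if domain_of(r) not in INTERNAL_DOMAINS]
    if findings and external:
        return Decision("encrypt", findings + ["external recipient(s): " + ", ".join(external)])
    return Decision("allow", findings)


# Constructed sample messages (not real data).
SAMPLES = {
    "internal_card": Message("alice@example.com", ["finance@example.com"], "Refund",
                             "Card on file 4111 1111 1111 1111, please refund."),
    "external_ssn": Message("alice@example.com", ["auditor@partner.test"], "Payroll query",
                            "Employee SSN 123-45-6789 as requested."),
    "typo_domain": Message("alice@example.com", ["bob@exmaple.com"], "Q3 numbers",
                           "Draft attached."),
    "key_attached": Message("alice@example.com", ["ops@example.com"], "Deploy key",
                            "Here you go.", {"id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n..."}),
    "plain_external": Message("alice@example.com", ["press@partner.test"], "Hello",
                              "Lunch next week?"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        d = decide(msg)
        print(f"{name:15s} -> {d.action:8s} {'; '.join(d.reasons)}")
```

The order of the checks is the point: the unconditional rules (key material, lookalike domains) run before the content scan, so the sender never has to decide whether an attachment is “really” sensitive, and the card detector pairs a loose pattern with a Luhn check so that order numbers and phone numbers do not trigger encryption of everyday mail.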