Email & personal devices: portals for Hackers
Email Accounts and Personal Devices are Portals for Hackers
- A hacker accessed the personal email account of CIA Director John Brennan and WikiLeaks published some of his emails.
- A South Carolina Health & Human Services employee downloaded personal information about more than 220,000 Medicaid beneficiaries into his personal email account.
- The US Veterans Administration and the federal Office of Personnel Management admit to losing millions of sensitive files and all the personal and confidential data they contain. …
We may have become accustomed to the idea of cyberattacks on businesses and government, but many cyberattacks now target individuals who either take data from a secured environment and place it in a less secure environment, or initially create a personal unsecured environment where they hold sensitive data.
Hackers now may simply hack the personal email accounts of individuals within an organization rather than try to penetrate the complex security systems of the organization. Documents that would have been purged if they had been stored on a company or government server often continue to exist on personal email accounts. Not only are they discoverable and subject to subpoena in litigation or government investigation, they can be hacked without a great deal of difficulty.
Many corporate executives who are expected to stay connected 24 hours a day have vulnerable email accounts.
Hacking online email storage accounts and personal devices such as smartphones and tablets requires much less skill than is required to penetrate the enterprise-level cyber environment. Such hacks often find sensitive documents that executives have downloaded to their personal devices for reading at home, at public Wi-Fi locations, or while traveling on planes or trains.
Many executives use their personal accounts to access work-related documents from any location, and their individual personal accounts may become easy targets for hackers.
Many businesses and almost all government agencies make it easy for hackers to identify their targets by posting directories, often featuring the names, photos and job descriptions of executives on their websites.
Hackers often assemble information gathered from multiple hacks at different times. Seemingly isolated and random incidents may be neither.
Financial gain or compromise of national security is not always the motive for hacking individual executive accounts. Often the motive is simply a desire to cause embarrassment.
Can anything be done?
Access to sensitive data is not always limited to top executives; it often extends to administrative and executive assistants as well as IT personnel conducting routine operations.
Sensitive information must be encrypted as it is created and then be accessible only from properly protected accounts on protected devices.
Millions of smartphones and tablets are lost or stolen each year. Any data on them must be encrypted and otherwise protected from unauthorized access. The best protection, however, is to never store sensitive data on personal devices!
Organization-wide cyberaudits are critical elements of any cybersecurity program and must include gathering information from all employees, particularly top management, about how and when they create, access and store data.
Everyone at every level in an organization must report all suspicious occurrences regarding all company and personal email accounts, data storage accounts and devices on which enterprise data is created, accessed or stored. While technological protection is imperative, it is the people in an organization or enterprise who really maintain cybersecurity. No employee, including the chief executive, should put the security of company or government information at risk just for personal convenience!