8 Lessons to be Learned from the Recent DNC Hack
Author – Galina Datskovsky
A few weeks ago we saw yet another email scandal. The Democratic National Committee (DNC) emails were hacked and over 19,000 emails were made public during the convention. The revelations led to the resignation of the chair of the DNC and dominated the discourse during the opening night of the convention. It is amazing that in today’s world, after the revelations of the Sony emails, anyone would still write emails of this sort. Whatever happened to the old saying, “if you don’t want it on the 5 o’clock news, don’t put it in an email!” It seems like there is a general feeling of “it won’t happen to me” that permeates many organizations. So what is one to do?
Well first, there is no legal or regulatory obligation to retain certain information. When that is the case, what is the purpose of using email to communicate, especially when the information is temporary in nature, as most of the DNC information looks to be? What is the purpose of creating records when none are needed or operationally required? Perhaps that goes to the complexity of training people on when to use various means of communication. Email is one of the largest targets for any hacker, so why create email when unnecessary? When a file or another attachment needs to be sent, or when a record needs to be created, email may well be the best means of communication. In other cases a record is required but needs to be kept extra secure in a specific repository and, further, needs to be the only copy of record. In still others no record is actually required at all, and written communication is simply used because no one wants to pick up the phone. Policies and training are needed for all scenarios and communication channels.
Here is where secure ephemeral messaging comes in. Many of the conversations that were had could have been performed over secure text. Technology today provides for secure, private conversations and even compliant ones. These secure conversations prohibit sharing of information, protect against screenshots and are ephemeral in nature. Information is not stored on devices or servers, eliminating the fear of hackers, and content is removed from the devices and servers to further eliminate security risks. As organizations review options for communication channels and their use, secure ephemeral messaging should certainly be included in the mix.
In short, however, every organization should clearly learn the following lessons from the DNC hacking situation.
1. If you do not want to see it in the news, NEVER put it in email.
2. Be very clear about sanctioned corporate methods of communication and when to use each one.
3. Do not become complacent and say you cannot train your people on when to use various means of communication. It is much easier to do that than to suffer the reputational damage.
4. Store information that is required in a secure corporate repository, not on everyone’s laptop or mobile device. Those repositories are easier to secure and protect.
5. Use ephemeral messaging for items you do not want to lose control of.
6. Do not give third parties the ability to store any of your information that you do not want them to store. Send items in a way that has them expire.
7. Train your employees and contractors on what applications to use and when to use them.
8. Live by the principle that most people do not understand security and privacy and make it an integral part of your culture.
These 8 easy steps would have helped the DNC avoid the public embarrassment they suffered and will continue to suffer as their emails are released. Every organization should learn from these very public mistakes and avoid the same destiny.