How email hacks teach us what email is used for.

How email hacks teach us what email is used for.

Email hacks have been around for quite a while.  Take a look at these dates.

• January 2012: Rupert Murdoch’s News International admits they hacked emails as well as phones.
• February 2013: Former President George H. W. Bush’s personal email account was hacked.
• 2010 – 2014: Then Secretary of State Hillary Clinton has her own private email server that is used for conducting government business.  The server had reportedly been attacked, perhaps even hacked from China, South Korea, Germany, and perhaps even Russia.
• 2015 – 2016: Democratic National Committee email servers are hacked; emails disclosed favoritism from DNC to Clinton campaign in presidential race. It is presumed that the hack started around the same time that the U.S. State Department and White House servers were hacked.

People, the list goes on and on, and could be a mile long with all of the hacks that are out there.  The simple fact is this:

When it comes to email, the rule is simple: never put something in an email that you would not want to see posted on the cover of the New York Times.*

Why do you think so many people fail at this very simple rule? What causes the Hillary Clinton’s of the world decide that they can circumvent proper channels and check their common sense at the door?  Here’s my thoughts on that.

1. At some level, people think that the normal rules don’t apply to them.  They believe that they can do what they want because of the position they hold.  This is not the case.
2. Far too often, IT staff jump to the conclusion that they can keep the hackers from committing their email hacks on their people.  The simple fact is if the target is high profile enough, the hackers will keep at it until they succeed.
3. Society has become too dependent on computers and technology.  What used to take place via a phone call or an in person meeting is now being handled by an email. Technology is great, but it has it’s place in society. We have blurred the lines way to much, and it is proving costly.
4. The financial gain is so great.  What causes email hacks to happen is partly because there is so much profit to it.  In the News International experience, it was to drive ratings and insider information to sell papers, among other things.  In government hacking situations, it was to discover state secrets that could lead to one country having an advantage over another.  In the Clinton email server, I believe that was done so that she could maintain the power she sought more easily.  In the Target hack, which didn’t involve email, the motivation was in making money off of identity theft.  In all of these instances, there is a perceived gain to be had, and it is a significant gain.
5. Lastly, far too often security is an afterthought in many organizations.  Security should be one of the factors in determining the cost of doing business on the Internet.  However, in many organizations, it is the first thing cut from the budget.  Training organizations such as SANS and GIAC are fighting an uphill battle to secure the infrastructure, but when budgets are tight, training money is cut.  The end result is that too much is expected with too little investment, and that leads to email hacks.

Remember, people, there is a time and a place for email.  There is also a proper way to secure it.  It’s time to learn that, and use email the way that it is intended, not for something it’s not meant for.

*h/t to my friend and former boss Kim, who was the first person I heard use that phrase.