The NSA isn’t the only Washington organization being embarrassed by a data breach. The sorry state of cyber security in America has taken center stage in this year’s presidential election. In June, it was discovered that Russian cyber criminals had managed to hack the Democratic National Committee’s email server, stealing over 20,000 emails and sharing them with WikiLeaks. While most of the emails contain mundane correspondence, some of them are quite embarrassing and imply possible ethical violations on the part of DNC insiders, such as emails questioning Bernie Sanders’ religion and implying that party officers wished to derail his campaign. Shortly after the emails were released, the DNC’s chairperson, CEO, and communications director abruptly resigned. Even worse, the New York Times has revealed that the DNC email hack might be much more extensive than originally believed, involving the email accounts of over 100 individuals and groups.

The DNC email hack bears a strong resemblance to the equally scandalous email hack perpetrated on Sony Pictures two years ago, which was believed to have been carried out by North Korean nation-state hackers. That hack involved the release of 170,000 emails, many of them containing negative commentary about major Hollywood stars. Sony’s chairperson was removed, the company ended up being sued, and the emails are still live on WikiLeaks, neatly indexed and searchable.

While the Sony hack and the DNC email hack involved ethical and privacy violations, the release of corporate emails can damage an organization even if the employees in question did nothing wrong. Confidential information about new product launches, marketing strategies, and partnership negotiations are routinely discussed via email, and this information could destroy a company if it fell into the hands of a competitor.

Proactive Ways to Prevent Email Hacks

Both the Sony hack and the DNC email hack could have been prevented using proactive email security measures. Following are three things your company can do to prevent your emails from ending up on WikiLeaks – or in the hands of a competitor.

Train Your Employees How to Spot Spear Phishing

It is believed that the Sony hack and the DNC email hack happened after hackers used a spear-phishing campaign to get hold of legitimate login credentials. Spear phishing has become extremely popular among hackers as end users have become more aware of these scams and as spam filters have gotten better at recognizing and intercepting regular phishing emails. Because spear-phishing emails are sent to only a small group of targets and are carefully researched and crafted to appear legitimate, they tend to pass through spam filters. Therefore, the best defense is employee awareness. See our previous blog for more information on how to spot spear phishing emails.

Set Up Your System to Assign Employee Passwords

Regardless of how many times they are told not to do so, employees frequently choose passwords that are weak, and they tend to use the same password to access multiple systems, including their personal and work accounts. Thus, a hacker may be able to use an employee’s Dropbox password to get into their work email. For this reason, random, strong passwords should be assigned to employees, and the system should be set up to require periodic password changes.

Outsource Your Enterprise Email

In most cases, using a private email server for company email, as the DNC did, is a bad idea. The majority of companies do not have the in-house technical expertise to securely set up an email server, continuously monitor it for unusual user behavior, or maintain up-to-date spam filters. Large enterprise email providers such as Google and Yahoo do. While using one of these providers is not a guarantee that you will not be breached – especially in light of the popularity of social engineering – a third-party provider will offer a higher level of email security than you could achieve in-house.

Author's Bio: 

Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions.

He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.