LESSONS FROM EMAILGATE
FBI Director James Comey announced this week that Hillary Clinton will not face criminal charges for her use (or misuse) of a private email server. The statement contained some cybersecurity lessons I highlighted for Infosecurity Magazine, including one in particular regarding the potential future sensitivity of emails.
Around 2,000 emails sent or received by Mrs Clinton were subsequently ‘up-classified’ to ‘Confidential’, either because the contents became more sensitive over time or as a result of the combined sensitivity of multiple unclassified messages. All employees, and especially executives, must recognize where subjects of communication could become commercially, legally or reputationally damaging if publicly disclosed.
Hackers, including those working for nation states, often target the email inboxes of senior executives once they have compromised a network. Doing so allows them to identify the most important corporate issues and steal high-level executive briefings rather than having to locate and analyze tens or hundreds of more detail-oriented documents. Where attackers discover potentially valuable information, more in-depth targeting of the details could follow.
Raising staff awareness of the need to identify sensitive subject matter early on, and providing options for protecting it, is a challenge for CISOs and CIOs. Effective controls to protect information, for example encryption or a secondary secure communications channel, should not hinder the user; otherwise they will simply be ignored. Applying controls and relaxing them later is far easier than attempting to implement them retrospectively. At that point it may already be too late.
**This article was originally published as part of the Dow Jones Cybersecurity Newsletter, a weekly digest of news with commentary and analysis. Sign up for free at http://eepurl.com/b2BOdT**