Hyperbole aside, recent elections around the world have taught hard lessons about data security. One lesson is how much damage the data inside emails can do to a political campaign, or to an election itself, once it is exposed. The other is that exposed confidential data is hazardous to any organisation, not only a political one.
For instance, a team of ethical hackers at a cyber security conference uncovered a series of vulnerabilities that would let a criminal break into e-voting machines. During one session they managed to break into and take control of over 25 commonly used terminals in a matter of minutes. Many of these machines were running outdated, insecure software and had easily exploitable weaknesses in their hardware, including poorly implemented security settings. The machines attacked over Wi-Fi were found to be protected by the password ‘ABCDE’.
Data protection experts say political parties are exceptionally vulnerable to cyber-attacks because they gather a large amount of sensitive information across many devices: detailed communication plans, membership data, donor details and financial information. In most cases, as the incident above shows, little thought is given to how that data is stored.
All it takes is one malicious email aimed at a busy, unsuspecting individual, or a malware-laden USB stick plugged into an election-related device, and the attacker has access to everything on that system, especially if the network has been left on ‘open access’ settings.
A lot can go wrong with email. Individuals can intentionally or unintentionally breach organisational email policy, increasing the risk to themselves and to their colleagues. As the email-based attacks on certain parties during the US presidential election showed, even people who had not violated any policy stood to lose from the data exposed in those emails.
Democratic nations today face a clear battle to safeguard the integrity of their elections, and a number of them are now pursuing effective defence strategies and investing substantially in cyber security.
Beyond better compliance, nations and companies alike need robust policies. Even so, large risks and obstacles remain. Since email is not going away, the place to start is policy compliance.
Every individual follows some form of email policy, whether a good one or a bad one. Keeping login identities and passwords under lock and key is a good policy. So is changing a password as soon as a disclosure is suspected (current guidance favours that over changing passwords on a fixed schedule, which tends to produce weaker, predictable passwords). Every organisation likewise has an email policy that reflects its own priorities, for example control over business-related intelligence. A good organisational policy is one in which the business neither encourages nor tolerates confidential information flowing through personal email accounts.
To maintain business continuity and data security, every organisation must identify, report and rectify faults in its data and information systems promptly. Responsibility for ensuring compliance rests with the organisation, not with the individual user. Unfortunately, even recommended email security policies run into problems in practice: employees are not supposed to violate security policy, but they frequently do. That lesson was learnt at great expense in the recent US elections.
If a given set of compliance policies is inadequate to provide the required email security, better policies are plainly needed. For confidential data, companies should consider adding and enforcing an email encryption and signing policy. Most people are lax about digitally signing or encrypting their personal email, and the same laxity carries over into business email. Encrypting messages adds a layer of defence against the theft of data held on private mail servers. And because email is easy to forge, a signed message mitigates the risk of forgery: the recipient can check that the message really came from the claimed sender and that neither the headers nor the body were altered in transit. Any organisation, small or large, and especially one that handles financial assets, needs encrypted and signed email as a baseline security policy.
Without email encryption, an attacker who compromises even one mail server can read all the correspondence stored on it. With end-to-end encryption (messages encrypted to the recipient's own key, not merely TLS between servers, which leaves the stored copy readable), the attacker instead has to defeat the defences of every employee's computer, where the private keys live, before gaining access to the whole organisation's data.
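To make the two preceding claims concrete, here is a small added example (not code from the original article) of what signing and end-to-end encryption buy you. It signs a message's headers and body with Ed25519, shows that an altered body or forged From: header fails verification, and encrypts a body to one recipient's X25519 key so that a copy of the ciphertext lifted from a server cannot be decrypted with any other key. The function names (SignMail, VerifyMail, EncryptFor, DecryptWith, GenerateEncKey), the header canonicalisation, the example addresses and the use of SHA-256 in place of a full key-derivation function are all simplifications chosen for this illustration; real deployments use S/MIME or OpenPGP, which define their own formats.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// canonical is the byte string that gets signed: headers in a fixed order, a blank
// line, then the body. (Example convention only; S/MIME and OpenPGP define their own.)
func canonical(from, to, subject, body string) []byte {
	return []byte("From: " + from + "\r\nTo: " + to + "\r\nSubject: " + subject + "\r\n\r\n" + body)
}

// SignMail signs the canonical form with the sender's Ed25519 private key.
func SignMail(priv ed25519.PrivateKey, from, to, subject, body string) []byte {
	return ed25519.Sign(priv, canonical(from, to, subject, body))
}

// VerifyMail succeeds only if headers and body are exactly what the sender signed,
// so a forged From: header or an altered body fails verification.
func VerifyMail(pub ed25519.PublicKey, from, to, subject, body string, sig []byte) bool {
	return ed25519.Verify(pub, canonical(from, to, subject, body), sig)
}

// GenerateEncKey creates one mailbox's long-term X25519 encryption key pair.
func GenerateEncKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// aeadFromShared turns an X25519 shared secret into an AES-256-GCM cipher.
// Hashing the secret with SHA-256 stands in for a proper KDF (example simplification).
func aeadFromShared(shared []byte) (cipher.AEAD, error) {
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFor encrypts body to one recipient's public key via an ephemeral X25519
// agreement; it returns the ephemeral public key and the nonce-prefixed ciphertext.
func EncryptFor(recipient *ecdh.PublicKey, body []byte) (ephPub, ct []byte, err error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	shared, err := eph.ECDH(recipient)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := aeadFromShared(shared)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return eph.PublicKey().Bytes(), gcm.Seal(nonce, nonce, body, nil), nil
}

// DecryptWith recovers the body; only the matching private key can, so a copy of
// the ciphertext taken from a mail server is useless without that key.
func DecryptWith(priv *ecdh.PrivateKey, ephPub, ct []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(ephPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFromShared(shared)
	if err != nil {
		return nil, err
	}
	if len(ct) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

func main() {
	// Constructed sample message and fresh keys; nothing here is real campaign data.
	sigPub, sigPriv, _ := ed25519.GenerateKey(rand.Reader)
	recipient, _ := GenerateEncKey()
	from, to, subject, body := "treasurer@example.org", "chair@example.org", "Donor list", "Review the donor spreadsheet before Friday."

	sig := SignMail(sigPriv, from, to, subject, body)
	fmt.Println("genuine verifies:", VerifyMail(sigPub, from, to, subject, body, sig))
	fmt.Println("altered body verifies:", VerifyMail(sigPub, from, to, subject, body+" Wire funds today.", sig))

	ephPub, ct, _ := EncryptFor(recipient.PublicKey(), []byte(body))
	plain, err := DecryptWith(recipient, ephPub, ct)
	fmt.Println("recipient decrypts:", err == nil && string(plain) == body)
}
```

The signing half shows why a signature policy defeats the "forward a genuine mail with an edited body" trick: the signature covers the From:, To: and Subject: headers as well as the body, so changing any of them invalidates it. The encryption half shows the point made above about servers: an attacker holding ephPub and ct from a compromised mailbox still needs the recipient's private key, which never leaves the recipient's machine.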
Every organisation that uses email should consider raising its email policy to include encryption and signing in order to protect its data. Whatever the inconvenience or the learning curve, the danger is simply too great to ignore.