Last week, WikiLeaks posted a treasure trove of internal emails from the Democratic National Committee (DNC). The leaked emails demonstrated a clear bias within the DNC against Bernie Sanders and for Hillary Clinton, when the organization claimed to be neutral. The incident:
 
  • Confirms two of our 2016 cybersecurity predictions:
    • In 2015, we predicted that cybersecurity would become a major issue in the 2016 US presidential election. Not only have candidates discussed cybersecurity issues such as encryption throughout the debates, but with the DNC email leak, cybersecurity itself is taking center stage in the election and influencing events. It is worth noting that hacking during election season is not purely a US-related issue. The entire voter registration database of the Philippines, which included fingerprint data, was hacked this spring.
    • We also predicted that an executive would need to step down due to a cybersecurity breach. As a result of the embarrassing emails, the DNC chairwoman, Debbie Wasserman Schultz, has announced her resignation at the end of the DNC convention.
  • Provides important lessons for CISOs across industries:
    • View cybersecurity as a business issue, not an IT issue. Poor security not only leads to massive breach costs and years of litigation, but it undermines customer/voter trust in your organization — the consequences of which can be far more damaging and long-lasting because they affect your ability to win and retain these customers/voters. How you handle the breach affects your reputation, but the contents of the breach will also affect your reputation. There are going to be emails and info that in context or out of context will cast your organization in a negative light. Take Sony, for example. How many of those emails were either taken out of context or exposed sensitive communications — like salary negotiations? Don’t treat breach response planning as solely a planning exercise for the security team.
    • Don’t focus too much on attribution. The Clinton campaign has claimed that Russia is behind the attack. There are conflicting reports about whether this is true, and in the end, while the public awaits a final determination, the damage is done. The chairwoman of the DNC has resigned, she is no longer speaking at the convention itself, and now the DNC must work even harder to ensure that angry Sanders supporters continue to support the party’s nominee. It’s more important to focus on your response to the breach and how you will repair customer/voter trust than on attribution. Maybe Russia was behind the attack — this makes the DNC a victim of a foreign government wielding cybersecurity to influence geopolitics — but it likely doesn’t appease Sanders’ supporters.
    • Understand the business value of the data in your organization. The leaked emails also contained the personal details of party donors and all the ammo the DNC had against Donald Trump. When it comes to data, CISOs must remember the 3Ps — Personal Data, Payment Card Data, and Intellectual Property (IP). You must know where this sensitive information resides in your organization and how various stakeholders use, share, and disseminate it. A breach of the first two P’s undermines customer trust and leads to huge remediation costs; a breach of the last P can significantly erode your competitive advantage because it reveals the guarded secrets of how you go to market or how you develop and deliver your products or services.
    • Ensure you have visibility into your network. Most organizations don’t have insight into what’s going on inside their networks. This blindness makes the attacker’s job easier. CISOs should ensure they’ve deployed security analytics tools that can help their teams spot the tell-tale signs of a breach in progress — before someone else does.
    • Don’t forget the human element. One of the most interesting reveals of the WikiLeaks dump is the set of emails suggesting that the DNC had moles inside the Sanders campaign feeding them insider intel. This is old-fashioned spycraft exposed via hacking — the intersection of the physical and cyber worlds. This also raises the question — how was the Sanders mole able to feed intel to the DNC? By definition, insiders have access to your most sensitive data. When insiders become malicious, they can inflict irreparable damage. CISOs need to have initiatives in place specifically to hunt for and deal with insider threats.
    • Don’t assume email is private. Assume that your email can be hacked by an external attacker or compromised by a malicious insider. Consider what information in your corporate emails could be damaging if released. What information about your business, your processes, and your employees might be revealed that would paint your organization in a negative light? This should dictate when to use security controls such as encryption and also what kind of sensitive information should be communicated over email at all. Sony CEO Michael Lynton has stated that in the wake of his company’s data breach, he now communicates less over email and more via fax machine. According to Lynton, “Sometimes slowing things down for a minute, that’s not the worst thing in the world, either. What you say in haste at 3 in the morning — which was often the case of what showed up in some of those emails — is not necessarily the best way to say what you want to say.”