Lessons from the DNC Data Breach: Cover Your Assets
IT security has been at the center of international news for the past two months, ever since the story broke in mid-June that the U.S. Democratic National Committee (DNC) had been hacked and confidential data stolen. At least four independent security firms have confirmed that Russian intelligence hacked the DNC, monitoring email and chat communications and accessing confidential research data. By the time the hackers were removed from the DNC network in June, they had exploited access to the organization’s network for about a year.
The DNC news story became even more incendiary in late July, when just days before the Democratic Convention in Philadelphia, WikiLeaks released nearly 20,000 emails that it said came from the accounts of DNC officials. In the wake of the leaked emails, DNC chairwoman Debbie Wasserman Schultz resigned.
As these stories played out in the press, reactions were what you might expect: accusations that the breach was designed to harm Clinton or alternatively to harm Trump by linking him to the Russians; anger and dismay at a foreign nation interfering with the American political process.
I had an entirely different reaction to the news – one that has nothing to do with politics. My thinking is that this story reveals the full scope of security risks we face from sophisticated attackers. The DNC attack was not about financial gain; it was about stealing confidential information and using it to disrupt or sabotage. It may sound farfetched, but the truth is that organizations of all types are vulnerable to this type of threat. (Another high-profile example is the April 2016 breach at a Panamanian law firm that leaked more than 11 million confidential client documents to the press.)
Leaving politics aside, the DNC breach shines a harsh spotlight on the risk of unprotected information assets, such as trade secrets, intellectual property, and other confidential documents. Theft or exposure of this type of data could have devastating effects on any organization. Unfortunately, because of limited time and resources, many security teams focus their efforts on protecting financial data or on securing the data required to comply with privacy laws (e.g., personally identifiable information), leaving some confidential emails and documents unprotected.
Lessons learned for IAM
All organizations can benefit from rethinking their identity and access governance programs to ensure adequate measures are in place to protect all sensitive information assets, above and beyond what is required by regulatory compliance. By classifying high-value information, such as confidential plans and strategies, market research, and competitive intelligence, and identifying where it resides – on file servers, on SharePoint sites, in cloud storage services, and in email folders – organizations can monitor who has access to it and how they are using it, and put effective controls in place to secure it.