DNC Email Scandal Shows What Must Be Done to Prevent Breaches, Leaks
First, never assume that email is private. Even though you may trust the recipient, there's nothing to prevent them from sharing your email with others. There's also very little to prevent your email from showing up in the discovery process if you're involved in a legal dispute, or from law enforcement from finding it—or, for that matter, a hacker. Second, try to find some means of communications besides email. But just know that instant messaging isn't secure, either. Once, when I was on assignment somewhere in eastern Europe shortly after the Soviets pulled out, my approach was to hold sensitive discussions while walking in the woods. You may not need to hike the Transylvanian hills, but face-to-face discussions are less likely to be intercepted than email. Just hope the other person isn't recording you. Third, since you're going to use email no matter what I suggest, don't discuss things that will land you in trouble if anyone finds out, because you have to assume they will find out. As Debbie Wasserman Schultz has discovered, they always find out. Finally, if you absolutely must discuss sensitive information by email, then at least use encryption. Ray Rothrock, CEO of security vendor RedSeal, suggests sending email using encryption, but then sending the key using some other means. This is an instance when you could send the key via Facebook Messenger's encrypted message service to decrypt sensitive email.What else can you do? You need to protect your network so you can minimize the success of a hacking attempt. Rothrock said, "Start with good hygiene and policies, and then test everything to make sure it works." Rothrock 'added it's also important to make sure that exfiltrating information is very difficult through proper network design and management, as well as through the use of the right security products. Unfortunately, for any of this to matter, policies must be in place to support the people who are protecting your email and policies about what can and what cannot be sent via email. And there must be some effort to help people understand that the price of laziness, arrogance and stupidity is very high. It can cost your job and it may hurt even worse when it damages the organization. Allowing laziness or inattention to keep you from being secure is beyond stupid, as the soon-to-be former head of the DNC has just found out.
Of course, encryption only goes so far; if it's a court or law enforcement, you may be compelled to provide the key. And if the email you're sending exists in non-encrypted form somewhere on your computer, you can assume a hacker or the FBI (or both) will find it.