Will yours be next?
By Damian Funnell
By now you’re probably aware that Phil Goff’s personal email account was allegedly hacked and, according to the New Zealand Herald, someone tried to sell tens of thousands of his emails. These emails purportedly included a ton of sensitive personal information and confidential emails.
Mr Goff said most of the emails were "of very little significance". Of course, a number of public figures have definitely had their email accounts hacked.
As I’ve written about previously, John Podesta, chair of Hillary Clinton’s 2016 presidential campaign, had his personal Gmail account hacked by a shady group of Russians, resulting in over 20,000 pages of his emails being plastered all over WikiLeaks. While it is impossible to know if these messages were doctored before being posted, it’s very likely that this breach changed the course of history by contributing directly to Clinton’s loss and Donald Trump’s presidency.
Lots of examples
There are dozens of domestic examples that I’m aware of, including the hacking of email accounts belonging to public figures (anyone remember Whaleoil?), businesses and professionals from around New Zealand. Most of these hacks are kept confidential for obvious reasons, but it’s always distressing to see how disastrous they can be to the victim, both commercially and personally.
And not everyone knows when they’ve been hacked. We’ve helped several customers recently who have not only had their mailboxes hacked, but the hackers have set up ‘forwarders’ that forward the victim’s incoming email to the hacker’s account, effectively allowing them to continue siphoning information from the victim’s inbox.
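One defensive check for the hidden-forwarder pattern just described is to pull every rule out of a mailbox and flag the ones that ship mail outside the organisation. The script below is an added example, not code from the article or from any mail provider; the JSON layout it reads is an assumed, simplified export shape (real provider exports use their own field names), and the rules and domains in it are constructed samples.

```python
# Added example (not from the article): audit exported mailbox rules for the
# hidden-forwarder pattern. The JSON shape below is an assumed, simplified
# export format, not any provider's real API schema; map your own export's
# field names onto it before use.
import json

# Constructed: the domains the organisation itself controls.
TRUSTED_DOMAINS = {"example-lawfirm.co.nz"}

# Constructed sample export of five rules from one mailbox.
SAMPLE_RULES_JSON = """
[
  {"id": "r1", "forward_to": "archive@example-lawfirm.co.nz",
   "delete_original": false, "criteria": {}},
  {"id": "r2", "forward_to": "collector@free-mail.example",
   "delete_original": true, "criteria": {"subject": "invoice"}},
  {"id": "r3", "forward_to": null,
   "delete_original": false, "criteria": {"from": "news@example.org"}},
  {"id": "r4", "forward_to": "copy@free-mail.example",
   "delete_original": false, "criteria": {}},
  {"id": "r5", "forward_to": "them@other-firm.example",
   "delete_original": false, "criteria": {"from": "client@example.org"}}
]
"""


def domain_of(address):
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def audit_rules(rules, trusted_domains):
    """Return findings for rules that forward mail outside trusted domains.

    Each finding is a dict with the rule id, target, severity and reasons.
    Severity is 'high' when the rule also hides itself (deletes the original)
    or catches all incoming mail, which is what an attacker's forwarder does.
    """
    findings = []
    for rule in rules:
        target = rule.get("forward_to")
        if not target or "@" not in target:
            continue  # no forwarding, nothing to check
        if domain_of(target) in trusted_domains:
            continue  # internal forward, out of scope for this check
        reasons = [f"forwards to external domain {domain_of(target)}"]
        if rule.get("delete_original"):
            reasons.append("deletes the original, so the owner never sees it")
        if not rule.get("criteria"):
            reasons.append("matches every incoming message")
        severity = "high" if len(reasons) > 1 else "medium"
        findings.append({"rule": rule.get("id"), "target": target,
                         "severity": severity, "reasons": reasons})
    return findings


def audit_export(json_text, trusted_domains=TRUSTED_DOMAINS):
    """Parse an export and audit it; returns the findings list."""
    return audit_rules(json.loads(json_text), trusted_domains)


if __name__ == "__main__":
    for f in audit_export(SAMPLE_RULES_JSON):
        print(f"{f['severity'].upper():6} rule {f['rule']} -> {f['target']}: "
              + "; ".join(f["reasons"]))
```

Run against the constructed export it reports r2 and r4 as high (one deletes the originals, the other catches everything) and r5 as medium; the internal archive rule and the non-forwarding filter are left alone. Reviewing this output for every mailbox, not just the ones whose owners noticed something odd, is how you catch the victims who, as the column says, never knew they were hacked.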
Why does this happen? Is email insecure and should we be using it at all?
Put simply, these hacks occur because the targets are complacent and, based on the stats, you probably are too.
If we are careful and responsible then yes, email is secure enough and most of us rely on it. Getting rid of email is not an option, but if we’re smart then we shouldn’t need to.
The hacking industry
Hacks of this type are becoming more and more common because hacking is becoming a bigger and bigger industry. There are more hackers than ever before and we can no longer consider ourselves too small or too insignificant to be hacked. According to Cybint, 43% of cyber attacks in the United States targeted small businesses and that number is growing. The legal fraternity is a particularly popular target for hackers as lawyers’ email accounts often contain a treasure trove of valuable information.
We also store more email than ever before, which makes our email accounts that much more valuable to hackers. It wasn’t too long ago that Hotmail provided a puny 2MB of mail storage and we all had 50MB mailboxes at work. This forced us to continually archive and/or delete old emails to keep our mailbox sizes down. Now, mailboxes are much larger or even unlimited in size and we no longer have to delete anything, which is great. While this makes our inboxes more valuable to us (I can instantly search through every email I’ve sent or received over the better part of 20 years) it also makes them more valuable to hackers looking for sensitive or financial information.
Helping keep your mailbox secure
Here are a few tips for keeping that growing mailbox secure:
Stop being complacent. Almost everyone I talk to who has been hacked tells me that they knew better, but they just didn’t have time to improve their email security.
Seek high-quality professional advice. Ask a professional to review your email security at least once per year, preferably every quarter. If you already have an IT provider (in-house or external) then get a third party to come in and audit their security processes on a regular basis.
Don’t use your own email server. Use secure cloud-based services such as Google G Suite instead. It doesn’t matter how many firewalls or other security measures you put in place – if I gain physical access to your server I’m almost certainly going to gain access to ALL of your company’s emails.
Don’t use insecure email services. There have been numerous high-profile Xtra service and security failings over the years and its reputation is appalling. That someone with Phil Goff’s stature would be using it at all is beyond belief and it demonstrates very poor judgement on his part. There are a significant number of barristers and solicitors in New Zealand using Xtra or similar ISP-provided email accounts for their practices, which is downright scary. Use your work email account for work-related emails and use a secure email service, such as Gmail, for your personal email.
Use anti-spam and antivirus filters. All email should be filtered to remove as many nasties as possible before it lands in your or your colleagues’ inboxes.
Keep your work and personal email separate, but make both accounts secure. Your personal account is still likely to contain sensitive information, such as credit card and bank account numbers.
Don’t open attachments or click on links unless you’re 100% certain they’re safe. According to Verizon, 94% of malware is distributed via email. Be suspicious by default. Even if the message comes from someone you know, think carefully before you open it or click on that link. Ask your IT security provider for advice if you’re not 100% certain.
Delete old email accounts, as every account constitutes a security risk. If you have unused accounts of your own, delete them. If employees leave the practice then ensure that their accounts are deleted promptly after they leave. You should never keep an email account intact as an email archive – there are much better and more secure ways of archiving mailboxes.
Use a strong and unique password. This is so obvious, but I’m always amazed at how lazy and complacent people can be when it comes to passwords. It’s easy to create a strong password that’s easy to remember and you can use a password safe to keep track of your passwords if you need to.
Use two-factor authentication (2FA). This prevents unauthorised users from logging in to your email account, even if they have your password. If your email service doesn’t provide a 2FA option then move to a different service. Every work or personal email account should be protected by 2FA.
Delete sensitive email. I don’t do this myself, as I have confidence in the security measures I’ve put in place to protect my email account. Deleted emails can’t be accessed by hackers in future, however, so it’s an option worth considering for extremely sensitive communications.
Secure your devices and encrypt local mail storage so your mailbox won’t be compromised if someone steals your laptop or cellphone.
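The 2FA tip above rests on a simple property: the one-time code proves possession of a second secret that the password thief does not have. The block below is an added example, not code from the article; it implements the time-based one-time password scheme (RFC 6238, the kind authenticator apps use) with only the standard library, and checks itself against the RFC's published test secret and timestamps. The `login` function and its plaintext stored password are a constructed illustration only; a real service stores a password hash and its own TOTP secrets.

```python
# Added example (not from the article): the TOTP second factor (RFC 6238),
# standard library only, showing why a stolen password alone fails the login.
# The secret and timestamps below are the RFC 4226 / RFC 6238 test vectors.
import base64
import hashlib
import hmac
import struct

# RFC reference secret as raw bytes, and as the base32 string an
# authenticator app would be enrolled with.
REFERENCE_SECRET = b"12345678901234567890"
REFERENCE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(text):
    """Decode an authenticator-style base32 secret (spaces/case tolerant)."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding if it was stripped
    return base64.b32decode(cleaned)


def hotp(secret, counter, digits=6):
    """RFC 4226 HMAC-SHA1 one-time code for a 64-bit counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks the window
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 code: HOTP over the 30-second step containing unix_time."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, submitted, unix_time, step=30, digits=6, window=1):
    """Accept the code for the current step or `window` steps either side to
    tolerate clock skew. Constant-time compare, and no early exit, so timing
    reveals neither the code nor which step matched."""
    counter = int(unix_time) // step
    ok = False
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            ok = True
    return ok


def login(stored_password, stored_secret, password, code, unix_time):
    """Constructed illustration: both factors must pass. A correct password
    with a missing or wrong code fails, which is the point of 2FA."""
    password_ok = hmac.compare_digest(stored_password, password)
    code_ok = verify_totp(stored_secret, code, unix_time)
    return password_ok and code_ok


if __name__ == "__main__":
    t = 59  # RFC 6238 test time: the code for this step is 287082
    print("code at t=59:", totp(REFERENCE_SECRET, t))
    print("password only:", login("hunter2", REFERENCE_SECRET, "hunter2", "", t))
    print("password + code:", login("hunter2", REFERENCE_SECRET, "hunter2",
                                    totp(REFERENCE_SECRET, t), t))
```

The code at the RFC test time 59 is 287082, and the window of one step either side means the codes for the previous and next 30-second slots are also accepted, which is the usual allowance for phone clocks that drift. The verifier deliberately keeps looping after a hit rather than returning early, so a timing measurement cannot tell an attacker which of the three candidate codes matched.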
It’s not difficult to keep your email account secure – you just have to decide to act now rather than wait until it’s too late.
Damian Funnell advises lawyers and law firms and is the founder of an IT services company, and panaceahq.com, a cloud software company.