The White House recently revealed details of a disturbing breach of their own cyber security, proving that cyber attacks are not limited to the private sector. Government sources allege that Russia was behind an email spear phishing attack at the State Department. As a result, hackers were able to gain access to non-public sensitive data, including details of the president’s travel schedule in real time. According to one official the attack began last October. Subsequent attempts to upgrade security of the system proved unsuccessful. In fact, it is not clear whether or not the hackers have been fully removed from the State Department networks as of today. It does not appear that there was any breach of classified documents.
Private and state public organizations can learn several lessons from this incident. Prior to the breach, it appears that the White House embraced a familiar technique long used by cyber security experts. They made a calculated decision to categorize and prioritize which data received the most security resources. According to President Obama’s deputy national security advisor, the White House deliberately used a separate email system for its most sensitive documents. As a result, the hackers were unable to access classified information.
This event also raises the need for training for all employees to become aware of spear phishing, a common technique used by hackers to gain entry to private computer networks. This targeted attack begins when an unsuspecting victim opens an email attachment or clicks on a link that appears to come from a familiar coworker or friend. Once opened, malware attaches to the browser, and the network is attacked. It is unclear what training, if any, was provided for State Department employees.
Cyber attacks are becoming more common even among government agencies. It is important for the country’s public and private sectors to take heed, regardless of size or industry the impetus for a data breach is always looming as was seen with Sony and Home Depot.
Click here to learn more about reducing the threat of cyber risks to your business, as well as protecting your clients from cyber risk.