10 Lessons Your Small Business Should Learn from the Podesta Email Hack



What can your small business learn from the John Podesta email hack? As it turns out, a lot. Here are 10 key lessons to takeaway from this situation.

The email hacks — not the other email problem — impacting this year’s Presidential election should be a stern warning to any small business owner.

Cyber attacks are on the rise and you don’t have to be the campaign chair of a Presidential candidate to be a target. In fact, if you’re a small business owner, you’re more likely to be targeted.

Here’s how it happened: A spear-phishing email was sent to Hillary Clinton’s campaign chairman John Podesta. An aide read the email, was worried and contacted hired expert help. Lines were crossed, a bad link was clicked, and the rest is unfolding history.

This could happen to you and while the ramifications may not have the same global impact as Podesta’s, someone would have a hard time explaining that to you when it does.

So here are 10 key lessons to be learned by small business owners from the John Podesta email hack.



Takeaways from the John Podesta Email Hack

1. Implement a Chain of Command

There will be times when security breaches are attempted. It may have already happened at your small business. If it hasn’t, it will.



Even as Wikileaks is busily dumping thousands of emails from Podesta’s Gmail account, tens of thousands of small businesses are targets of hackers. And unless you’re a cyber security expert, you’re going to need to have a plan to deal with these threats.

Outline a chain of command for dealing with cyber security threats. Let everyone associated with your company know what the chain of command is when dealing with a potential security threat. Who contacts whom and what does each person do?

2. Read and Reply to Your Own Emails

The hack started when an aide to Clinton campaign chair Podesta read this message on her boss’s Gmail account (Image via The Smoking Gun):

What can your small business learn from the John Podesta email hack? As it turns out, a lot. Here are 10 key lessons to takeaway from this situation.

The message was sent to john.podesta@gmail.com.



So, the big takeaway here — the point at which it all begins to break down — is that if it’s your email with your name, you should be the one in charge of opening, reading, and replying to messages.

3. Typos and Errors Are Hallmarks of a Hack

If there’s one thing that usually separates hackers from legitimacy, it’s adherence to grammar and punctuation.

The header of the message at the heart of the Podesta attack reads “Someone has your password” but like that line, the email is riddled unprofessional hallmarks.

There is no punctuation in the initial warning. There is no comma or colon after the salutation, “Hi John”. And if this were a real message from Google — which it obviously wasn’t — give the company props for being vague and confusing.



What does the first sentence even mean? Secondly, there is no ask for confirmation of suspicious activity. Just a demand that the password be changed immediately.

And then, a very cordial closing to this message seems out-of-tune for the alleged severity of this message. Only a “Good luck,” would be more ignorant. Note that they did put in a comma after “Best” though.

4. Get Familiar With a Real Gmail Warning

Oddly, it was 3 days after the March 19 successful spear-phishing email that Google released information about potential “government attacks” against some Gmail users. To warn users, Google sent this message to Gmail users:

What can your small business learn from the John Podesta email hack? As it turns out, a lot. Here are 10 key lessons to takeaway from this situation.



Note its adherence to proper grammar and punctuation. Notice that it doesn’t take a bossy, back-you-in-the-corner tone. Your message likely won’t be the one above but will have a similar look and feel, no doubt.

5. Read Security Update Blogs

Of course, it would have helped if Google’s warning came three days prior to this spear-phishing attempt. Google, however, has made this similar warning in the past.

If you use Gmail for your company’s email, then it’s wise to check security and other blogs directly from Google. Set up an alert or notification when new posts are created on key Google security blogs.

6. Recognize When It’s Beyond Your Realm

This is one area where the campaign got it right. And you should, too.



The aide who read the email clearly knew this was out of her jurisdiction. But it clearly needed to be addressed. After all, this message was a hacking attempt.

Reacting to this message, the aide contacted an IT professional close to the campaign.

7. Unsure? Call a Pro

Again, this is another area where the campaign got it right.

The aide to Podesta who saw this ominous message in his inbox almost immediately recognized that this could be something. So, she reached out to the campaign’s IT pro. The campaign had one in place and the right alarms were sounded when the message was initially received.



If you’re not sure what to do with a potential security threat, contact someone who will know.

8. Hire a Good Pro

In the case of the Podesta phishing attack, it appears the IT pro that the Clinton campaign had on staff or on-call was up on his information, at least about Gmail.

Make sure you get a knowledgeable expert who can offer real help at the drop of a hat. When recruiting such a person, contact a third-party who can give you vetting questions to ask your would-be expert.

9. Read Messages Thoroughly

If you’re going to pay said security expert, best hang on their every word. Underscore every.

That IT expert wrote in an email, “This is a legitimate email. John needs to change his password immediately, and ensure that two-factor authorization is turned on his account … It is absolutely imperative that this is done ASAP.”

That message included a Google link to enable two-factor authentication on Podesta’s Gmail account. The message was sent back to the aide who forwarded it to Podesta and another aide, who ultimately read the email and acted on it.

However, the aide who acted on it wasn’t sure if — or didn’t see — the link copied by the IT expert was legit or if he meant that blue button in the phishing email.

Guess which one was clicked?

10. Pick Up the Phone, Address It In Person

Don’t let this situation up to chance. Cybersecurity is a real threat to small businesses. The first time your company is hacked could be the last.

When responding to an email threat, don’t use email to try and resolve it. Pick up the phone. Get confirmation that the right messages are being read and the proper links clicked and protocols put in place. Better yet, get on Skype and share your screens. Even better, have your expert address threats in person.

All About Protocol

Cybersecurity is likely your company’s biggest vulnerability now and in the future, at least until you address it.

A careful, consistent, and measured approach to all threats is imperative. It will stress its importance to your business to others, too.

John Podesta Photo via Shutterstock 3 Comments ▼


Joshua Sophy - Assistant Editor


Joshua Sophy Joshua Sophy is the Assistant Editor for Small Business Trends and the Head of Content Partnerships. A journalist with 17 years of experience in traditional and online media, Joshua got his start in the newspaper business in Pennsylvania. His experience includes being a beat reporter covering daily news. He eventually founded his own local newspaper, the Pottsville Free Press, covering his hometown. Joshua supervises the day-to-day operations of Small Business Trends' busy editorial department including the editorial calendar and outgoing assignments.

3 Reactions

  1. Aira Bongco

    Cyberattacks are on the rise and you need to learn along with them to be able to counter them.

  2. Christopher J Tallos

    What was not covered in the story is that 100% of phishing emails contain links to addresses that are not legit. For example, even if you did click on the button which says “Change Password” the expectation should “always” be that you will arrive at the domain Google.com and it will be prominently displayed in the location bar of your browser. If it is not Google.com or the company’s common URL (e.g Facebook.com, Yahoo.com, Microsoft.com, etc.) then LEAVE IMMEDIATELY and contact a professional.

    • Joshua Sophy

      Excellent advice, Christopher.

      I think one of the big lessons we SHOULD be learning from this mess is that every small business should make cyber security — in all phases and among all connected devices — a priority.

Leave a Reply

Your email address will not be published. Required fields are marked *

*