The email hacks — not the other email problem — impacting this year’s Presidential election should be a stern warning to any small business owner.
Cyber attacks are on the rise and you don’t have to be the campaign chair of a Presidential candidate to be a target. In fact, if you’re a small business owner, you’re more likely to be targeted.
Here’s how it happened: A spear-phishing email was sent to Hillary Clinton’s campaign chairman John Podesta. An aide read the email, was worried and contacted hired expert help. Lines were crossed, a bad link was clicked, and the rest is unfolding history.
This could happen to you and while the ramifications may not have the same global impact as Podesta’s, someone would have a hard time explaining that to you when it does.
So here are 10 key lessons to be learned by small business owners from the John Podesta email hack.
Takeaways from the John Podesta Email Hack
1. Implement a Chain of Command
There will be times when security breaches are attempted. It may have already happened at your small business. If it hasn’t, it will.
Even as Wikileaks is busily dumping thousands of emails from Podesta’s Gmail account, tens of thousands of small businesses are targets of hackers. And unless you’re a cyber security expert, you’re going to need to have a plan to deal with these threats.
Outline a chain of command for dealing with cyber security threats. Let everyone associated with your company know what the chain of command is when dealing with a potential security threat. Who contacts whom and what does each person do?
2. Read and Reply to Your Own Emails
The hack started when an aide to Clinton campaign chair Podesta read this message on her boss’s Gmail account (Image via The Smoking Gun):
The message was sent to email@example.com.
So, the big takeaway here — the point at which it all begins to break down — is that if it’s your email with your name, you should be the one in charge of opening, reading, and replying to messages.
3. Typos and Errors Are Hallmarks of a Hack
If there’s one thing that usually separates hackers from legitimacy, it’s adherence to grammar and punctuation.
The header of the message at the heart of the Podesta attack reads “Someone has your password” but like that line, the email is riddled unprofessional hallmarks.
There is no punctuation in the initial warning. There is no comma or colon after the salutation, “Hi John”. And if this were a real message from Google — which it obviously wasn’t — give the company props for being vague and confusing.
What does the first sentence even mean? Secondly, there is no ask for confirmation of suspicious activity. Just a demand that the password be changed immediately.
And then, a very cordial closing to this message seems out-of-tune for the alleged severity of this message. Only a “Good luck,” would be more ignorant. Note that they did put in a comma after “Best” though.
4. Get Familiar With a Real Gmail Warning
Oddly, it was 3 days after the March 19 successful spear-phishing email that Google released information about potential “government attacks” against some Gmail users. To warn users, Google sent this message to Gmail users:
Note its adherence to proper grammar and punctuation. Notice that it doesn’t take a bossy, back-you-in-the-corner tone. Your message likely won’t be the one above but will have a similar look and feel, no doubt.
5. Read Security Update Blogs
Of course, it would have helped if Google’s warning came three days prior to this spear-phishing attempt. Google, however, has made this similar warning in the past.
If you use Gmail for your company’s email, then it’s wise to check security and other blogs directly from Google. Set up an alert or notification when new posts are created on key Google security blogs.
6. Recognize When It’s Beyond Your Realm
This is one area where the campaign got it right. And you should, too.
The aide who read the email clearly knew this was out of her jurisdiction. But it clearly needed to be addressed. After all, this message was a hacking attempt.
Reacting to this message, the aide contacted an IT professional close to the campaign.
7. Unsure? Call a Pro
Again, this is another area where the campaign got it right.
The aide to Podesta who saw this ominous message in his inbox almost immediately recognized that this could be something. So, she reached out to the campaign’s IT pro. The campaign had one in place and the right alarms were sounded when the message was initially received.
If you’re not sure what to do with a potential security threat, contact someone who will know.
8. Hire a Good Pro
In the case of the Podesta phishing attack, it appears the IT pro that the Clinton campaign had on staff or on-call was up on his information, at least about Gmail.
Make sure you get a knowledgeable expert who can offer real help at the drop of a hat. When recruiting such a person, contact a third-party who can give you vetting questions to ask your would-be expert.
9. Read Messages Thoroughly
If you’re going to pay said security expert, best hang on their every word. Underscore every.
That IT expert wrote in an email, “This is a legitimate email. John needs to change his password immediately, and ensure that two-factor authorization is turned on his account … It is absolutely imperative that this is done ASAP.”
That message included a Google link to enable two-factor authentication on Podesta’s Gmail account. The message was sent back to the aide who forwarded it to Podesta and another aide, who ultimately read the email and acted on it.
However, the aide who acted on it wasn’t sure if — or didn’t see — the link copied by the IT expert was legit or if he meant that blue button in the phishing email.
Guess which one was clicked?
10. Pick Up the Phone, Address It In Person
Don’t let this situation up to chance. Cybersecurity is a real threat to small businesses. The first time your company is hacked could be the last.
When responding to an email threat, don’t use email to try and resolve it. Pick up the phone. Get confirmation that the right messages are being read and the proper links clicked and protocols put in place. Better yet, get on Skype and share your screens. Even better, have your expert address threats in person.
All About Protocol
Cybersecurity is likely your company’s biggest vulnerability now and in the future, at least until you address it.
A careful, consistent, and measured approach to all threats is imperative. It will stress its importance to your business to others, too.
John Podesta Photo via Shutterstock