The first rule of cyber security is identifying what data you need to protect and where it resides. Hillary Clinton was using private email for official business, and her sensitive files exist on a backup server not controlled or protected by the government's IT staff. Now a high school student reportedly used social engineering on Verizon to reset the password to CIA Director John Brennan's email account, gaining access to emails and attached documents that contained information about interrogation methods, security clearances, and records of agency staff. Note what the two cases have in common: the data lived in places the organization did not control, and in the Brennan case the strength of the password was irrelevant, because the account recovery path ran through a third party's customer service line.
Think about the types of data your organization maintains that may not be protected under any compliance mandate, including personal data on staff, client information, and proprietary data on your pricing or processes. Even if you do maintain financial accounts, credit card data and/or medical records and feel you have adequate controls in place to meet compliance requirements, have all of your staff, from the CEO to the mail room, been given ongoing cyber security awareness training? It may seem obvious not to send a credit card number via email, or upload a medical file to a publicly accessible internet share, but it happens all the time, usually because the user is not aware of the exposure they are creating by doing so.
Of course there are technical controls that can be put in place as well, but they cannot remove the need for well-written cyber security policies and for training ALL staff on those policies and procedures. That training should include sharing stories like the CIA hack, explaining how it happened, and driving home the reason why everyone needs to understand cyber security.