Imagine you are the director-general of MI6, the secretary of state for defence or the CEO of a multinational pharmaceutical business, and you use your own Google Mail, Hotmail, Yahoo Mail or private mail domain server account to conduct work business. It seems obviously wrong, yet cases similar to Mrs. Clinton's, or the examples listed here, happen fairly frequently.
It is called “shadow information technology” and this “industry” is worth hundreds of millions globally. Look around offices of all sorts and you will likely see wireless access points or modem-routers that take you straight out to the internet without any filtering. Why? IT security policies can sometimes be too strict, or are deemed too strict, so people go around them.
Often email or instant messaging tools do not offer “enough” collaboration, so people go and find their own free cloud tools, often hosted in the USA, to bypass company platforms when chatting and sharing company documents. Dropbox, Google Drive, Box and others are often used by developers without security staff knowing, and “approval” is granted by non-security staff.
One anonymous story which I will share is when a senior board member (no title!) put in a change request to get all of his or her company emails forwarded to a company mailbox at another company in a separate industry. The request was denied, but in many cases senior management simply do it without asking, thinking they are above the law. Personal Hotmail accounts and USBs are often used for months or years without anyone knowing.
All of the examples listed above are bad for two reasons: security and compliance (think of some of the eight principles of the United Kingdom’s Data Protection Act). In the past, and likely as we speak, members of the board of management are targeted (“APTs”) to gain access to company information stored on personal kit. Why? Protection on personal kit is lower than the protection at work.
The solution?
- Amnesties: run an amnesty from time to time so people can hand in non-secure USBs or report their use of non-approved cloud services.
- Communication: people may go behind your back since they do know who you are or think your policies are too strict. Be approachable and fair. Run campaigns and training.
- Monitoring/blocking: potentially counterproductive to an extent. Simply block USBs and non-approved file transfer or collaboration websites. Putting out a written policy will not stop people bypassing the rules. If someone approaches you, be friendly and fair so the security department is not seen as an evil business blocker. Known non-approved sites should be monitored to see if anyone is violating the policy.
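As an added example of the monitoring point above (not code from the original post), the script below scans web proxy log lines for the webmail and cloud storage services named in this post and reports which users touched them. The log format, usernames and the domain list are constructed assumptions; maintain the list from your own proxy categories.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (assumed format: timestamp user client_ip method url status).
SAMPLE_LOG = """\
2016-03-01T09:12:01Z jsmith 10.0.1.15 GET https://www.dropbox.com/home 200
2016-03-01T09:12:44Z jsmith 10.0.1.15 POST https://content.dropboxapi.com/2/files/upload 200
2016-03-01T09:15:10Z board01 10.0.2.40 GET https://mail.google.com/mail/u/0/ 200
2016-03-01T09:16:02Z adoe 10.0.1.22 GET https://intranet.example.internal/wiki 200
2016-03-01T09:20:33Z board01 10.0.2.40 GET https://outlook.live.com/owa/ 200
2016-03-01T09:21:05Z adoe 10.0.1.22 GET https://app.box.com/folder/0 200
2016-03-01T09:22:18Z jsmith 10.0.1.15 GET https://drive.google.com/drive/my-drive 200
"""

# Services the post names, grouped by category. The domain suffixes are an assumed,
# hypothetical watch-list; replace it with your organisation's non-approved list.
NON_APPROVED = {
    "webmail": ("mail.google.com", "outlook.live.com", "hotmail.com", "mail.yahoo.com"),
    "cloud_storage": ("dropbox.com", "dropboxapi.com", "drive.google.com", "box.com"),
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")

def host_of(url):
    """Strip scheme and path, returning only the lower-cased hostname."""
    return url.split("://", 1)[-1].split("/", 1)[0].lower()

def categorise(host):
    """Return the watch-list category for a host (exact or subdomain match), else None."""
    for category, suffixes in NON_APPROVED.items():
        for suffix in suffixes:
            if host == suffix or host.endswith("." + suffix):
                return category
    return None

def scan(log_text):
    """Return {user: {category: [hosts]}} for every hit against the non-approved list."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole report
        host = host_of(m["url"])
        category = categorise(host)
        if category:
            hits[m["user"]][category].add(host)
    return {u: {c: sorted(h) for c, h in cats.items()} for u, cats in hits.items()}

if __name__ == "__main__":
    for user, cats in scan(SAMPLE_LOG).items():
        print(user, cats)
```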