Hillary Clinton’s personal email workarounds during her term as Secretary of State have received much scrutiny in Washington and in the media.
All the political rhetoric aside, a question remains:
Why was she allowed to run her own email server? How could an employee dictate email security policy to IT?
Ready for the answer? Special treatment isn’t reserved only for senior politicians. Personal email workarounds could come back to haunt your organization, too.
Whatever happened (or not) on the privately hosted server that Hillary Clinton used to keep her personal email apart from official missives while she was serving as Secretary of State, one issue deserves more attention:
Why was she allowed to set up her own server in the first place?
Until today, nobody had really asked that question. Cybersecurity pioneer Gene Spafford (Purdue University), whose interview with Bank Info Security I highly recommend, highlights the fact that policies are out of sync with users.
Like any other sophisticated organization, the State Department had clear policies in place regarding the use of personal email accounts for work. As reported by Politico, the agency’s policy stated:
“It is the Department’s general policy that normal day-to-day operations be conducted on an authorized [Automated Information System], which has the proper level of security control to provide nonrepudiation, authentication and encryption, to ensure confidentiality, integrity, and availability of the resident information.” That policy had been in place since 2005.
In light of such a clear policy, why would the Secretary of State go to such lengths? Her explanation (whether you agree with the motive or not) rings true: Mrs. Clinton has stated that she didn’t want her personal email to be accessible by the State Department, or subject to Freedom of Information Act disclosure.
That may be an understandable motivation for someone in her position. Users often want privileges that are at odds with IT requirements. But could you imagine a lower level staffer in the State Department trying to pull off the same shenanigans?
Rank has its privileges. At a certain level in an organization policies are one thing, enforcement becomes another. When you’re the boss and have to be “always on”, the line between work and personal life tends to blur.
Google “incriminating email”, and you’ll see a treasure trove of email threads that have resulted in fines or jail time for executives using work email for inappropriate activity. So the motivation to separate personal from work email makes sense.
A personal email policy for the boss...
Hillary’s ability to bend policy was so strong that not only did she keep her email off of State servers, she also had the State IT team change their systems to ensure delivery of messages coming from her personal account. When particular messages were routed to the State spam folders or weren’t delivered, the State Department IT team turned off certain content filtering and scanning functions so her messages wouldn’t get flagged.
State's IT team agreed to this configuration change only haltingly. After all, the filters had blocked malicious content in the recent past. Clinton’s personal email activities put the entire system at risk.
With this magnitude of a shift - where users determine what assets to use for sensitive communications - data breaches are soon to follow. Despite Clinton's protestations to the contrary, the FBI found that 110 messages contained information that was classified at the time it was sent. Add this to the thousands of other sensitive or other messages that were retroactively marked as classified. Her workaround put State Department information assets at risk.
Politicians don’t have a monopoly on email privileges that live outside of IT policy. “Most board members use personal email accounts [while on the job] to handle board communications so they don't get mixed with the emails from the companies where they work,” In a story titled “Spearphishing Attacks Target Boards”, CSO Online recently quoted Michael Bruemmer, vice president for data breach resolution at Experian Information Solutions: "These [personal email accounts] are less secure, and we have seen examples of these accounts having been compromised.”
My company, Authentic8, frequently encounters the personal email use issue in our dealings with large organizations - on all levels, across the public and private sectors.
...is now the rule that puts the shop at risk
What we’ve found is that these workarounds, tweaks, or oversights to allow email access are not a rare exception. Because policies often get in the way of getting things done, the exceptions have become an unofficial rule.
That’s a dangerous development. It’s not like the risks that drove the policies in the first place have been reduced - in fact, threats have multiplied:
- “Phishing” and other business email schemes targeting senior executives are skyrocketing. According to the FBI, U.S. companies reported damages of more than $3 billion in 2015.
- Malicious software like spyware and ransomware, distributed via large-scale automated attacks, is infiltrating corporate networks and critical infrastructure, from law firms to local energy utilities. Unsuspecting users click on booby-trapped email links and unwittingly download and activate malicious code that then spreads through their organization’s network.
- Strict compliance requirements for publicly traded companies, especially in highly regulated industries like banking or healthcare, force IT administrators and inhouse counsel to maintain detailed documentation of email communication on behalf of the organization.
What Hillary Clinton’s personal email saga illustrates better than anything is the lengths users will go to in order to bypass restrictive IT policies.
Enter Silo, the secure virtual browser developed by my company. Instead of trying to balance restrictive policies with the needs of the user, we have designed Silo to fully reconcile IT security requirements with the way people get their work done.
Most personal email accounts are accessed through a web front end. Regular browsers fetch and process code from the internet on the local computer. If you use a work-supplied computer to access personal webmail, that means your data may be cached on a machine IT controls. Work data get mixed with personal data, which may become subject to disclosure. Or worse - any malicious content in any email or link that you click while in that browser may corrupt your machine or network.
How a secure browser reconciles IT and user needs
Silo eliminates these risks with a virtual browser that runs in the cloud. Instead of executing web code locally, all web content stays in a secure remote container, with only the display of the web session being delivered to the user.
- For users, Silo provides the same rich web and webmail experience they know, but with perfect insulation and anonymity when they access the web.
- For IT, Silo makes it possible to give users access to their personal email and web resources - without risk of data leaks, infection, or policy violation.
Silo has become the secure browser of choice for leading financial institutions, law firms, healthcare providers and federal agencies. And because of its configurability and policy controls, Silo can accommodate even the most complex use cases, like Hillary Clinton’s, without running afoul of established policies.
Silo gives users the ability to balance their work life with personal needs without putting the organization at risk. Or, as in this case, national security.
Try it yourself for free:
About the author: Scott Petry is Co-Founder and CEO of Authentic8. Prior to Authentic8, Scott was the founder of Postini.