The recent disclosures that former Secretary of State Hillary Clinton used a private email server for all of her communication offer an opportunity to review corporate policies on email use and email security best practices.
Unfortunately for corporate information security, this is not an unusual situation. When deploying data loss prevention systems, it is common to find users either forwarding their corporate email to non-company servers, or sharing confidential email contents inappropriately.
In an ideal world, the ping-ponging between corporate and personal emails and servers would never take place, thus reducing security issues and IT headaches. In reality, the Bring Your Own Device (BYOD) trend has, if anything, exacerbated the problem. Undoubtedly Mrs. Clinton is simply one of hundreds of thousands of individuals who have used corporate email for private use, or vice versa. Until a cultural change towards the separation of corporate and private email usage is embraced, security vulnerabilities will remain. However, there are several key considerations that an individual, corporation or IT department should keep in mind.
Among best practices for information security applied to email are those recommended by the SANS Critical Security Controls: inventory of devices (clients), secure configurations for servers & clients, continuous vulnerability assessment and remediation, data recovery capability, well-maintained firewalls, controlled administrative access, monitoring of audit logs, account monitoring, data protection, and active testing of controls.
Ultimately, Secretary Clinton's decision was a poor security choice. Corporate email stored on non-corporate servers exposes the organization to multiple risks. If the outside servers are not managed and monitored, it is easier for outside attackers to compromise the server and its contents. Numerous tales can be found on the net about personal email accounts that have been hacked and their contents stolen.
When non-corporate email server hardware is upgraded or disposed of, it is unlikely that the old hardware will be appropriately wiped or destroyed to prevent information compromise.
As if the threat of information disclosure at an unsupported outside email service were not bad enough, unauthorized email accounts may be subject to different legal protections and nation-state monitoring protocols than corporate accounts. An employee involved in a personal legal matter may have a personal email account subject to discovery (in the legal sense) and reviewed, along with any corporate email it contains.
High-profile free cloud email services such as Outlook, Gmail, and Yahoo handle general security issues on the server side, but many other issues are left to the individual end user: password management and monitoring of account access, data protection, and management of the devices used for access.
If your company does have an email policy in place, it would be a good time to review the policy to make sure it covers current issues, including use of outside servers or cloud services for company business. If your company doesn’t have an email policy in place, sample policies are available online that could be starting points. One such policy is available from SANS and includes language that covers the points noted in this article, including using outside servers or cloud email for company business.
After your executives agree to an email policy, be sure to educate employees about the policy, put appropriate measures into place to monitor & enforce the policy, and offer to help transition any employees with out-of-compliance email back into compliance. With policies in place and ample training available to employees, we can help implement a cultural shift towards safer use of both corporate and private emails.