What Business Can Learn from the Clinton Email Debacle
We live in an age where most people have smart phones, multiple email accounts, and plenty of personal technology in their homes. When people take a job with a company, they are issued technology with which they are intended to do their work. This usually includes a PC, and perhaps a smart phone. One of the goals of company-issued devices is to exert a degree of control over what the employee does. Many of us find it convenient to use our own "stuff" on some occasions, and may even have better technology at home than our employers have issued to us.
In one sense, this is a good thing. After all, an efficient employee is a great asset. Unfortunately, the use of personal technology is accompanied by a number of exposures, just as Senator Clinton's decision to use a personal email server potentially exposed the country to negative consequences.
One of the principal concerns for any company is confidentiality. Organizations have arguably taken reasonable precautions within company-supplied systems to protect data (if not, you have a bigger issue). Given the available statistics related to home network break-ins, it is safe to assume that many, if not most, home networks are not well protected. An employee using such a network for company business can expose confidential information to unintended disclosure. The controls that exist in many businesses, including firewalls, activity logs, access controls, etc., do not exist in most houses. Think about the kinds of information that many of us send via email or other means - employee personal information, confidential customer data, product information, patient data, and the like. The problem is far from insignificant.
So, what do you do? You don't want to stifle employee productivity at home. If employees are willing to spend their own time working on company business, you certainly want to encourage that. It is a false economy, however, to assume that this is free. The trade-off is usually the high cost of the potential exposure versus the (probably) lower cost of incorporating some protections. In my humble opinion, the risks are just too great to ignore. Fortunately, there are many controls that can be reasonably implemented. The following are a few examples:
Email - Employees should just not use their personal accounts for company business, period. Policy should be in place to prohibit this, and if company employees receive a business email from a personal account, they should be encouraged to report it. We know that many of the major email providers scan the contents of email traffic to drive advertising, leaving company information open to capture. In our litigious society, eDiscovery related to company email on a personal account is a sticky issue, and in some instances you can lose by default if you cannot produce eDiscovery items. The easiest answer is just not to allow the use of personal email accounts, and to address it when it happens.
Bring Your Own Device - In a perfect world, I would prefer to have total control over what phone I use, so it is easier to buy my own than to get one from my company. This opens a host of issues, however, in terms of company information residing on personal devices. A BYOD policy spelling out what is and is not allowed is essential. It needs to include such elements as what company information can reside on a personal device, what encryption is required, what anti-malware software is necessary, and who is responsible for support. Today's smart phones can be information funnels to third parties, so attention to this exposure is essential. As an example of the exposure, IBM reported in a study that of 41 mobile dating apps they tested, 26 were vulnerable to hacking. If one of these were on a mobile device with company data or network access, that information would be an easier target.
PCs/Servers - As with personal email accounts, personal PCs and servers (yes, some of us have those in our homes) should not be used for company business. This opens up too many issues that are difficult or impossible for an organization to control.
Networks - I have visited many houses, and have encountered very few with any significant network protection. And yet, many of these networks are used by employees to access company systems. During the AIDS epidemic, people were reminded that they effectively had sex with anyone their partner had ever had sex with. To a degree, this is true with a network. Once an employee's home network is connected to a company network, the company network potentially has the same exposures as the home network. While some protections can be put in place from the company side for these, this protection is not absolute. Employees need to be required to have approved malware protection on personal PCs, firewalls, and similar precautions in place on any network that is connected to the company network.
Public Wifi - Public access points and confidential company information do not mix well. I could write 10 pages on this topic alone. The use of encrypted sites and VPN connectivity is essential when company information is involved.
Education - It is crucial to educate employees about the risks involved in using personal devices for company business, and to inform them about related company policies and procedures. In my experience, most employees will cooperate when they understand the risks and know what to do. It is important, however, that any such policies have "teeth", and that employees understand the consequences of failing to follow them.
Those of us charged with safeguarding a company's network and security have a nearly impossible job as it is. Adding responsibility for personal networks and devices just makes matters worse. Unfortunately, in this case ignorance is NOT bliss. What you don't know will hurt you, so it is important to pay attention to the risks outside of your company's four walls.