Earlier this week, I shared my thoughts on why CISOs need a seat at the table with the Board of Directors. Equally important, CISOs need to be able to set security policies and guidelines that are followed by all employees, including executives. Often employees will use personal phones, computers, and email accounts to conduct business—ignoring company security policies and protocols, and often at the risk of compromised data.
These security policy violations are frequently committed in the interest of convenience, with the belief that the increase in productivity outweighs the risk. Another motivator is privacy. Some executives use personal email accounts to keep certain communications “private” from the broader company. This tendency is mentioned in a recent Wall Street Journal article (requires subscription to view). However, using these methods often violates both internal and regulatory governance standards. Many companies, especially if they are in litigation, require a legal hold on all of their executive email (regardless of the company email retention policy).
Often those who violate the policies do not understand the full extent of the risks they are taking, especially because personal accounts are typically more susceptible to hackers, and the violations can result in legal consequences.
The recent discussions around the use and configuration of former Secretary of State Hillary Clinton’s personal email server help to highlight how convenience and privacy are often pursued in lieu of security in both our enterprises and governments. While Clinton was in office as the Secretary of State, she used her personal email account to conduct all State business. In a press conference on March 10, Clinton said she used her personal email account for convenience—she wanted to carry just one device for both her work and personal emails (by the way, I carry two devices!).
On Wednesday, March 11, Venafi announced and released its TrustNet certificate reputation service, and by using TrustNet we were able to show that there was a 3-month gap before encryption was enabled on Clinton’s email server. In January 2009, eight days before Secretary Clinton was confirmed by the U.S. Senate, the domain clintonemail.com was registered. Then, 3 months later, in March 2009, mail.clintonemail.com was enabled with a Network Solutions digital certificate and encryption for web-based applications. Although we do not know if it was compromised during this 3-month gap, Secretary Clinton stated in her recent press conference that her email account had never been compromised. But honestly, she can’t know that!
During the 3 months without a digital certificate, access to the server was neither encrypted nor authenticated. Throughout that time, the account would have been easy to compromise, allowing others to eavesdrop on both incoming and outgoing communications. It could also have been spoofed, using the account for phishing or to send malware. Another concern is that credentials could have been compromised during this time, especially given her travel to China and elsewhere. This could open the door, as we've seen with so many other breaches, to long-term, under-the-radar compromise by adversaries. This is an example of how the person taking the risk didn’t know the full ramifications of his or her actions, and of how policy was not enforced.
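The gap described above is the kind of thing a defender can audit from a host's certificate history: compare the date a domain came into use against the validity periods of the certificates issued for it, and report every window in which no certificate covered the host. The following is an added example, not Venafi's TrustNet code; the hostname, registration date and certificate records are constructed for illustration and are not the actual dates from the Clinton server.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple


@dataclass
class CertRecord:
    """One certificate observed for a host (constructed sample data below)."""
    host: str
    not_before: date
    not_after: date


def coverage_gaps(host: str, registered: date, records: List[CertRecord],
                  today: date) -> List[Tuple[date, date]]:
    """Return (start, end) windows between `registered` and `today` during
    which `host` had no valid certificate, i.e. no TLS coverage.
    Overlapping or back-to-back certificates are merged; a renewal that
    arrives after the previous certificate expired produces a gap."""
    certs = sorted((r for r in records if r.host == host),
                   key=lambda r: r.not_before)
    gaps: List[Tuple[date, date]] = []
    covered_until = registered          # nothing is covered before use begins
    for c in certs:
        if c.not_before > covered_until:
            gaps.append((covered_until, c.not_before))
        covered_until = max(covered_until, c.not_after)
    if covered_until < today:           # still uncovered at the audit date
        gaps.append((covered_until, today))
    return gaps


def longest_gap_days(gaps: List[Tuple[date, date]]) -> int:
    """Length in days of the widest uncovered window (0 if none)."""
    return max(((end - start).days for start, end in gaps), default=0)


# Constructed sample: domain registered in January, first certificate only
# issued in late March, and a late renewal the following spring.
SAMPLE_HOST = "mail.example-audit.test"
SAMPLE_REGISTERED = date(2009, 1, 13)
SAMPLE_RECORDS = [
    CertRecord(SAMPLE_HOST, date(2009, 3, 29), date(2010, 3, 29)),
    CertRecord(SAMPLE_HOST, date(2010, 4, 15), date(2011, 4, 15)),
    CertRecord("other.example-audit.test", date(2009, 1, 1), date(2012, 1, 1)),
]

if __name__ == "__main__":
    for start, end in coverage_gaps(SAMPLE_HOST, SAMPLE_REGISTERED,
                                    SAMPLE_RECORDS, date(2011, 3, 1)):
        print(f"{SAMPLE_HOST}: no certificate {start} to {end} "
              f"({(end - start).days} days)")
```

Run against real certificate transparency or scan data, the same function flags both the initial unencrypted period and any lapse between renewals.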
Organizations need to partner with and rely on their security professionals, and ultimately their CISOs, to set security policies that consider the risk to the company. It is imperative, however, that the CISO partner with the business and compliance teams so that the policies set forth address the need for those controls.
We all know that in some cases policies/guidelines must be flexible to enable business, but we always must assess the acceptable risk to the company. It is important, however, that the business as well as your company as a whole understand and accept the risk through a formal Risk Acceptance process. This process must be documented, including mitigating controls, and kept current through formal documented security reviews with the business.
Although the CISO is charged with balancing security against privacy, productivity and flexibility, as well as industry and governmental compliance regulations, communication policies cannot be created in a vacuum. They should be developed collaboratively to ensure business enablement while keeping risk to the lowest acceptable level. Therefore, once these policies are designed to support the overall business using a comprehensive risk analysis, all employees should be informed of them at least annually through formal security awareness training and then abide by them to keep their organizations safe.
Again, I hope my comments spark a discussion. Has your organization’s CISO provided clear security policies for business communications that include the use of personal phones, laptops, and email accounts? What about the use of social media? Do you feel these policies support productivity? Do they address risk? Do your employees adhere to these policies? Let’s hear your thoughts….