Email security has been in the news an unprecedented amount lately, and the need for those dealing with sensitive data to take precautions when using email has never been higher.
Reports confirm that human error and bad email hygiene are among the leading causes of data breaches. The enormous fines faced by companies like TalkTalk and the reputational damage associated with such breaches (84% of Brits would reconsider brands affected by data breaches) show just how seriously both regulators and the public take the handling of sensitive data.
And that’s before we get to the Clinton scandal.
To summarise, Clinton set up and used a private email server which was then used to transmit classified and sensitive data, instead of using an official state.gov email account (which would have been hosted on servers owned and managed by the US government). Furthermore, investigative records show that Clinton aide Huma Abedin sometimes transferred emails from her State Department account to either her Yahoo account, or her account on Clinton’s server, in order to print emails. In fact, “Of the more than 160 emails in the latest Judicial Watch release, some 110 emails – two-thirds of the total – were forwarded by Abedin to two personal addresses she controlled”.
CheckRecipient can’t stop people setting up private servers. However, had the State Department been using CheckRecipient’s ‘RuleBuilder’ and ‘Guardian’ software, it could have detected, warned about, and stopped data being sent from the secure State Department email servers to external and personal email addresses.
It is yet to be seen whether the recently uncovered data transmitted this way was classified (and therefore in breach of federal requirements), but CheckRecipient could have stopped the data leaving government servers – and alerted the State Department immediately that the data was being transferred, by whom, and to whom.
The problem, however, ranges further afield than the Clinton scandal; it seems that this behaviour is far from unique. Whether it’s classified information or restricted intellectual property, without barriers in place, this data is being allowed to leave the secure, closed systems where it is meant to remain. For example, a 2015 survey of US government employees shows a significant number had used personal email accounts for government business.
With all the press attention on state-sponsored hackers, advanced persistent threats and sophisticated tools to identify malicious behaviour on networks, it’s important to remember that “Data sent by email to incorrect recipient” was the number one cause of digital data security incidents reported to the Information Commissioner’s Office, and that the vast majority of breaches and improper removal of intellectual property are related to human error.