Why IT Professionals Are Thanking Hillary Clinton This Week
(This post originally appeared on Forbes)
By now, you’re familiar with the latest controversy surrounding Hillary Clinton and her emails. To catch you up, it turns out that the former Secretary of State (and likely Presidential candidate) was using a private email account. Of course, this is not unusual – most of us have multiple, personal email accounts with public services like Gmail, Yahoo and Hotmail. It’s just that Clinton’s email wasn’t with one of these popular email providers. She had an email account set up on her own, hosted, in-house server. And she was allegedly using it for both personal and State Department business.
Clinton has not responded to these allegations herself. But if true, every IT person in this country is by now secretly thanking her. Yes. Thanking her. That’s because, politics aside (and there are some really creepy things going on here), she has created awareness about a huge issue that good IT people always warn their clients about and are usually ignored. Clinton was an employee of the U.S. State Department. Rogue emails from an employee can derail a Presidential campaign but even more importantly, they can have a seriously negative impact on our companies too.
Setting up a dubious email account is super-easy. My domain is marksgroup.net but just doing a simple domain search I see that marksgroup.info (or .biz, .us, .me, .club, .xyz and many others) are wide open to register for as little as $0.99. Once purchased, any internet hosting service will set up that domain for you and host it, with email accounts, for just a few dollars a month. And as quickly as that the rogue employee is in business. And he doesn’t even need to set up his own server to do it like Clinton did. So if you’re getting an email from me or someone who works for me from a marksgroup.net account or marksgroup.biz you’ll likely not pay much notice. They look pretty much the same, right? But they’re not.
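A check a mail gateway or log review could run against this lookalike-domain problem, as an added example that is not part of the original post. It assumes the approved domain is marksgroup.net, treats the last label as the TLD (a production check would use the Public Suffix List), and uses constructed sender headers.

```python
from email.utils import parseaddr

# Assumptions for this example: the approved company domain and the public
# webmail providers the article names.
APPROVED_DOMAINS = {"marksgroup.net"}
PUBLIC_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "aol.com"}


def registrable_label(domain):
    """Return the label directly left of the TLD ('marksgroup' for
    'mail.marksgroup.biz'). Simplification: multi-label suffixes such as
    co.uk are not handled."""
    name = domain.rpartition(".")[0]
    return name.rpartition(".")[2]


def classify_sender(from_header, approved=APPROVED_DOMAINS):
    """Classify a From header: approved, lookalike, webmail, external, invalid."""
    _, address = parseaddr(from_header)
    local, at, domain = address.rpartition("@")
    domain = domain.lower().rstrip(".")
    if not at or not local or "." not in domain:
        return "invalid"
    if domain in approved:
        return "approved"
    # Same company name under a different TLD: marksgroup.biz vs marksgroup.net.
    if registrable_label(domain) in {registrable_label(d) for d in approved}:
        return "lookalike"
    if domain in PUBLIC_WEBMAIL:
        return "webmail"
    return "external"


def flag_for_review(from_headers):
    """Return (header, verdict) pairs for senders outside the approved domain
    that look like, or could be, company staff."""
    verdicts = ((h, classify_sender(h)) for h in from_headers)
    return [(h, v) for h, v in verdicts if v in ("lookalike", "webmail")]


if __name__ == "__main__":
    # Constructed sample headers, not real traffic.
    sample = ["Alice <alice@marksgroup.net>", "Alice <alice@marksgroup.biz>",
              "alice.marksgroup@gmail.com", "Bob <bob@supplier.example>"]
    for header, verdict in flag_for_review(sample):
        print(f"{verdict:10} {header}")
```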
To be sure, not everyone does this for nefarious reasons. In fact, it’s not uncommon that I receive an email from an employee at a customer or supplier from their own personal account. Sometimes entire companies share one email account like email@example.com. And it’s possible that Clinton had her own legitimate rationale for using another email account. But you need to have a policy. Of course, the State Department had a policy but no one seemed to call Clinton to task even though many knew that she had this secondary account. Policies need to be enforced. Especially this one. Because an employee who uses a personal email account can create at least three big problems for your company.
For starters, there’s a big security issue. Clinton used her own email server and I’m going to bet that that server’s defense against malware and viruses was not as strong as the ones on the State Department’s servers. Anyone who’s using an outside service, even popular public ones, opens themselves up to this risk because users are allowed to control their preferences and many people don’t run local security applications to further safeguard themselves. Clinton could very easily have downloaded malicious software from her email that could have attacked files on her laptop or server or even have found its way into the government’s system. Once a device on a network becomes infected the chances of that infection spreading are high. And no organization wants to be brought down by a crypto-virus or some other form of malicious code that could lock up their system or subject them to paying ransom or losing important data. Particularly when it came from an uncontrolled, unsecured, un-approved source like a personal email account.
Secondly, there’s a data problem. Think Sony. Hackers found it easy enough to invade the film studio’s network and literally bring down its CEO with its public release of sensitive email exchanges. And Sony had a full-time IT team. The job is made much easier if private, less secure email systems are used outside of your IT team’s control. Data breaches aside, the lack of data is more concerning. Having a database of all email exchanges is not only important from a customer service and management perspective but missing data can prove to be a serious legal issue if it’s ever needed in a lawsuit. Not having the data in-house means there’s a risk of it not being backed up properly. Or becoming lost. Not only that, but having data outside of the company means that data can be sold or used by another company by a disgruntled employee. Or, in an extreme example, that same disgruntled employee could take an outside account that has been used for a while and send messages intended to damage or embarrass you and your company.
Finally, there’s consistency and branding. No offense to you if your company is still conducting business using a general AOL account but it looks really amateur. You need your own, secured domain that’s under your control and you need to require everyone to use it. I employ a lot of contractors in my business and insist on setting up email accounts for them so it appears that all communications from my company are coming from the same place. Emails from employees should not only be coming from the same domain but also contain similar signature lines, if only for consistency and branding purposes. It’s bad enough when a salesperson is emailing me information from his Gmail account but I wonder what people were thinking when they received official business emails from the Secretary of State from a different account and domain altogether? Even if innocently done, it still raises eyebrows and looks unprofessional.
Clinton’s problems are our problems too. If we’ve learned anything, it’s time to re-visit our email policies, insist on consistency and come down on people communicating our company’s business outside of our systems. We need to make sure our email security is current. We need to do a better job enforcing our company policies. And so does the government. Our IT people have been telling us to do this for a long time. It finally took Clinton’s problem to bring it to our attention. And our IT people, I’m sure, are grateful.