Hillary Clinton’s one-device issue is also a nightmare for employers
Hillary Clinton recently said she used a private email account when she was secretary of state because she didn’t want to carry two different devices — one for State Department business and one for personal emails. Many companies are grappling with a similar issue as employees ask for access to corporate networks on their own devices.
The bring-your-own-device trend is only growing: About 40% of U.S. employees at large enterprises use personal phones, laptops or desktops for work purposes, according to Gartner research conducted last June.
It does make life much simpler for employees, who don’t have to put two phones on the table at dinner to monitor work and personal emails and calls. It makes life hell for security and IT folks, who are stuck figuring out how to prevent employees from putting the corporate network at risk by connecting over public Wi-Fi, using weak passwords or clicking on bad links.
“These devices are outside of IT security control so it’s very hard for them to make sure proper protections are in place,” says Karl Sigler, manager of threat intelligence at the Chicago-based security company Trustwave. “If I get malware on that device, that malware is now inside the network.”
In Clinton’s case, she used a private clintonemail.com address run through a server on her property in Chappaqua, N.Y., rather than a .gov email address. Her aides have said it had “robust” security protections, but we don’t know what that entailed. She also said the server sat on property under the Secret Service’s purview, though that doesn’t mean much because it refers to the physical security of hardware, rather than safeguards that would prevent cybercriminals from conducting an attack remotely.
Large organizations generally have more robust technology than what would be attainable on an individual basis, Sigler said. But the perk of smaller-scale operations, like protecting one woman’s email account, is that security employees would have a stronger sense of where all the data is, unlike big enterprises that struggle to determine which digital assets exist across dozens of departments and which of them need safekeeping.
“Email is obviously a huge entryway for criminals to get inside networks and inside organizations,” Sigler says, referring to risks like phishing and malicious attachments.
The State Department itself has struggled with data security. The Wall Street Journal reported in February that three months after the agency discovered hackers in its unclassified email system, it still had not thrown them out.
Compromised mobile devices led to security breaches at 47% of the more than 200 companies surveyed by the Enterprise Strategy Group last year.
Security professionals ranked bring-your-own-device as their second-biggest cause of grief in a Trustwave survey released this month, and also called it their second-largest risk, after the cloud.
“It’s a huge issue and something that security folks and IT folks across every organization face in one sense or another,” Sigler says. “There’s no way to get around [bring your own device]. People are going to do it whether you like it or not. Trying to control that, you’re just trying to cage smoke.”