News
Hillary Clinton’s email server violated state department rules - expert comments
May 2016 by
Hillary Clinton’s efforts to move on from a damaging email controversy suffered their biggest setback yet on Wednesday with the release of an internal report finding she broke multiple government rules by using a private server rather than more secure official communication systems.
David Gibson, VP of strategy and market development at Varonis:
“At a time when employees at all levels are accessing and communicating sensitive and confidential information from mobile devices and home offices — whether expressly authorised or not — this case should serve as a wake-up call for organisations. Security controls that apply only to networks and on-premises infrastructure leave gaping holes. Organisations should be monitoring and analysing all of their authorised users and their interaction with all potentially sensitive data, including email. There is no telling how much damage can be done and go undetected without an inside-out approach.”
Simon Crosby, CTO and co-founder at Bromium:
"Anyone who has ever worked in a security sensitive organisation knows that email is the property of that organisation. Clinton knew this too. She either abused the system for convenience, or for reasons that we haven’t yet learned about. Whatever the case, it was blatant, insecure and risked disclosure of sensitive government data. If she is elected, I worry that cyber security will be treated with the same indifference or disregard, which is extremely concerning."
Oliver Pinson-Roxburgh, SE director EMEA at Alert Logic:
"This is a challenge as, in my experience, many organisations, rather worryingly, say “oh yeah we know they send mails home to work with, or we allow them to use their own PC’s at home for work or "I couldn’t tell if they used our tools outside of the organisation". They are often just relying on procedure to protect their data and employees. In most cases there are no controls to stop people leaking some very sensitive data online via email, or even by other means like social media. I have had experience of employees within organisations uploading content to untrusted websites with no thought for security and how it could potentially impact the company - they just have a job to-do so it’s just easy to Google a solution and use that, typically online solutions that collect data. Often this is not meant to be malicious; it’s just that they have not considered security and the potential exposure. The question is how many people would admit to doing it internally, and is the culture more aligned to brushing it under the rug so as to not be the next big scandal. It is also becoming more challenging with the way we work and our agile approach to working.
Without controls in place, or a way to validate that the user is not doing what they are not supposed to be doing, how can you really enforce procedures? Many organisations just don’t have the time or resource on their own to police it. Organisations need to think about monitoring sensitive data leakage and considering where data could be leaked and start hunting for it."
