A Cautionary Call To Action - InformationWeek

IT Leadership
11:50 AM
Joe Stanganelli

As former Secretary of State Hillary Clinton becomes ever more embattled in the press and in politics because of her personal email usage, we can draw lessons for enterprises and employees alike on contending with Shadow IT.

Shadow IT: 8 Ways To Cope

Early this month, the New York Times broke the story that Hillary Clinton exclusively used personal email for work purposes during her tenure as President Obama's Secretary of State. This practice was in potential contravention of federal recordkeeping laws, as well as information security best practices.

It later emerged that Clinton hosted her personal email account and associated domain ( on her own private server at her Chappaqua, N.Y., residence. Other government officials, as well as Clinton's daughter Chelsea, also had their own email accounts hosted on this server.

[ What other government officials have caused cyber security consternation? Read Clinton Email Fail: Worst Government Security Flubs. ]

Potential political and legal fallout aside, the saga highlights a problem all too common in the enterprise -- the use of personal email for business purposes.

"This is a wake-up call for all executives to realize the sensitivity and trappings of corresponding in electronic environments," said John Isaza, head of the information governance and records-management practice at California law firm Rimon, in an email interview with InformationWeek. "Working from personal email accounts is much more common than pundits would think." So-called Shadow IT has long been a growing problem in the enterprise -- long before the New York Times story broke.

"Imagine if Gmail gets hacked. Imagine all the confidential business information on Gmail," Sean Mahoney, a partner at K&L Gates, told attendees at the NRS Technology and Communication Compliance Forum in Boston in November 2014. "We're all kind of guilty of this … If Gmail gets hacked, it's a sorry day for the US, I think -- a sorry day for the world."

(Gmail is not the only game out there for hackers, of course. Longtime Clinton adviser Sidney Blumenthal had his AOL account hacked two years ago, resulting in leaks of sensitive Benghazi-related email correspondences between Blumenthal and Clinton.)

(Image: Blueboss via Pixabay)

Isaza told InformationWeek that the shadow cast by Shadow IT can often be inadvertent.

"It is easy to respond [to an email] from a portable device … without realizing it is going out from a personal account," said Isaza. "Presumably, the [organization's] BYOD policy will stress that personal email accounts are never to be used [for] business. Unfortunately, in practicality this can be a challenge. When a device has multiple accounts attached to it, one can easily foresee the user erroneously sending a work-related email from a personal account. Once that happens, the recipients may reply to all, and the stage is set for a breach in the BYOD protocol."

Unfortunately, there is only so much that organizations can do to police this sort of thing. For instance, employers cannot monitor personal email accounts without potentially subjecting themselves to violations of privacy laws such as HIPAA.
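Although an employer cannot look inside a personal mailbox, it does control its own mail gateway, and the two failure modes Isaza describes (an employee writing from a personal account, and a corporate reply-all that pulls a personal address into a work thread) are both visible there. The following check is an added illustration, not code from the article or from anyone quoted in it; the corporate domain, the employee directory, the webmail domain list and the gateway records are all constructed for the example.

```python
"""Gateway-side detection of work mail flowing through personal webmail accounts.

Added example; all domains, names and message records below are constructed.
"""
from dataclasses import dataclass
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-corp.test"          # assumed corporate domain (constructed)
PERSONAL_DOMAINS = {"gmail.com", "aol.com", "outlook.com", "yahoo.com"}

# Constructed employee directory: lower-cased display name -> corporate mailbox.
DIRECTORY = {
    "alice example": "alice@example-corp.test",
    "bob example": "bob@example-corp.test",
}

# Constructed gateway records, one dict per message as a relay might log them.
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "Alice Example <alice.example99@gmail.com>",
     "to": ["bob@example-corp.test"], "subject": "Q3 numbers"},
    {"id": "m2", "from": "Bob Example <bob@example-corp.test>",
     "to": ["alice.example99@gmail.com", "carol@example-corp.test"],
     "subject": "Re: Q3 numbers"},
    {"id": "m3", "from": "Vendor Contact <sales@vendor.test>",
     "to": ["bob@example-corp.test"], "subject": "Invoice"},
    {"id": "m4", "from": "Dave Stranger <dave@gmail.com>",
     "to": ["bob@example-corp.test"], "subject": "hello"},
]


@dataclass
class Finding:
    message_id: str
    reason: str
    address: str


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if malformed."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_reply(subject: str) -> bool:
    """True for replies and forwards, i.e. messages that continue an existing thread."""
    return subject.strip().lower().startswith(("re:", "fw:", "fwd:"))


def inspect_message(msg: dict) -> list[Finding]:
    """Apply both checks to a single gateway record."""
    findings: list[Finding] = []
    name, sender = parseaddr(msg["from"])
    sender_domain = domain_of(sender)
    recipients = [parseaddr(r)[1] for r in msg["to"]]

    # Case 1: a known employee (by display name) writing from a consumer webmail domain.
    if sender_domain in PERSONAL_DOMAINS and name.strip().lower() in DIRECTORY:
        findings.append(Finding(msg["id"], "employee sent from personal account", sender))

    # Case 2: a corporate sender replying or forwarding to a personal-domain recipient,
    # the reply-all scenario that drags a work thread into a personal mailbox.
    if sender_domain == CORPORATE_DOMAIN and is_reply(msg["subject"]):
        for rcpt in recipients:
            if domain_of(rcpt) in PERSONAL_DOMAINS:
                findings.append(Finding(msg["id"], "thread replied to personal account", rcpt))
    return findings


def scan(messages: list[dict]) -> list[Finding]:
    """Run inspect_message over a batch of gateway records."""
    out: list[Finding] = []
    for msg in messages:
        out.extend(inspect_message(msg))
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_MESSAGES):
        print(f"{f.message_id}: {f.reason} ({f.address})")
```

Against the constructed records this flags m1 (Alice writing from Gmail) and m2 (Bob's reply-all reaching Alice's Gmail address), while the vendor message and the unrelated Gmail sender pass. The display-name match in case 1 is a heuristic: a namesake outside the company produces a false positive, and an employee who changes the display name on the personal account slips through, which is why the check complements a BYOD policy rather than replacing it.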

Still, Isaza emphasized the importance of having in place a comprehensive BYOD policy (or anti-BYOD policy, as the case may be) for compliance purposes.

"Key areas to cover include guidance on acceptable uses of personal devices to transact official business, including instructions on distinguishing personal email account usage from official business accounts, [and] a section on risks, liabilities and disclaimers to help protect the organization against the employee misuse of the device," said Isaza. "Armed with the BYOD policy, other organizational documents … could get into the specifics of training and auditing the policy for compliance, as well as the frequency for these [audits]."

In his NRS presentation, Mahoney pointed out that vendors and other third parties with which an organization works should be surveyed for compliance with the organization's own policy, and that the organization should build that policy into third parties' contractual requirements.

Equally important, in any case, may be fostering a corporate environment where employees don't have to panic about how they can access their documents and complete their work (e.g., "There's a giant storm coming! How am I gonna get this project done?" as Mahoney put it). Effective cloud deployments can be helpful here.

With Shadow IT instances occurring at the highest levels of government, the threats of the phenomenon to the enterprise are clearly not going away anytime soon. "This is a reality and a change management gap that companies need to address," said Isaza. "Ultimately, it is about security of the data and communications."

How does your organization deal with the use of personal email accounts at work? Do you have any additional tips for IT on how to handle Shadow IT in the enterprise? Tell us all about it in the comments section below.


Joe Stanganelli is founder and principal of Beacon Hill Law, a Boston-based general practice law firm. His expertise on legal topics has been sought for several major publications, including US News and World Report and Personal Real Estate Investor Magazine. Joe is also ...
User Rank: Ninja
3/30/2015 | 3:22:25 PM
do you want control or ease of use?
If you want strict regulatory control over email, then you simply can't have a BYOD policy other than no BYOD. If employees are forced to use their work email over their work phone then there is very little room for confusion. Then if something like this happens it's much more likely it was intentional and not 'just an accident'.
User Rank: Moderator
3/26/2015 | 2:17:15 PM
Re: Device or Service?
If you want better security then any usage must be fully governed, and BYOD doesn't allow for that; and even after that, what is stopping a person from using another device, say a hotel "share" system, and committing the same acts?

This becomes the cost of doing business.
User Rank: Ninja
3/24/2015 | 3:02:36 PM
Re: A Cautionary Call To Action
I very much agree with your overall takeaway here, Joe; communications-based security concerns (be they e-mail or otherwise) are a persistent, legitimate issue, and they aren't going away any time soon. If nothing else, the fact that the Secretary of State was, at some level, infracting on this is evidence that this goes up to the highest level possible - and that there's no doubt it affects everyone in-between. I do think the ramifications of this specific story are being inflated a bit by other, click-hungry publications (Gawker called it a 'secret' e-mail address, haha) - it's worth noting that Mrs. Clinton already turned over all the e-mails from this account to public officials for review, and (according to herself) wants the public to see them. There's a lesson in there about tact and incident response (an important component) for CXOs, too. Nevertheless, we are talking about one of the highest offices in the world.

There's no shortage of issues here on the technical side (the need for a good MDM solution comes to mind), but I agree with your position that the non-technical is often just as or more relevant. Many security pros advocate mitigation and DR over prevention, and that seems relevant here. Whether willfully or accidentally, users are inevitably going to violate your policies. When you mentioned monitoring private e-mail, I couldn't help but think 'even if you did that, they would just give you a phony e-mail to monitor, and then use another one'. Expecting outside partners to adhere strictly to your policies also seems like a bridge too far outside of extremely sensitive industries (IE financial, gov't contractors) - after all, it's not like you'd want to adhere to theirs. I think it's more about finding a good fit and figuring out what's absolutely essential to you and what's an acceptable risk.
User Rank: Ninja
3/24/2015 | 10:58:53 AM
Device or Service?
Yes, BYOD does contribute to the issues you outline.

But what also makes it possible is all the free email services, free or low-cost texting, and free chat services.

One can have half a dozen free email accounts from different places. As long as these free services are around, the problem may never be solved.