Hillary Clinton’s decision to use her personal email account to send official messages is the same one millions of employees make every day. Using personal accounts and devices – laptops, smartphones, USB dongles – at all hours has become a near-requirement to keep up with the demands of corporate America.
In remarks to the press after a speech Tuesday at the U.N., Clinton, a likely candidate for president in 2016, explained her use of her personal account as a matter of convenience. “Looking back, it would’ve been better to use two separate phones and separate emails accounts,” Clinton said. “I thought it would be simpler, but looking back, it obviously hasn’t worked out that way."
She said the “vast majority” of the emails sent from her private account were sent to government email addresses, meaning they’ll be automatically saved, and that she’s asked the State Department to publicly release all her work-related emails.
But Clinton's email flap points to a larger issue: As more employees use their personal devices for work purposes (about 40 percent, according to a recent Gartner study) , the risk of hacking threats increases dramatically. Clinton said no classified documents were sent by email, but most security threats come when well-meaning employees make mistakes with personal tech.
“Someone’s carelessness can be as devastating as someone’s intent to cause harm,” said Aftab Jamil, partner at BDO, a tech consulting firm that regularly surveys corporate risk assessment tactics. “Many times the threat comes from a terminated or disgruntled employee. Oftentimes a company will terminate an employee and fail to terminate that person’s access or deactivate their network badge immediately.”
The State Department said it will take “several months” to sort through and release the emails in question.
But if security experts are correct in their assertion that Hillary Clinton couldn’t have used proper security protocol or encryption methods, then the former secretary of state will never know if her communications were ever monitored or stolen. The private sector is trying to avoid that fate by investing in a range of detection methods that aim to identify and eliminate a threat before hackers can cause much damage.
Corporate America is increasingly turning to advanced technologies to know when the wrong person is accessing data. The U.K.-based cybersecurity firm Darktrace uses what it calls the “enterprise immune system” to identify unusual activity.
If an employee at one of Darktrace’s clients leaves his personal laptop in the airport, anyone who picks it up would have access to everything on that employee’s corporate account. But Darktrace alerts the company if that account starts trying to access sensitive information.
Darktrace was founded in 2013 and has padded its management team with former members of the U.S. National Security Agency and the GCHQ, the NSA’s British equivalent. Along with Virgin Trains and Drax Power, they work with the financial firm Phoenix American, the Norwegian insurance company DNK, Netswitch IT and others.
Darktrace is on track to install 400 times more systems than it did in 2014, Eagan said, thanks to growing corporate fear in the wake of the highly visible hack on Sony Picutres. The CEO compared her company’s approach to the way the human body acts differently when something’s amiss.
“There will be bacteria and viruses in our bodies, but our immune system is able to detect things that are unusual,” she said. “There is tremendous demand in the market and an amazing uptick over the few past months especially.”
More companies are limiting network access to authorized computers and smartphones. Other companies have simply ended remote access, productivity be damned. The rise of geo-fenced encryption has made it possible for a company to restrict access to its networks from outside a pre-determined location, perhaps within two miles from the office.
“Any large Fortune 500 company has a dedicated insider threat program that has a responsibility to make sure the technical and human safeguards are in place,” said Armond Caglar, a senior threat specialist at the cybersecurity consultancy firm TSC Advantage. “They have acceptable use policies, including specific firewalls to connect to virtual private networks, what kind of content you can reach from home, things like that.”
But it’s clear that most companies outside the Fortune 500 are still lacking in proper protections. The Clinton flap suggests even the most powerful government officials are still catching up, and Caglar says it's just a matter of time before smaller companies have to invest in tighter security.
It's a risk the "vast majority of companies are ignoring at their own peril,” he said.