By now, you probably know that most of the claims surrounding Hillary Clinton’s email problems are bogus, with the exception of a few that are total hogwash. I won’t go into exhaustive detail here, since I’ve already done that. But now, as the drip-drip of revelations grows, it’s worth noting that it doesn’t have to be this way.
In fact, as I was reminded by a friend of mine shortly after my previous column came out (shortly, meaning about 15 minutes afterward), there’s at least one product available that, had the State Department used it, would have ensured that all emails were classified appropriately. But, of course, the State Department didn’t use email security software, especially not on the renegade server at the secretary of state’s house in New York.
Unfortunately, all the would-have or could-have statements out there assume that there’s some desire or even an inclination to protect data from even the most basic threats. In the case of the Hillary Clinton, the apparent concern wasn’t so much security as it was being free from probing from Congress or the media. Also, unfortunately for the former secretary of state, that part of the plan didn’t work out very well.
My friend Elizabeth Safran reminded me of a company, Secure Islands, which makes a series of products that handle email securely, and even include a means of requiring that the appropriate classification for each message be entered into the application before it’s sent. She also pointed out that the product encrypts email, reducing the risk of a breach even if the email is somehow collected. The product, IQProtector, is available for mobile and enterprise email systems. (In the interest of full disclosure, Elizabeth handles PR for the company).
Had the former secretary of state used a product such as IQProtector, most of the fuss about her private server would have vanished. While there may still have been questions about motives, at least there would have been far less concern about any breach of classified information.
The problem, unfortunately, is that such steps weren’t taken. Here the former secretary of state is much like a broad swath of organizations caught with their pants down when faced with security challenges. There are plenty of other examples.
Recent revelations about Target’s breach of nearly two years ago show that the company failed to take even the most basic steps to ensure security of the information they were required to protect. Recent revelations about the U.S. Office of Personnel Management breach show that the OPM failed in ways far worse than were expected at the time, and in the process, endangered the lives of government employees serving in some very difficult positions.
This list of organizations and executives caught off-guard is much longer, but you’ve heard it before. The actions not taken, the steps not made, the opportunities lost all build up in ways that would make a good novel, except that they would strain the suspension of disbelief.
The fact that Target had actually implemented a FireEye security system, which had detected the breach in plenty of time to stop it, was only the first dropped ball for Target. In addition, Target had installed Symantec Endpoint Security on computers throughout the company, and that security software had also detected the malware that was siphoning credit card numbers out of Target’s point-of-sale computers.
How Hillary Clinton’s Sensitive Email Problem Might Have Been Avoided
All of Target’s security protections sent out high-priority alarms as soon as the malware and the data breach were detected. The hackers left a broad trail behind them, including files containing the stolen credit card numbers and indications as to who and where the hackers were. The Target breach could have been stopped at any time before the data was removed from the network.
Yet nothing was done. Apparently Target’s security staff ignored the warnings and took no measures of any kind. The staff even turned off functions within the FireEye security system that would have removed the malware automatically. While the turn of events could cast serious questions about the Target staff, the reality appears to be that they simply didn’t know what to do.
This also seems to be the case with the OPM breach. Despite being chronically underfunded, there were some basic security moves that its IT staff could have done, if only they had thought to do so. In that case, simply following good security practices would have cost nothing, but doing so did require thought and effort, which do not appear to have been present at OPM.
Of course, these are not the only instances in which human factors were a primary cause of a breach. They just happen to be two of which most people have heard. But as Target demonstrated clearly, buying the right products does you no good if you’re too dumb or too untrained or too unmotivated to use them. And as OPM demonstrated, you don’t need to have a ton of money to take appropriate security steps; you simply have to decide to take them.
Likewise, securing the former secretary of state’s ad hoc email system was possible, and might have prevented much of the questioning that’s going on now. But that would only work in the presence of a desire for a properly secure system in the first place.
While the people at Secure Islands appear to have built an effective, easy-to-use solution to keeping email secure, that alone won’t solve problems for organizations that will not or cannot use it. The first step in security has to be a desire to secure your data. Unfortunately, there’s no product in the world that can implement that desire.