Here it is nearly a year after the disclosure that former U.S. Secretary of State Hillary Clinton, currently seeking a new job, had violated a series of regulations about the use of government email and we’re still seeing more damaging revelations.
Compounding the issue are recent reports that current U.S. Secretary of Defense Ashton Carter used his personal email account after he took office, even though he knew it was wrong. Why can’t high government officials follow clearly-established policies for email security and preservation?
Ms. Clinton has claimed various excuses as to why she didn’t use government email channels saying that it was more convenient to use her own, or that all of the other secretaries were doing it, or that she didn’t use it for classified information, anyway.
Subsequent revelations have shown her claims to be inaccurate, but I’ll leave it at that. Mr. Carter, who says he knew better, apparently used his personal email for expediency, because it was on his iPhone.
As entertaining as this political reality show may be in Washington, you really don’t want your company to be like that. You especially don’t want to find out that your key employees are carrying sensitive company information around on their personal phones, and you don’t want to find out that information that’s subject to compliance regulations is somehow showing up on Gmail.
This means that you need to examine your own email practices, and your company’s practices and policies. In addition, you also need to pay attention to what your employees are actually doing and, if you see them violating your company email policy, you need to take corrective action.
Your company should have a communications policy in place. If it doesn’t, it should set one up soon. If you really don’t care where your company data goes or who has access to sensitive internal information, then you don’t need a policy. But you might need a lawyer, sooner rather than later. While you have to decide what will work for your company’s culture, there are a couple of things to keep in mind.
First, you need to reflect on your company’s exposure to regulations for data protection. If you handle sensitive information that belongs to others, whether it’s credit, health, financial or any other type of data that’s subject to compliance rules, then you will need an email policy, and it needs to satisfy those compliance requirements. It needs to be in writing and it needs to be enforced.
Second, if your company has other sensitive information in the form of customer lists, inventory, trade secrets or personnel files, then you need a policy. While the loss of some of those items may not be illegal, it could cost you your business. The loss of sensitive personal information could attract the worst possible type of attention from unfriendly lawyers.
Third, every business handles money, usually lots of it that you need to keep safe—otherwise, you won’t have any.
Keep Hillary Clinton in Mind When Enforcing Email Security Policies
Losing money isn’t illegal as long as it’s yours, but it usually means you will soon lose your business, too.
Now, think about what should be in your email policy. For your business, the best solution is also the most secure solution. You should operate your own email system and you should set it up from day one so that it’s secure. This means, among other things, making it possible for your employees, including your contract employees, to use it both in the office and remotely.
By requiring all your employees to use a corporate email system, you have control over things like encryption. You can erase company email from lost, stolen or departed phones and other mobile devices. It also enables you to enforce sound security practices such as having strong passwords and even two-factor authentication.
It’s possible to have reasonably secure email in a variety of ways. Of course, you can operate your own servers, but you don’t need to. Hosted company email with servers in the cloud are widely available and with that you get the help of experienced administrators. It may not be a free service as it might be if you let employees use personal email, but then again, losing your data and eventually your job isn’t free either.
You also need to get the support of the managers and the directors of your company. This means getting your chief executive to understand the risks involved with personal email, and getting the C-level support necessary to enforce whatever you decide are your company’s best practices. This may also mean support for the consequences that happen when you find your CFO doing his work using his AOL account.
Some decisions may be a little counter intuitive. Why, for example, should your company support independent contractors by providing company email? Yes, it does cost money, but it also helps ensure that those contractors are less likely to leak important information. In addition, you can provide this email while still not allowing the contractor to seem as if they’re an employee of the company by appending their name with the word “Contractor” when it shows up in someone’s inbox.
And part of this means you may have to lose a little of your hard-earned popularity when you change the settings on your company firewall so that employees can’t reach their personal email services from inside the company.
But don’t worry—you’ll be even more unpopular when employees realize you’re checking incoming email to spot company messages from non-company sources. Your firewall probably can’t do that, but other employees can if you offer them an incentive to report violations of the company’s email policy.
Nothing you can do is a substitute for the willing participation of your employees in making your email system secure, but your policies and the way you enforce them can provide encouragement and act as a reminder. Best of all, nobody will accuse you of displaying Hillary’s disregard for established policies.