Personal email servers: What are the security risks?

Hillary Clinton has taken much criticism over the use of a personal email server. Expert Michael Cobb explains the risks of shadow IT email and what enterprises can do about them.

Former Secretary of State Hillary Clinton has come under fire for her use of a personal email server rather than solely relying on a government-issued email account. While I understand there are implications for national security because of this, are there any lessons enterprises can learn? Are there security controls that can be put in place if employees or executives use personal email servers?

Most organizations suffer from shadow IT, where individuals and even whole teams circumvent IT policies and set up unauthorized cloud services or install their own software. The Cloud Security Alliance's Cloud Adoption Practices & Priorities Survey Report 2014 found that nearly 72% of IT managers didn't know how many shadow IT apps existed within their organization. Hillary Clinton's use of a private email server and address for government business is a good example of the problems shadow IT can cause. Top secret information was transmitted over a network that probably didn't meet the requirements for processing such highly classified information. It also creates problems with archiving and e-discovery. The Federal Records Act requires government officials to preserve emails on department servers, and most organizations need to archive emails for various periods of time depending on the regulatory framework within which they operate. E-discovery becomes almost impossible if emails and documents are spread across employees' own personal email servers and accounts.

Enterprises have to know where their data is in order to build an appropriate data security strategy to protect it. Cloud computing is making the task a lot harder, and shadow IT makes it impossible. Finding which cloud applications are being used by employees is a job for an automated tool. For example, CipherCloud offers Cloud Discovery, which searches for and risk-assesses all the cloud applications being accessed by an organization. Netskope's Advanced Discovery and Skyfence's Cloud App Discovery are other tools that enable administrators to assess authorized and unauthorized cloud application usage.
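The kind of log analysis such discovery relies on, applied here to mail protocols, as an added example that is not from the original article or from any vendor's product: it flags allowed connections on SMTP, IMAP and POP3 ports to hosts outside an approved list. The log format, IP addresses and allow-list are constructed for illustration.

```python
import re
from collections import defaultdict

# Ports for SMTP relay/submission, POP3 and IMAP (plain and TLS variants).
MAIL_PORTS = {25, 465, 587, 110, 995, 143, 993}

# Constructed allow-list: the organisation's approved mail hosts (assumption).
SANCTIONED_MAIL_HOSTS = {"198.51.100.10", "198.51.100.11"}

# Constructed egress firewall log lines; the format is hypothetical.
SAMPLE_LOG = """\
2016-04-02T09:14:03Z ALLOW src=10.1.4.23 dst=198.51.100.10 dport=587 bytes=18234
2016-04-02T09:14:41Z ALLOW src=10.1.4.23 dst=203.0.113.25 dport=993 bytes=48211
2016-04-02T09:15:02Z ALLOW src=10.1.7.80 dst=203.0.113.25 dport=443 bytes=9120
2016-04-02T09:16:55Z DENY src=10.1.9.12 dst=192.0.2.77 dport=25 bytes=0
2016-04-02T09:20:10Z ALLOW src=10.1.4.23 dst=203.0.113.25 dport=465 bytes=73400
2016-04-02T09:21:37Z ALLOW src=10.1.5.61 dst=192.0.2.77 dport=143 bytes=5120
corrupted line without fields
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)

def find_unsanctioned_mail(lines, sanctioned=SANCTIONED_MAIL_HOSTS):
    """Summarise allowed mail-protocol flows to hosts outside the allow-list."""
    flows = defaultdict(lambda: {"ports": set(), "connections": 0, "bytes": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "ALLOW":
            continue  # skip malformed lines and traffic the firewall blocked
        port = int(m["dport"])
        if port not in MAIL_PORTS or m["dst"] in sanctioned:
            continue  # not a mail protocol, or an approved mail host
        flow = flows[(m["src"], m["dst"])]
        flow["ports"].add(port)
        flow["connections"] += 1
        flow["bytes"] += int(m["bytes"])
    # Largest transfers first: those are the flows to follow up on.
    return sorted(flows.items(), key=lambda kv: kv[1]["bytes"], reverse=True)

if __name__ == "__main__":
    for (src, dst), info in find_unsanctioned_mail(SAMPLE_LOG.splitlines()):
        print(src, "->", dst, sorted(info["ports"]),
              info["connections"], "connections,", info["bytes"], "bytes")
```

This only sees mail-protocol traffic that crosses the corporate egress firewall; webmail over HTTPS and a server reached from outside the network do not appear in it.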

But tracking down private email servers is not easy, so the problem needs to be tackled from a different angle. The main reason people use shadow IT is convenience, so enterprises should create a procedure that makes it easy for departments, teams and individuals to request to use alternative services or systems. Build consensus when developing the policy so it won't be seen as an arbitrary set of rules handed down from on high. When people understand why they need to do something, they are far more likely to do it, so highlight the risks shadow IT introduces to the organization and for the employee. Overly strict security policies can backfire, as employees will try to circumvent them, so make an effort to approve a request or offer a compromise when an employee makes a valid request.

In addition, enterprises should ensure employees are aware of the disciplinary consequences of noncompliance, while security training should highlight the risks of shadow IT; a personal email server will lack all the safeguards and physical protection of on-premises corporate servers, and may well be in breach of various legal and compliance requirements. If you feel your enterprise is at risk from shadow IT, try declaring an amnesty so employees can own up without fear of dismissal. This at least gives you the opportunity to get shadow IT under control before bringing in new measures to stop it spreading again.


This was last published in April 2016


Join the conversation

4 comments


For most people it may not be an issue. Someone in her position is a much bigger target for an attack. When it comes to a personal e-mail server, you are only as safe as the person who maintains the security if at all.

How does your organization scan for shadow IT such as personal email servers and accounts?

I have been following this off and on and never gave it much thought as to why she wanted a personal server?? Most people do not have one or even need one. The only reason I can see for a personal one is so you can do things you want nobody else to know what you are doing.

Whatever her reasons, right or wrong, good or bad, this may have been the single most ill-advised tech move ever. It smacks, not of necessity, but of private privilege. The hoi-polloi may not even know what an email server is or does, but the whole thing tars HRC as oblivious.
