
Petraeus scandal holds lessons in email security policy, e-discovery

Mixing business and personal email accounts has serious drawbacks, as well as consequences on IT teams managing data integrity.

No one, not even the director of the CIA, is immune to exposure by way of electronic communications, said experts who pointed out that the Petraeus scandal presents a good opportunity to remind employees that using business and personal email accounts has drawbacks.


The scandal should also act as an impetus for corporations to review policies governing email use and examine how system performance may be impacting employee behavior.

The downfall of former CIA Director and retired four-star general David Petraeus stemmed from an FBI harassment investigation initiated after a third party reported threatening emails from an anonymous account; that account was subsequently traced to biographer Paula Broadwell, with whom Petraeus has now admitted having an affair. Without the digital email trail, the affair may have gone undiscovered.

"What the Petraeus scandal shows us is that email is a very open and a very leak-able form of communication," said Orlando Scott-Cowley, a messaging security and compliance evangelist for email archiving and security firm Mimecast.

While it is to be expected that those engaged in unsavory activities will likely resort to the use of private email accounts for fear of being sanctioned by their employer, in many instances employees who are merely trying to get their jobs done in an efficient manner may be inadvertently driven to use their own email accounts because corporate systems prove to be too inefficient, which in turn has the potential to put sensitive company data at risk. Experts say it's likely that organizations haven't effectively communicated email security policy to employees.

"Too much security and you effectively stop your business from working and even unknowingly encourage employees to look to other solutions," Scott-Cowley said. "Our Generation Gmail report, published last year, revealed that users will often utilize their personal email accounts if their corporate systems are too restrictive, so getting the balance between business and security is vital."

The study Scott-Cowley referred to looked at employee attitudes towards corporate email systems and found that nearly 80% of the 2,400 survey respondents admit to sending work emails from their personal accounts. The problem stems partially from a lack of security awareness training and partially from data management issues, with 40% of employees indicating that if they had unlimited storage at work they would be less likely to use personal accounts.

Security awareness regarding the acceptable use of email accounts gets even more difficult higher up the corporate ladder, as the data exchanged tends more often to be of a highly sensitive nature, and bad habits at the executive level prove to be harder to change.

"In light of the Petraeus incident, now is the time for enterprises to revisit security education and awareness programs, especially in the C-Suite, where these users are classically the hardest to educate, even though they understand the risks and implications to their businesses the most," Scott-Cowley said. "Making this point to management is vital, as all too often security training overlooks the C-Suite because those users are deemed to be 'senior' or 'responsible enough' not to need training, but as we’ve seen in the Petraeus matter, the higher they are, the further they fall."

The e-discovery lessons via Petraeus fallout

The Petraeus scandal also holds lessons to be learned about the nature of e-discovery in the course of investigations as it relates to private data contained in email accounts. In spite of the attempts to conceal the use of the anonymous account, it was forensic examination of email metadata and good fieldwork by agents that led investigators first to Broadwell, then ultimately to Petraeus.

"Despite all efforts to cover tracks, email leaves a very noisy digital paper trail that will lead straight back to your cubicle and any of your inboxes," Scott-Cowley said.

Robert Gezelter, a software and security consultant whose practice in computer science and technical matters includes elements of e-discovery and computer forensics, warned that information inadvertently uncovered in an investigation can have an unforeseen and detrimental effect on the reputations of those involved, as well as innocent third parties, and can ultimately tarnish an organization's brand if it makes its way into the public sphere.

"For many years, I have advised corporate executives and attorneys that this is a more significant hazard than is appreciated," Gezelter said. "In this case, the simple investigation of several anonymous, possibly threatening emails has led to the disclosure of an already ended extramarital affair, as well as other private correspondence involving unrelated parties."

Once an organization is subjected to exposure of private or proprietary information, it loses the ability to effectively orchestrate messaging and manage damage control efforts, which can undermine customer and shareholder confidence and threaten the company's bottom line, regardless of any actual improprieties.

"I find it particularly disturbing that raw material involving others has been referenced in newspapers and other outlets. This public airing or allusion to raw investigative material is inappropriate. If there is a criminal violation, prosecute. If not, there is no reason for publicity."

In the end, the Petraeus scandal should act as a catalyst for organizations to review the controls in place for governing corporate email systems, how those systems influence employee behavior and attitudes, and the potential impact the disclosure of sensitive communications could have on enterprise reputation management, before an incident produces unanticipated and potentially negative consequences.

About the author:
Anthony M. Freed is an information security journalist and editor who has authored numerous feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. You can also find him tweeting about security topics on Twitter @anthonymfreed.
