Reading the news that CIA Director John Brennan’s personal email account was allegedly hacked, I couldn’t help but feeling a little despair.
If the Central Intelligence Agency can’t keep its secrets — particularly after the previous director of the CIA had had personal emails end his career — how is a small business juggling limited budget and a shifting workforce?
The answer has traditionally been to set up and enforce strong policies: Here’s what you get and if you don’t follow the rules, you get fired (or at the very least, a stern talking to).
That approach has failed disastrously. Severely locked down systems have hampered productivity, which might be worth the cost if employees hadn’t simply routed around the approved systems and gone with their own solutions.
In the case of Director Brennan, the workaround appears to have been to use an AOL email address in between stints at the agency.
And he’s obviously not alone. Hillary Clinton took things a step further famously set up her own email server while Secretary of State.
But even beyond email, I think things are more wild west than people are willing to admit. How many companies official communicate and organize via SharePoint, then have a shadow Intranet running on Slack? Who is setting the policies there, and ensuring that former employees can no longer listen in on what their erstwhile colleagues are up to? (Anecdotally, I know of one mid-sized business that I’m told has as many active “alumni” as current employees using its official Slack installation — and that’s one that their IT department is nominally overseeing.)
Awareness and training have improved lot over recent years, and enterprise products continue to improve. What seems to be only getting worse, however, is the end result: More data keeps leaking, the walls of the business become ever more porous, and few good solutions seem to present themselves.
I’m curious as to what approach you’d recommend: How can we secure out business data? Which vendors are giving you tools that you feel actually help? Will you favor education or enforcement? Most importantly, what have you seen actually work?
Let me know, in the comments or via my (official) email at [email protected].
