What can we learn from the Clinton Email Server? A Non-Partisan Commentary

Posted in: Commercial Insurance

Businesses have to use technology to compete and by doing so they are exposed to new risks related to data and network security. Yet options to do anything meaningful to protect data and networks can be confusing, limited or simply inadequate. Further complicating the issue is that society and laws are struggling to catch up with technology so it is difficult to fully understand cyber risks and the financial consequences of doing business in the cyber age. This reality can make it difficult for leadership teams in organizations to determine the best way to approach cybersecurity.

Successful cyber risk management strategies include direct involvement from organizational leadership that elevates cybersecurity to a business function cutting across people, process and technology. Unfortunately, in many instances for a variety of reasons, businesses hyper focus on technology and fail to consider the importance of people and process in their approach to cybersecurity. This can create conditions where cybersecurity and usability are at odds leading to new unexpected vulnerabilities.

The good news is that there are ways to approach cybersecurity that infuse process, people and technology. And, there is a lot that can be learned from the high profile and visible examples of breaches and cybersecurity failures that are in the headlines. A good recent example is the highly publicized Clintonemail.com server debacle.

What Went Wrong?

According to a recent article published by Tech Crunch titled, “Whats this Whole Email Thing About, Anyway,” at least one purpose for using the private Clintonemail.com server was to work around security technology Clinton felt was not usable and made electronic communication cumbersome and out of alignment with the demands of the job. While it is likely the creation of the private email server did make it easier for Clinton and her staff to communicate, it also circumvented important security controls protecting sensitive information.

Is Your Insurance Broker Helping You Prevent Claims Before They Happen?

Control Costs with safety Services

What Can We Learn?

Without knowing all the facts, the Clintonemail.com server issue is still a great example of how the human factor can completely neutralize security controls if those controls conflict with usability and are bypassed by users. Despite the fact that protecting classified information is central to the mission of the Department of State, Clinton developed and implemented a more efficient, yet less secure unapproved workaround to communicate electronically. In this case it seems efficiency was more important to the end users (Clinton and her team) than the risk of possibly exposing classified information.

Unlike the Department of State, most organizations are not charged with protecting classified information, the consequences of cybersecurity failures are less known and there is often limited oversight of employee activity. It is logical to assume that that employees in organizations of all sizes are putting their employers at risk by working around security controls and willfully or unintentionally ignoring technology use policies. Think about your organization for a moment, do you know if your employees are following technology use policies and using official approved methods for storing and communicating sensitive data?

The most important take away from this high profile example is that security controls are only effective if they are used, and there must be a balance between security and usability. Now is the time to think about how your organization encourages a cyber secure culture and handles technology use and cybersecurity policies. Here are some quick tips that can help you with the process:

Tips to increase balance between security and usability of existing cybersecurity policies:

  1. Create a Cross-Functional Security Policy Development Team: Most companies have security policies and technology use policies that have been developed organically or on an as-needed basis. Revising policies, educating users, ensuring policies are followed and technology is used correctly can be more of a challenge. One strategy to improve the security policy development, revision and implementation process is to create a Cross-Functional Security Policy Development Team. The team should be comprised of a member of the leadership team as well as individuals from each major business unit. Business unit representatives should have institutional knowledge about the organization as well as experience using critical systems, applications and technologies common to users in their area. The team must also include a member of the IT or cybersecurity team.
  2. Establish Cyber Champions: After the Security Policy Development Team is established, members from each business unit will become cyber champions for the organization. Everyone in the organization should be aware of the designated cyber champion for their business unit. Cyber champions play a critical role in building a cyber aware culture in the organization by establishing a communication channel to disseminate information about security policies, technology use policies and consequences of not following policies or using technology incorrectly. For individuals in each part of the organization, the cyber champion is the go to person to raise questions, concerns or issues with policies that impact usability and the ability to get the job done. They can also serve as the liaison to the IT or cybersecurity team and be the first point of escalation for common cybersecurity related concerns individuals encounter. The cyber champion role can also be expanded or leveraged in other activities designed to encourage cybersecurity awareness and the development of a cyber aware culture.
  3. Bottom-Up Feedback Channels: Talking about cybersecurity problems and raising concerns about organizational policies that don’t work can be intimidating for the average person. There have to be consequences for ignoring policies and misusing technology, but there also needs to be a place to turn when something doesn’t seem right or when technology and policies prevent people from doing their jobs effectively. The cyber champion in each business unit can serve as the point person to help increase communication to the IT/Cybersecurity teams and also raise individual concerns to the security policy development team and leadership for the purposes of continuous improvement, oversight and enforcement.
  4. Leadership Engagement: It is important for the team to meet on a regular ongoing basis and at least one permanent member of the leadership team should attend each meeting. Leadership participation will give legitimacy to the team and show the entire organization that cybersecurity is an organizational priority. Participation from leadership is also required to maintain a two-way communication channel from the bottom up and top down throughout the organization. During the meetings the team will discuss new policies, review existing policies, share technology use trends/issues and employee feedback from each business unit in the context of the current and emerging threat landscape. These meetings also give the IT/Cybersecurity team a chance to educate leadership and users about cybersecurity successes as well as new and emerging threats.
  5. Repeat and Expand: Cycle the members, update scope and responsibilities of the team as necessary to meet the needs of the organization as priorities change and the threat landscape evolves. Use employee feedback to improve policies and keep everyone in the organization engaged in the development and implementation of policies. The commitment from leadership combined with ownership and involvement from individuals throughout the organization will not only encourage correct behavior and enable oversight and enforcement, but also help turn the human factor in the organization into a cybersecurity asset.

At PSA, we believe that technology should enable business not prevent it, and cybersecurity is an organizational strategy, not something that lives behind a locked door or in the cloud. If you would like to learn about how cyber insurance can help your organization manage cyber risk, or if you are simply interested in a conversation to help implement the tips discussed in this blog we are happy to assist. Feel free to contact me at mvolk@psafinancial.com.