Last week, Alaska Governor Palin’s Yahoo! personal account was hacked and some of the contents from her email account were posted on a variety of Web sites. Obviously, the story was particularly noteworthy because of the governor’s role as a vice-presidential candidate, but also because she was accused of using that account to conduct official state business in her role as governor.
However, the individual who reportedly hacked into her account – the 20-year old son of a state representative from Tennessee – claims that he did so in order to determine if the governor used the account for official state business. He stated that he found no evidence that the account was used for that purpose.
While much was made of the allegation that Governor Palin used her personal Webmail account to conduct official business, a survey that Osterman Research conducted last year found that this practice is fairly common – 47% of the organizations we surveyed allow their employees to use personal email for business purposes. This is a fairly common business practice when a primary email system goes down, when corporate limits on attachment size prevent large files from being sent, etc. Plus, there are some capabilities in consumer-oriented systems that surpass those of many corporate systems. While some likely use personal Webmail accounts to circumvent archiving or data leak protection systems, that practice is probably not as common as many believe it is.
There are a couple of important lessons that all of us can learn from this story. First, consumer-oriented Webmail is fairly easily hacked – the individual who claimed responsibility for hacking into Governor Palin’s account said that he spent less than one hour on Google and Wikipedia to find out what he needed about her personal life in order to have her password reset. Using personal email for business purposes is clearly not a best practice from a security perspective.
Second, IT departments need to ensure that users employ personal Webmail accounts in a way that is consistent with corporate policies focused on security, archiving, etc. While there’s nothing inherently wrong with using personal Webmail for business per se, it might not be the best choice for all organizations.
Oct 06, 2008
Source: http://www.ostermanresearch.com/ |
