Posts Tagged Yahoo! mail

Lessons from Yahoogate

They say you can find anything on Google. Turns out it’s especially useful when one is searching for personal data to crack a Yahoo! Web mail password.  

 

In the remote case you missed it: Vice Presidential candidate Sarah Palin’s Yahoo! Webmail was hacked last week, and the contents were posted on Wikileaks.  Wired reported that the hacker easily broke into Palin’s Webmail, hoping to find incriminating evidence that could derail her campaign.

 

We see this happen a lot. While IT installs email and IM archiving software, the workforce moves its personal and sometimes ill-advised communications to what I would call rogue channels. These channels include Webmail, public IM, Skype, and even Facebook. Employees think that management doesn’t monitor or control these tools, so they become an appealing place for improper or even illegal activity to occur.

 

Michael Osterman explained this well when he wrote about the lessons IT should learn from the Sarah Palin Webmail hack.

 

More examples of infamous rogue channel use in recent times include Senator Mark Foley, whose IM conversations with an intern cost him his job; Jerome Kerviel, the French banker who allegedly cost his company $7B; and Scott Sidell, the former CEO who funneled client lists to himself through Webmail.

What are your employees doing through Webmail, personal IM networks and social networking sites?

When I ask IT professionals the above question, the majority respond (very confidently) that nothing rogue or unsanctioned is happening on their networks. Common responses include, “We block it with our firewall” or “we have a policy against it.” Then we deploy an evaluation unit and provide a report of actual employee-initiated traffic, and it becomes clear: hope is not a strategy.

As customers move to adopt Unified Communications platforms from Microsoft, IBM and others, I believe the same issue will exist – employees will use personal systems and corporate-sanctioned systems interchangeably. IT will have the hard task of managing policies and controls consistently across this heterogeneous environment.


Caught Stealing with Yahoo! Mail?

Does an employer have the right to access an employee’s PC and everything on it? Scott Sidell says no. I read about his situation in the New York Times and Ars Technica. Scott is the ex-CEO of Structured Settlements, who was hustled out of his office after being fired. Apparently, he was logged into his Yahoo! email account when this happened and now Scott alleges that his former company snooped around and copied files from his email account. They found that he’d transferred sensitive company documents, including customer lists and terms of deals, to his personal account. The company also monitored Sidell’s conversations with his lawyers about how to win the arbitration over his firing.

 

A ruling on Sidell’s complaint has not yet been made, but he might find the court on his side, since this case could be influenced by a decision made two weeks ago by the US 9th Circuit Court. According to the recent ruling, personal messages sent via work equipment are off limits to search by an employer unless the employer has an existing practice of regularly accessing the equipment.

 

This case is most interesting to me because Scott was allegedly caught sending company data to his personal account. He just happened to be caught. My guess is that thousands of companies lose confidential or sensitive information this way and don’t even know it. Trade secrets are escaping through consumer communication channels such as IM and Skype all the time. Malicious behavior has always filtered through the “corporate back alley” – a savvy employee who knows which communication routes are monitored, and is smart enough to pick the route where they won’t get caught.

 

This is also another good example of the blurred lines between work and personal communications technology. What belongs to my employer when I check Web-based email on the company-owned laptop from home? What can I keep private when I text my friends from my work-provided cell phone? Where is the common ground between an employee’s privacy and a company’s network? Companies looking to create or revise their Internet policies should be clear with employees about how they monitor their communication channels.
