The next time you're chatting with the CEO of your company, find a way to work this question into the conversation: what percentage of the organization's official business do you conduct using your personal email account?

On this topic, let the cyber-scandal involving Hillary Clinton serve as a cautionary tale. The former U.S Secretary of State is under fire for exclusively using her personal email account in all job-related matters, according to The New York Times, which first reported the story.

"Mrs. Clinton did not have a government email address during her four-year tenure at the State Department," the report says. "Her aides took no actions to have her personal emails preserved on department servers at the time, as required by the Federal Records Act."

Use of private email in an official capacity is not illegal. But it is intended to be used only in times of emergency, such as server failure, according to the Times.

Furthermore, all sent and received emails using federal officials' personal accounts are supposed to be archived on government servers for record-keeping purposes, as the National Archives published online for the period that included Clinton's time as the nation's top diplomat (2009-13).

According to CNN, Clinton's emails to government accounts would have been flagged for archiving on the recipients' end. As for the emails sent to non-government accounts, well, that's where things are murky. It is unlikely those communications were automatically retained.

Clinton's advisers reportedly reviewed "tens of thousands" of email pages and determined which ones to provide the State Department. So there's the matter of transparency, which isn't something to take lightly.

But that's not the only reason to feel uneasy about this story.

What security measures were used to ensure Clinton's electronic communications were protected? How susceptible was Clinton's account to hackers?

Downplaying the potential of cybercriminals cracking the account, officials that spoke with Business Insider say "because of these hacking risks, Clinton used an email service that provides more robust security options than those available on typical consumer email accounts."

However, IT security site Tripwire offers a far different take: "This is shadow IT at a grand scale. With no visibility into how Clinton's emails were being secured, it would be impossible for the government to ensure the communications were not compromised by espionage."

It's also worth noting that Clinton spent considerable time traveling abroad while serving as secretary of state. NBC News reported she visited 112 countries in four years — presenting ample opportunity for emails to be intercepted.

Your business may not deal in matters of international diplomacy, but there's still a valuable lesson all businesses can learn: you can't be too careful when it comes to data security.

So, if the idea of putting your CEO on the spot sounds intimidating, think about sending an email.

Just be sure to use your work account.

Author: Mark Thaler

Back in my day, a good antivirus (AV) product was all you needed to protect a network. Patches were mostly bug fixes, and the Internet was relatively safe.


High-speed Internet changed everything. Back in the days of dial up, the bandwidth did not exist to provide a cybercriminal with decent access to your network. The connection wasn't 24/7 either. Users connected to the Internet, did what was needed, and logged off so someone could use the phone line to make a call.


Ah, the good old days...


Fast forward 20 years or so.


Like Bob Seger sang:Twenty yearsWhere'd they go?Twenty yearsI don't know


Sigh, where did they go?


Anyway, the point is, today almost every computer connects to high-speed Internet, 24/7. This change alone paved the way for cybercriminals to have access to unprotected machines all over the world.


AV simply is not enough anymore, and it is a reactive defense rather than a proactive one. AV protects you only after you've been infected.


Cybercriminals tend to target operating system and third-party software vulnerabilities. This means that patch management has gone from an optional method of keeping up with the latest fixes, to a necessary (and more often legally required) proactive security measure.


Simply put, if you have a network, you have to patch. This has become a full-time job.


The next issue is that not all the sites out there are friendly. Cybercriminals know that users will be drawn to anything that is free. Many of these sites are designed to lure unsuspecting users into a place where their machines can be compromised for data or even taken over as in the case of a botnet. While the user feels they are lucking out watching "Game of Thrones" for free, behind the scenes there very well could be compromising software installed, waiting to be fired up and used at the right time.


Today, a layered security approach is essential. What does that look like?


First Layer: Web Filtering


This will help prevent users from going to compromised or fraud sites. Now, you may have an appliance that does this, and that is great. However, keep in mind that one infected remote user can unknowingly smuggle in something that can infect your whole network. You must be able to apply the same filtering to everyone.


Second Layer: Patch Management


All the security software in the world won't help you if an attacker is able to take control of your OS or browser based on a vulnerability. Patching is absolutely essential.


Third Layer: Antivirus


What was once the first and only layer has now become the reactive security layer. This defense kicks in if a criminal has managed to get past the first two.


Conclusion


Cybercriminals today have the world at their doorstep. They are looking for quick and easy access. Covering the three layers mentioned here makes you far less attractive to them. There are too many networks out there that are not taking this approach.


Don't be the low hanging fruit, keep your users and your business protected.


Author: David Ianetta