Ever wondered why you keep getting spam emails? Well, it's almost the same reason you get flyers and unsolicited mail in your Canada Post mailbox: organizations pay Canada Post to distribute junk mail into your mailbox, just as organizations or individuals pay email providers like Yahoo, Hotmail and MSN, and even your local Internet Service Provider (ISP), for your email address. The main difference is that, to get your email address, the money is paid directly to an ISP employee who has access to your email account and is willing to compromise your confidentiality.
Why is this allowed? The truth is that it is not. These are employees the organization trusts to do their job and handle your email with the confidentiality it requires; but as long as the external financial and other rewards outweigh the employee's salary, this will keep happening. Over the past two decades, many organizations, in their rush to be competitive and bring internet services to market, have failed and continue to fail to implement proper monitoring controls over administrative and superuser access.
What can organizations do? Here are some of the things that should be done as best practices:
- Proper background checks for new hires (e.g. validate claimed experience and credentials for every hire, including credentials issued abroad, which are harder to check)
- Identify and verify the superuser and administrative accounts on your email servers (and on other business-critical systems). Remove superuser and administrative privileges from anyone who does not need them to do their job
- Periodically review the validity of superuser and administrative accounts (e.g. employees change roles or leave the company and their accounts may still be active)
- Implement logging on critical systems such as email servers so that you can trace who accessed the server and when, if the need arises
- Implement monitoring tools that read these logs and raise alerts when something out of the ordinary happens on the servers (e.g. repeated failed logins, unusually large amounts of data being copied off the server)
- Implement periodic reporting so that operational managers are required to review activity on their email and other servers, to the point where they can tell normal from abnormal activity and statistics
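The last four items above describe one monitoring loop: keep an approved list of privileged accounts, log access, alert on the out-of-the-ordinary, and summarize activity for the periodic review. The following is an added example, not code from the original post or from any vendor product, showing that loop run over a handful of constructed mail-server audit log lines. The log format, the event names, the approved-admin list and the alert thresholds are all assumptions chosen for illustration.

```python
"""Added example (not from the original post): a small detector run over
constructed mail-server audit log lines. It implements three checks from
the list above (privileged actions by accounts outside the approved
superuser list, repeated failed logins, unusually large exports) and a
per-account activity summary for the periodic management review.
Log format, event names and thresholds are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed format:
# <ISO timestamp> <event> user=<account> src=<ip> [bytes=<n>]
SAMPLE_LOG = """\
2024-03-01T09:00:01 LOGIN_OK user=mailadmin src=10.0.0.5
2024-03-01T09:02:10 LOGIN_FAIL user=jsmith src=203.0.113.7
2024-03-01T09:02:15 LOGIN_FAIL user=jsmith src=203.0.113.7
2024-03-01T09:02:21 LOGIN_FAIL user=jsmith src=203.0.113.7
2024-03-01T09:02:30 LOGIN_FAIL user=jsmith src=203.0.113.7
2024-03-01T09:02:44 LOGIN_FAIL user=jsmith src=203.0.113.7
2024-03-01T09:10:00 LOGIN_OK user=oldadmin src=10.0.0.9
2024-03-01T09:11:00 ADMIN_ACTION user=oldadmin src=10.0.0.9
2024-03-01T09:12:00 EXPORT user=oldadmin src=10.0.0.9 bytes=734003200
2024-03-01T09:30:00 EXPORT user=mailadmin src=10.0.0.5 bytes=10485760
"""

APPROVED_ADMINS = {"mailadmin"}             # assumed output of the periodic account review
FAILED_LOGIN_THRESHOLD = 5                   # failures per account within the window
FAILED_LOGIN_WINDOW = timedelta(minutes=5)   # sliding window for failed logins
EXPORT_BYTES_THRESHOLD = 500 * 1024 * 1024   # 500 MiB exported per account per log period


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        event = {"ts": datetime.fromisoformat(parts[0]), "event": parts[1]}
    except ValueError:
        return None
    for field in parts[2:]:
        key, sep, value = field.partition("=")
        if sep:
            event[key] = value
    return event if "user" in event else None


def detect(log_text, approved_admins=APPROVED_ADMINS):
    """Return a list of (rule, account, detail) alerts, in the order they fire."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    alerts = []
    failures = defaultdict(list)   # account -> timestamps of recent failed logins
    exported = defaultdict(int)    # account -> bytes exported so far
    fired = set()                  # (rule, account) pairs already alerted, to avoid repeats
    for e in events:
        user = e["user"]
        if e["event"] == "ADMIN_ACTION" and user not in approved_admins:
            if ("unapproved_admin", user) not in fired:
                fired.add(("unapproved_admin", user))
                alerts.append(("unapproved_admin", user, f"admin action from {e.get('src')}"))
        elif e["event"] == "LOGIN_FAIL":
            window = failures[user]
            window.append(e["ts"])
            # keep only failures inside the sliding window
            while window and e["ts"] - window[0] > FAILED_LOGIN_WINDOW:
                window.pop(0)
            if len(window) >= FAILED_LOGIN_THRESHOLD and ("failed_logins", user) not in fired:
                fired.add(("failed_logins", user))
                alerts.append(("failed_logins", user, f"{len(window)} failures within {FAILED_LOGIN_WINDOW}"))
        elif e["event"] == "EXPORT":
            try:
                exported[user] += int(e.get("bytes", 0))
            except ValueError:
                continue  # malformed byte count; skip rather than crash the detector
            if exported[user] >= EXPORT_BYTES_THRESHOLD and ("export_volume", user) not in fired:
                fired.add(("export_volume", user))
                alerts.append(("export_volume", user, f"{exported[user]} bytes exported"))
    return alerts


def activity_summary(log_text):
    """Per-account event counts, the raw material for the periodic management report."""
    summary = defaultdict(lambda: defaultdict(int))
    for e in (parse_line(l) for l in log_text.splitlines()):
        if e:
            summary[e["user"]][e["event"]] += 1
    return {user: dict(counts) for user, counts in summary.items()}


if __name__ == "__main__":
    for rule, account, detail in detect(SAMPLE_LOG):
        print(f"ALERT {rule}: {account}: {detail}")
    for account, counts in activity_summary(SAMPLE_LOG).items():
        print(f"REPORT {account}: {counts}")
```

The detector is deliberately stateful only within one run: in practice the approved-admin set would be refreshed from the account review (so that `oldadmin` is either re-approved or removed rather than alerting forever), and the summary would be compared against the previous period's numbers so that a manager reading the report learns what "normal" looks like for that server.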
What can we do? At the moment, apart from the tedious process of configuring spam filters on our individual email accounts, we can take some comfort in knowing that there are laws designed to loosely protect us. Laws like PIPEDA and the Sarbanes-Oxley Act (SOX) give publicly traded and other organizations some motivation to implement proper controls against breaches of internal systems like email. However, even where organizations try to abide by these, their enforcement of security controls is still weak.
Given the current state of the global political environment, your email and internet privacy are not a priority. Take the necessary precautions to understand the organizations and people that request your email address. Install antivirus and anti-malware protection on your computers, tablets and other personal devices. Be wary of phone apps that request access to your local address book: once an app has access to your information, it takes only seconds to upload it to the internet and make your email address and other private information globally accessible.