Read it and weep

3 May 2005

Whenever we receive a letter, the seal on the envelope gives us reasonable confidence that it hasn’t been tampered with, but for most standard emails that level of protection isn’t there. Most of the time we probably don’t even give this a second thought as we hit ‘send’, regardless of the contents of the message. But should we care?

According to Pat Moran, partner in the technology and security risk services division at Ernst & Young, email snooping is on the rise in Ireland. He stresses that this takes place within the confines of a company — not home users. “There’s been a trend in the past three or four months where we’re finding that users are reading or opening emails that do not belong to them,” he says.

“In forensic projects that we have done, quite a few are popping up where users have been reading unauthorised emails. It’s a new trend that has appeared recently,” Moran relates. The bad guys are not some shady external group indulging in electronic eavesdropping: in cases that Ernst & Young has investigated, the main culprits have been network administrators, whose access privileges grant them the ability to read emails belonging to anyone in the company, up to and including senior management. “The number of organisations that don’t realise that the IT administrator can read the chief executive’s email is astonishing,” Moran says. “Organisations don’t get that yet — they’re beginning to get it slowly.”

In fairness, Moran acknowledges that there are often very good reasons why IT administrators are involved in scanning emails sent by or to other people. The instances he refers to are where someone in a position of responsibility is abusing their authority. “If you’ve got an IT person doing things they shouldn’t be, that’s quite a serious matter,” he says.

The position and skills of an IT administrator can complicate the situation when the time comes to pursue the matter further. “The range of access and privileges they have makes it hard to investigate. The first place you look is on the server but you have to ask the administrator for the password,” Moran points out. The administrator would have to be made aware of any investigation but knowing this gives them a head start, affording them the opportunity to cover their tracks. “Because they have that level of access, it’s a threat.”

Moran recommends three courses of action to curtail the risk. The first involves careful selection and recruitment of IT administrators. “Be careful that the person you are taking on is a trustworthy, credible character,” he advises. “A number of organisations outsource their IT administration or take on contractors. When you consider that these guys have the keys to the kingdom, not enough effort is being spent on recruiting them.”

Companies should also monitor the administrator’s activity. “Organisations should be able to monitor independently the work of their IT people. Apply the same guidelines to IT as you would to the finance department; audit them on a regular basis,” Moran urges.

Lastly, the network administrator or email administrator must be given their own specific password that will account for their actions when online. According to Moran, in several cases administrators have used a default or generic password. This creates problems if the company is obliged to prove the identity of a person accused of snooping. “There’s a number of cases we see where the network administrator uses the ID ‘network1’. Let’s say he or she is suspected of accessing the CEO’s email — we see that network1 went in, but can we prove who that is? It could be three or four people in the IT department. What you really need is firstname.lastname so you have an audit trail.”

Moran isn’t targeting an individual group for the sake of it; he backs up his assertions with personal experience — at least 50pc of cases that Ernst & Young has investigated involve IT personnel. “They’re the highest proportion of all the business departments that would be in the overall group [of culprits],” he reveals.

The problem, as Moran sees it, stems from companies not dedicating enough time to carefully selecting people to fill these positions. It’s also partly a cultural issue, where the people filling IT administration roles are either third parties, contractors or college graduates who don’t understand the company ethos.

Moran says these cases tend to occur in the technology industry. Another trend he has seen is that the smaller the company, the greater the risk. “You tend to find a lot more snooping goes on in a smaller organisation than a larger one,” he observes. “We are moving now to having a strong culture to outsource and this is just one of the risks,” he says.

According to Moran, one of two things happens as a result: the organisation finds out and reacts by suspending or seriously talking to the employee, or else it’s discovered as a result of a fraud, because the company finds out that information has got into certain people’s hands.

He cites the example of an unnamed company A that is being acquired by company B. Company A is supported by an IT group that has access to the email server and can read all the messages. They hear of the potential buyout by looking at the emails of the CEO and the chief financial officer. They figure out who company B are and try to find out whether company B will have jobs for IT people. Word gets out that a merger is in discussion and the whole deal is scuppered. “It’s quite a real threat, it could happen to any organisation,” Moran states.

In simple terms, businesses need to be aware that such a threat exists and, in line with good practice, determine the extent of any potential threat. To counter the possibility of internal espionage, some organisations have opted to fragment the network for the top executives, so that it’s separate from the corporate network and is used for sending highly confidential documents and emails, away from the eyes of most staff. Moran confirms that this is happening in some cases in Ireland. “It’s also a trend in the UK, where networks for very senior levels of management are isolated for that very reason,” he says.

Do you know your IT administrator can read all your emails? You need assurance that if they can read it, nothing bad will come of it, or that you can find out if they have been reading it.

By Gordon Smith