Insider Threat Example: Leaked Clinton Memo Provides At Least 5 Good Security Lessons

Mid-last week it was widely reported, probably more so in the national news than here in Iowa, that one of Hillary Clinton’s top campaign folks had written a memo to her urging her to skip Iowa and focus on other states. This leaked memo was the grist of much discussion on the political talk shows over the weekend.


Clinton has been here in Iowa so many times that she’s almost a resident. This leaked memo did not make much difference to the folks here in the heartland; her actions speak much louder than her aide’s words. Plus, I think Clinton handled the leak very well (read about it in the article).
However, if she had not been here much, this could have been very damaging to her campaign in Iowa.
But, it brings up the question…how did this private memo get leaked to the press in the first place?
Can you imagine all the business memos you have in your organization, between your business leaders that reveal their candid thoughts and often not-too-good ideas? What if these memos got into the hands of the press, or even more likely in today’s YouTube generation, got posted to a website?
This is another good example of the insider threat.
The article did not report how the memo was leaked. So, let’s consider some of the possibilities, given information is commonly shared electronically, and that there are many campaign offices throughout Iowa, along with all the other locations throughout the U.S.
1. Someone may have sent the memo as an email attachment to another campaign member. That person may have forwarded the message, along with the memo, so someone outside the campaign, who in turn may have sent it to the Des Moines Register reporter.
LESSON: When you send information via email you have no control over it once you hit the button. Do not send confidential information within clear text email messages or clear text attachments.
2. Someone may have thrown away a hard copy printout of the memo, and someone digging through the trash, perhaps even a reporter, may have found it.
LESSON: Do not throw papers containing confidential information into the trash without shredding.
3. Someone may have had access to the storage location on the server who should not have had access.
LESSON: Give access only on a need-to-know basis. In other words, prohibit all access by default, and give access as necessary for job responsilities.
4. The memo writer himself may have leaked the memo on purpose. He could have been in cahoots with someone in another campaign camp, or he may be disgruntled.
LESSON: Use logging to know who is doing what with your information. Provide ongoing training. Apply sanctions consistently. Do appropriate background checks prior to hiring employees who will have access to sensitive information or mission critical assets.
5. Someone who had access to the memo may not have known that they shouldn’t give the information to anyone outside the organization.
LESSON: Have strong information security policies; communicate them effectively and on an ongoing basis, meaning you need to put forth effort to have a comprehensive training and awareness program.
These are just 5 possibilities; there are of course many, many more…feel free to offer some of your speculations!
There is also a good incident response lesson here; don’t wait until an incident happens to convince the public that you should be forgiven for allowing it to happen.
Visibly practice exemplary information security and privacy habits, and promote your dedication to the safeguards to your customers and the public. Then, if an incident does occur, they will know that you were being proactive to keep bad things from happening.

Tags: , , , , , , , , ,

Leave a Reply