
To Catch A Thief

August 13, 2013

Rodney, we need access to an employee’s email to do an investigation.

Okay, have your investigators get with Ammon and we’ll get you access to the suspect’s mailbox.

Well, that’s the problem. We can’t let your team know who the suspect is. That’s not a problem is it?

It was my least favorite responsibility as manager of the email team for a large non-profit corporation. Our team held the keys to the email system. So, when someone needed to do an investigation, initiated either by law enforcement or by our own internal auditors, they had to come to my team to get access to users’ mailboxes. Investigations might be for corporate espionage, pornography, theft, or any number of things.

Two important things you should know about corporate IT, and email especially:

1. Your corporate email is NEVER private.

2. It is impossible to lock out your IT staff.


Nothing is Private
The non-profit I worked for was pretty conservative. They had a one-strike pornography policy. So, I was constantly amazed when we would find people who were either surfing porn, or had it in their mailbox.

Sometimes, people think they can get around the filters. Or, they think, if they store their email locally (called a .PST file in Outlook) that somehow it’s not findable. Trust me, they can find it.

And don’t think that deleting it quickly helps. If you are being investigated, your corporate IT guys will implement a feature that makes a copy of everything you send and receive. The copy of incoming email gets made before it ever arrives in your mailbox. If the email is coming from inside your company the copy gets made by the email router, called a Message Transfer Agent, or MTA. The copy is recorded before you even log in. And if the feature is configured for it, the copy sends up a red flag and the message never arrives in your box, but instead goes straight to security or your boss or HR or whomever.

If the email comes from outside the company there are multiple places to “split the stream.” The first is at the perimeter. Your company has a filter program that looks at every message to determine if it’s spam or not. Those programs can also make a copy, or quarantine a message, or notify security or HR. I know your company has one of these programs because your mailbox isn’t 90% spam. Without the filter program, your system would be inundated with spam and viruses.

Once it gets past the spam filter it gets routed by the MTA.

Spam filters and MTAs can make copies based on almost any administrator-defined criteria. They might check to see if an email is from a competitor, to track for corporate espionage. They might check for key words, like the name of your next big product. They might check for attachments. And don’t think encrypting them will save you. If the filter can’t open the file, the default action for most is to quarantine the file and notify someone.

Filters can even search for credit card numbers or Social Security numbers. Your email is NEVER private.
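The kind of rule set described above, as an added example that is not from the original post or from any particular filter product. The watched domain, keyword and rule names are constructed, and "can't open" is modeled as a ZIP attachment that is corrupt or has the encryption flag set.

```python
import io, re, zipfile
from email.message import EmailMessage

# Constructed policy values for illustration only.
WATCHED_DOMAINS = {"competitor.example"}
KEYWORDS = {"project falcon"}
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(number: str) -> bool:
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def unopenable(data: bytes) -> bool:
    """True if the filter cannot inspect a ZIP attachment (corrupt or encrypted)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return True

def evaluate(msg: EmailMessage) -> tuple[str, list[str]]:
    """Return (action, reasons); action is 'deliver', 'copy' or 'quarantine'."""
    reasons = []
    parties = f"{msg.get('From', '')} {msg.get('To', '')}".lower()
    if any("@" + d in parties for d in WATCHED_DOMAINS):
        reasons.append("watched-domain")
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')}\n{body.get_content() if body else ''}".lower()
    if any(k in text for k in KEYWORDS):
        reasons.append("keyword")
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        reasons.append("card-number")
    if SSN_RE.search(text):
        reasons.append("ssn")
    blocked = any(a.get_content_type() == "application/zip"
                  and unopenable(a.get_content()) for a in msg.iter_attachments())
    if blocked:
        reasons.append("unopenable-attachment")
    return ("quarantine" if blocked else "copy" if reasons else "deliver"), reasons
```

The Luhn check is what keeps an order number or tracking ID from being flagged as a card number; the unopenable attachment is quarantined regardless of what else matched.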

And that doesn’t even address the fact that administrators can log into your mailbox without your knowledge. They could be in your mailbox right now, and there is no way for you as a user to know.

You Have to Trust Someone
For most companies it’s best to hire trustworthy people to work in your IT department because you really cannot lock them out of the system.

The problem is that the people you are asking to lock your system know how to unlock it. There are some things that you can put in place to help. For example, for some of our sensitive systems, we granted access using an electronic security group. Anyone who was a member of that security group could get access to the system. The group was normally empty. Whenever a user got added to the group, we all got notified.

So, if someone needed to access that system, they’d add themselves to the group and we’d all get alerted. When they were done, they’d remove their name from the group. There are ways around this. For example, as an administrator you can turn off notifications from that group. So, to protect against someone disabling notifications for your security group you could put a tripwire on the Notifications tab so that when the notifications got removed, a group would be notified. But, then someone could go further upstream to disable that notification and so on. Really, you have to trust your IT group.
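A sketch of the normally-empty group and its notification tripwire, as an added example that is not the system described in this post. The group name, record fields and four-day limit are assumptions; it replays constructed audit records instead of relying on the group's own notification setting.

```python
from datetime import datetime, timedelta

GROUP = "sensitive-system-access"   # hypothetical name for the normally-empty group
MAX_OPEN = timedelta(days=4)        # assumed limit on how long access may stay open

def review(events, now):
    """Replay audit records for GROUP in time order; return (severity, message) findings."""
    findings, members, notify_on = [], {}, True
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["group"] != GROUP:
            continue
        action, actor, who = ev["action"], ev["actor"], ev.get("member")
        if action == "notify_disabled":
            # The tripwire: turning alerts off is itself an alert.
            notify_on = False
            findings.append(("high", f"{actor} disabled notifications"))
        elif action == "notify_enabled":
            notify_on = True
        elif action == "member_added":
            members[who] = ev["time"]
            if notify_on:
                findings.append(("info", f"{actor} added {who}"))
            else:
                findings.append(("high", f"{actor} added {who} while notifications were off"))
        elif action == "member_removed":
            members.pop(who, None)
    # Anyone still in the group past the limit never finished the "remove yourself" step.
    for who, since in members.items():
        if now - since > MAX_OPEN:
            findings.append(("high", f"{who} still in group since {since:%Y-%m-%d}"))
    return findings

def rec(when, action, actor, member=None):
    """Build one constructed audit record; the field names are assumptions."""
    return {"time": datetime.strptime(when, "%Y-%m-%d %H:%M"), "group": GROUP,
            "action": action, "actor": actor, "member": member}

# Constructed sample: one normal add/remove, then an add made after alerts were silenced.
SAMPLE = [
    rec("2013-08-05 09:00", "member_added", "engineer1", "engineer1"),
    rec("2013-08-05 11:30", "member_removed", "engineer1", "engineer1"),
    rec("2013-08-06 22:10", "notify_disabled", "engineer2"),
    rec("2013-08-06 22:12", "member_added", "engineer2", "engineer2"),
]
```

Calling `review(SAMPLE, now)` with a date a week later reports the routine add as informational and the silenced add, the disabled notification and the lingering membership as high severity.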

And that brings us back to my meeting with our security folks.

My engineers were the only ones who had permission to give someone access to a mailbox.

Why can’t my engineer know?

Well. . .we’re not even sure there’s a violation. Someone was walking past the office of a senior executive and thought they might have seen something inappropriate. We don’t want to risk a false rumor getting started. Not that we think your engineer would. .

No, I get it. Let me get with my team and we’ll see what we can come up with.

Eventually our solution involved a lot of trust. Ammon, my engineer, met with the investigator. Using Ammon’s login, Ammon showed the investigator how to grant himself permission to my mailbox as a test. Then, Ammon left the room and the investigator used Ammon’s login to grant himself access to the suspect’s mailbox. Three days later they got together and reversed the process as Ammon showed him how to remove his permission to view my mailbox. After Ammon left the room, the investigator looked up the suspect and removed himself.

We never heard if it was a valid complaint or not. . .and we preferred it that way.

Like I said, it was the least favorite part of my job.

Rodney M Bliss is an author, blogger and IT Consultant. He lives in Pleasant Grove, UT with his lovely wife and thirteen children.

Follow him on
Twitter (@rodneymbliss)
or contact him at (rbliss at msn dot com)

One Comment
  1. Good post.

    To make matters worse for IT management, the advent of cloud/portable storage (Dropbox, SkyDrive, thumb drives, etc) makes it nearly impossible to track employee shenanigans. Sure you can block those cloud services, but where do you draw the line between security and embracing new technology? — We keep copies of every single email that comes and goes (for seven years). It’s interesting that people still find ways to get canned for dumb things like pornography, yet HR regularly asks for access to email, sometimes followed up by an account termination request.

    It’s getting easier to be an idiot at work, that just means we have to work that much harder to protect company interests. But like you said, it’s a lot easier to hire people you trust in the first place.
