How to Avoid Your Corporate E-Mail Monitor: Mike Murray

The key is to think like a hacker, and a hacker’s first job is reconnaissance. You have to figure out your environment. I’ve seen rigorous companies and I’ve seen companies that don’t monitor anything at all. Suppose I’m having an office affair and I want to hide it. I actually met my wife through work. We were trying to keep it secret. The first thing I would do is sit down at lunch with the IT geeks, specifically the ones that run the mail server. I would ask them, “How do you find stuff like this?” to find out what kind of monitoring they’re actually doing. Do they do a lot of internal HR investigations? Do they do any data leak prevention? You can also go on LinkedIn and Facebook and look at the résumés of your IT staff and see if any of the data leak prevention tools are named.
Obviously it’s best to get off the company e-mail system and have your conversation on some external account. They can do screenshots of your computer screen, but that’s very resource-intensive. You’d need someone looking at the screenshots, frame by frame. If you were under a ­serious investigation from HR, they might go to that step. But if you have a 50,000-person organization, they can’t possibly monitor 50,000 computer screens.
The way a hacker evades these filters is to look as normal as possible. You want to look innocuous and say little out of the ordinary. But if you send a Gmail from your noncorporate cell phone, you’ve evaded all of the corporate monitoring. If you really want to get away with whatever you’re doing, you’ve gotta do the recon. The hackers that do the worst job skimp on the preparation up front. — As told to Keenan Mayo 

To continue reading this article you must be a Bloomberg Professional Service Subscriber.