The Perils of Your Own Mail Servers

I was at a professional gathering recently when the subject of email security came up. I was surrounded by a group of lawyers who knew next to nothing about technology, and it made me curious about their thoughts on email servers. Going around the room, I found that just about everyone was maintaining their own email servers because they felt it was “safer”. There is this bias when it comes to data that somehow privately owned servers are safer, despite the fact that they are connected to the same Internet, populated with the same bad guys everybody else is facing.

While I think there may be some private servers out there that are as well protected as the more reputable email providers, I think that is the exception, not the rule. My impression is that most of these private servers are instead an aging Dell box in a closet connected to the Internet that may (or may not) have the most recent security patches installed and may (or may not) have an IT person baby-sitting it once in a while. I think there is this impression that, despite this lackluster security, they are somehow safer than email services that have full-time professional staff holding the barbarians at the gate 24/7. As the Democratic party found out, they’re not.

Yesterday, John Gruber linked to an article by Josephine Wolff that agreed.

The DNC is never going to be the equal of these companies employing thousands of engineers and managing millions of email accounts when it comes to security, so perhaps it should stop trying and let the experts take over.

If you’re running your company’s email on a private server and haven’t been compromised (or at least are not aware of being compromised), there’s a good chance that the reason for your good fortune is not your security but the fact that you are not as juicy a target as the DNC. Maybe it’s time to reconsider.