The Dark Side of emails


Most people use it on a daily basis, but do we actually use it safely?

Just as an FYI, when you hit send in your email, the email has actually left the building.  Once gone, you cannot recall the email, so you had better make sure it should have gone.

Some companies have put in measures to prevent staff from sending emails, by enabling a centralised email profile that can only be used by selected users, or by creating rules on the infrastructure to prevent users from sending emails externally.  But, ignoring those exceptions, there is very little you can do to recall an email once you have clicked send.  By the time staff realise what has happened, the damage is done – they have leaked the information.

In recent months, there have been several incidents in many large organisations.  Staff have made seriously misjudged decisions on what to send, and emails have left the safety of the draft folder and found comfort in an inbox somewhere in the world.  Unfortunately, some emails should never have been sent, because the information in the email was incorrect, the recipient email address was wrong or the email was inappropriate in nature.  Few people actually consider or comprehend the impact such an incident can have on the company.

Some of the more straightforward concerns are obviously that the company may be seen as unreliable, but this could also have a financial impact on the company.  Depending on the nature of the email and its content, the company could lose clients and revenue if clients perceive the company as treating data in a laissez-faire manner.

How do you stop these things from happening?  One of the best ways is to use common sense.  You don’t send snail mail to the wrong address.  Employees must remember that an email is just like sending a postcard: anyone who wants to find or intercept it will find a way to read it.  So, when sending mails, whatever your level in the organisation, you need to consider some basic email ethics and rules:

1.  Financial services firms process vulnerable and sensitive data and must therefore take the necessary precautions not to disclose such data.  When staff decide, or are asked, to send an email containing sensitive data, they should double-check the recipient(s) in the TO field.  I would actually recommend triple-checking the email address and, if in doubt, asking the client to email you so you have the correct email address.

2.  Using multiple names in the TO or CC fields will allow recipients to see the email addresses of the other recipients.  Initially, this does not seem too bad, but you need to consider that the recipients may not have given their consent to share their email addresses with a wider community.  In the worst case it could allow third-party sellers to capture and re-use those email addresses for future emails.

3.  It is not advisable to blindly forward emails or website links to colleagues, friends or relatives.

  • Firstly, links could be malicious and be a security risk for the receiving network
  • Secondly, forwarding an email could disclose the entire email history, with perhaps some details that should not be shared with others
  • Thirdly, most people don’t really care about forwarded emails, unless they are work related
  • Fourthly, imagine you forward the mail to 20 people and they do the same.  Before you know it, it has created a mail tsunami on the internet, impacting users

Yes, there is content management software you can purchase and deploy, which will check what content employees are sending by email and to whom, but such technological solutions cannot counter human errors such as those described.  Managing such content management systems will soon become a full-time job, resulting in your company having to hire additional IT resources.  Perhaps that’s not a bad thing in today’s economic climate, but it is an unnecessary cost.

However, what is cheap and can be implemented easily is creating awareness.  All you need to do is outline the main objectives for your email awareness campaign and kick it off.  It doesn’t have to be a fancy poster, Flash-enabled emails or web sites; use the resources you have in-house: the email system, printers, etc.

Unlike many organisations, we offer here some free advice for implementing a more secure approach to your organisation’s email usage, helping you to manage and reduce the risk of human error leading to data loss through email.

  1. Turn off the address auto-fill function, making sure that you input the correct email address every time.  If staff do insist on using auto-fill, then advise them to check and double-check the email address
  2. Before forwarding an email, staff should review the content of the original email, consider whether it is spam and/or delete unnecessary information
  3. Use the BCC field if sending mails to a large number of people.  This avoids exposing the names of everyone involved
  4. Request staff and clients to insert ‘Confidential’ in the subject field if the content is of a confidential nature
  5. Advise staff not to circulate inappropriate images or other content that may offend viewers or recipients of the email
  6. Users should endeavour not to send financial information using email.  Financial information should be delivered securely and password protected
  7. Delete emails from unknown senders and do not click on links in spam emails or from unknown sources
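The content-checking software mentioned above, and several items in the list (hide large recipient lists behind BCC, mark confidential mail, keep financial details out of email, review forwarded history), can be approximated by a small outbound policy linter. The following is an added example written for this page, not code from the original post or any product; it uses only the Python standard library. The home domain `example-bank.invalid`, the recipient and quoted-line thresholds, and the two sample messages are constructed assumptions.

```python
"""Outbound e-mail policy linter (added example, not from the original post).

Parses an RFC 5322 message and reports findings that mirror the awareness
list: too many visible external recipients, a 'Confidential' subject leaving
the organisation, a Luhn-valid card number in the body, and a long quoted
history being forwarded.  Thresholds and the home domain are assumptions.
"""
import re
from email import policy
from email.parser import BytesParser

INTERNAL_DOMAIN = "example-bank.invalid"   # assumed home domain (constructed)
MAX_VISIBLE_EXTERNAL = 5                   # assumed threshold before BCC is required
MAX_QUOTED_LINES = 10                      # assumed threshold for forwarded history

# 13-19 digits, optionally separated by spaces or hyphens (card-number shape)
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so arbitrary digit runs (order ids) are not flagged."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def visible_recipients(msg) -> list[str]:
    """Addresses in To/Cc only; Bcc is excluded because other recipients cannot see it."""
    addrs = []
    for field in ("To", "Cc"):
        for hdr in msg.get_all(field, []):
            addrs.extend(a.addr_spec.lower() for a in hdr.addresses)
    return addrs


def is_external(addr: str) -> bool:
    return not addr.endswith("@" + INTERNAL_DOMAIN)


def check_message(raw: bytes) -> list[str]:
    """Return a list of human-readable findings; an empty list means no policy hit."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    external = [a for a in visible_recipients(msg) if is_external(a)]
    if len(external) > MAX_VISIBLE_EXTERNAL:
        findings.append(f"{len(external)} external addresses visible in To/Cc; use Bcc")

    subject = str(msg.get("Subject", ""))
    if "confidential" in subject.lower() and external:
        findings.append("'Confidential' subject addressed to external recipients")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append("possible payment-card number in body; send financial data securely")
            break

    quoted = sum(1 for line in text.splitlines() if line.startswith(">"))
    if quoted > MAX_QUOTED_LINES:
        findings.append(f"{quoted} quoted lines: review forwarded history before sending")

    return findings


# Constructed sample messages (not real traffic).  4111 1111 1111 1111 is a
# well-known test card number that passes the Luhn check.
SAMPLE_RISKY = b"""From: adviser@example-bank.invalid
To: a@client-one.invalid, b@client-two.invalid, c@client-three.invalid,
 d@client-four.invalid, e@client-five.invalid, f@client-six.invalid
Subject: Confidential: statement details
Content-Type: text/plain; charset=utf-8

Hi all, the card on file is 4111 1111 1111 1111, please confirm.
"""

SAMPLE_OK = b"""From: adviser@example-bank.invalid
To: colleague@example-bank.invalid
Subject: Lunch on Friday
Content-Type: text/plain; charset=utf-8

Table booked for 12:30, order ref 1234 5678 9012 3456.
"""

if __name__ == "__main__":
    for name, raw in (("risky", SAMPLE_RISKY), ("ok", SAMPLE_OK)):
        print(name, check_message(raw))
```

The linter is a pre-send sanity check, not a substitute for the awareness steps: it only catches the shapes it knows about, and a determined or careless user can still paste data it does not recognise. The order reference in the second sample has a card-number shape but fails the Luhn check, which is why it is not reported.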

Each organisation should, as a minimum, have an acceptable use policy that outlines what users should and should not do.  It makes things a lot easier to communicate if a policy has been developed.

That said, if your organisation wants to have a more detailed discussion about security awareness, then feel free to contact us: web or 1890 911 211.


Filed under Security