The Curse of CC
As Sam lay on his deathbed, he was complaining to his lawyer: "I was an amazing doctor. I saved hundreds of lives. Do they call me Sam the great physician? Noooo. I must have given millions of dollars to charities over the years. Was I ever called Sam the great philanthropist? No way. I travelled around the world in a boat the size of a bathtub but was I ever called Sam the great adventurer? Absolutely not. But sleep with just one goat..."
An old joke to be sure, but easily related to security in your organisation. You can have the world's finest risk-assessments and security policies, the highest budget and the greatest security implementation. Yet all it takes is for one single employee to do something silly, like leave a door open, or press the wrong button, and it's all for naught.
This morning I received an email from a salesperson of a major multinational telecommunications firm (with about $4 Billion in revenue), following up on an enquiry we made several months ago. Unfortunately, the staff member CC:d her email to about 200 others, from various, fascinating companies, all of whom could now see each other's email addresses.
If the person responsible didn't see their career flash before their eyes within seconds of hitting send, it would have been very obvious when the (none too polite) replies came back a few minutes later.
There's no doubt it was an innocent error, and there was no malice intended, as distinct from say a professional spammer. However, the scourge of spam is such that nearly every person on that list would have been furious at what happened. At least one recipient has since decided to send his own email out to the group flogging his wares. A far bigger issue exists however, that each person must now be questioning how well the company in question can manage their privacy. Evidently not very well. Similarly, the company itself will be fuming that a large chunk of its customer database has been leaked, quite possibly to its competitors (several of the email addresses appeared as such).
I have received emails in the past from security training organisations and product vendors who have also (foolishly) used CC, thus disclosing their client database. Being a respectable business, we discarded these details and didn't seek to profit from them. However there were various other vendors who weren't as ethical in their marketing.
I use the wonderful 'Spam Gourmet' service (www.spamgourmet.com) to create 'disposable email addresses' which forward to, and conceal my private address. The original emailer who CCd a large group had a one-off address for me, which was only ever given to that security firm. When another product vendor sent me emails, to the same address, and I sent them a polite email asking "from where did you get my address" (knowing full well the answer), they suggested I had given it to them at a tradeshow. Liars! I already questioned their ethics, but insulting my intelligence is about the worst mistake a salesperson can make.
We have all spent plenty of time reading and re-reading a letter before sealing the envelope and putting it in the mail. However most of us have hit send on an email prematurely and then wished we hadn't. Most people have emailed a proposal to a would-be client, carrying on about how professional they are, and then sent a second email seconds later saying "whoopsee, here's the document I forgot to attach". The instantaneous nature of email is such that big mistakes which used to take whole careers to make, can now be made in seconds. Progress!
Smart organisations have clearly defined email policies, which not only reduce the likelihood of mistakes (such as CCing entire client lists), but serve as an educational tool to employees. Much of this makes perfect sense when explained, but is by no means 'common sense' beforehand.
Many users of email, particularly younger employees who have grown up with email, may not appreciate that emails can serve as an official communication from the company (whether or not they have a disclaimer indicating otherwise). A clearly defined policy may serve to inform them of their responsibilities, and that emails can come back and bite them in a way most discussions wouldn't.
A single paragraph, followed up with training, pointing out the hazards of using CC for listing all recipient email addresses (instead of BCC which conceals them) could have avoided plenty of salespeople doing more harm than good with their well-intentioned mailouts.
Effective policies should address, at a minimum:
- The role of email within the company - sometimes it's an inappropriate medium
- user responsibility for email
- appropriate and ethical use of email and content
- unacceptable or prohibited activities
- workplace Surveillance Policies (monitoring of emails)
- disposal of emails
- spam and broadcast messages
These not only improve information security, they can increase efficiency as well. For example, by forcing staff to consider the use of 'reply-all' to group emails, which can cause email quantities to grow exponentially, with limited relevance to many recipients.
Thinking back to the story of Sam the Goat err... Herder, it's important that policies be followed up with training and revision, to ensure that a single slip-up doesn't hurt the company's reputation.
The Commonwealth Spam Act 2003, prohibits the sending of unsolicited commercial messaging within Australia or on behalf of Australian entities. The prohibition reflects the Commonwealth Government's earlier statement that spam:
"is typically anonymous, indiscriminate and global. With these characteristics spam has become a popular vehicle for promotions that can be illegal, unscrupulous or use tactics that would not be commercially or legally viable outside the virtual environment. Some of the key issues raised by spam include privacy, illegal/offensive content, misleading and deceptive trade practices and burdensome financial and resource costs."
While we all know spam as those emails we receive selling various adult medication, porn and college diplomas, it is very easy for a company to think it's simply engaging in marketing, but who are actually sending unsolicited bulk email - also known as spam.
Larger companies with dedicated marketing divisions are usually aware of the restrictions, as they would be with any mailing campaign. However small to medium business may not be. Then again, there are those who simply don't care, like the ones who place flyers in my letterbox marked very clearly "no junk mail".
Companies should be aware there are very serious penalties, which have included one penalty of $4.5 million against Clarity1 Pty Ltd and $1 million against their managing director Wayne Mansfield for contravention of the Spam Act.
Regardless, organisations need to be as careful and diligent with their emails as they are with any other form of activity. If you wish to engage in email marketing - a highly useful sales tactic, speak with an expert beforehand to ensure you are complying with the law, as well as likely increasing the return on your investment in marketing.
Tools for Protecting Privacy
There are a number of tools which can help organisations protect their privacy and comply with relevant legislation. One of the main tools is mail filtering. Most organisations employ some form of filtering on their inbound email, to reduce viruses, spam and other malicious content. Far less used however, is outbound mail filtering which can ensure users do not (for example):
- send internal information (such as company databases or intellectual property) to an outside email address
- send sensitive information without first encrypting it or
- accidentally send emails to large mailing lists, for example by preventing CC to a large number of people with non-company email addresses. So you could CC twenty co-workers, but not accidentally email twenty external clients.
Not only do these prevent embarrassing mistakes, they also reduce willful theft of company information (or at the very least, highlight the likely responsible parties). Overall, these systems, when properly implemented, can reduce legal liability as well as protecting the company's financial interests.
As a quick-fix, I would also recommend companies consider setting their email programs to send email every few minutes, rather than immediately when "send" is pressed. That allows some chance of recovering an inappropriate email before it gets away.
Like any form of security technology though, software tools are not infallible and serve primarily as an additional layer of defence, in addition to human behaviour, company policies and internal compliance programs.
It is these human-related areas which are often forgotten about. Many companies now employ technology to prevent the receipt of media files and images, knowing that they are (more often than not) non-work related. So staff have found ways around these, such as hiding them inside word processing documents or PDF files. In other words, it's an arms-race between the enforcers (IT Security Management) and their subordinates, each trying to outsmart the other.
But hang on - most staff want to do the right thing. Good education will usually make the problem go away with far greater results than throwing dollars at a filtering system which just aggravates people. Fundamentally, we want to trust our staff and give them responsibility. This is why most businesses no longer use 'bundy clocks' for office staff. Organisations need to work hand-in-hand with staff to protect the company's interests - which in turn protects each employee.
But for heavens sake, do think before hitting send.