When most people read this title, they have no idea how these three items could be intertwined, so let me explain.
As you may have heard or read in the newspapers, Deloitte (one of the “big four” accounting firms) suffered an internal email system breach. Since all their email correspondence may have been stolen, it’s time to reassess how we craft our personal and corporate emails to ensure that if our emails end up on the internet we will not suffer any ill effects.
Gone are the days of having a strong comfort level that Gmail, Yahoo or even your company is protecting your messages from being read by unauthorized people. Unless your messages always remain encrypted, you now must consider a worst-case scenario where your emails may be accessed illegally by a hacker or any other person.
As an adjunct professor at Rutgers University on cyber security, I tell my students that hackers look for the path of least resistance. If they can use some already-developed hacker code to get into systems, they will use that method, as opposed to, for example, trying to force their way into a victim’s network. Getting access to an email server always provides a wealth of information that can be used for further attacks, including phishing.
If you work for any sizable organization, you were probably told you must use only company email systems for company business, since they are protected. Once these systems are breached, they no longer serve as a secure method of doing business.
I vividly remember an email hack back in 2011 of a large security company that we were going to engage with. When the hackers announced that they were going to release all the emails from this company onto the internet, the first thing that came into my mind was what confidential information had we put in those emails? I also wondered if there were any comments that would reflect badly on me or my staff or had anyone written poorly of me in their emails. Needless to say, it was a scary moment for me.
As many of us have learned, we are “videotaped” in this world and the tape is played back in Olam Haba. When we send an email that has derogatory or rumored information about a friend, co-worker or anyone else, we need to think about how we would feel if that email were displayed for everyone to see on the internet. What would it say about us? Even though you may think you have deleted an email, once you send it, it may always be somewhere, including at your email provider or in your company’s backups.
After the incident above, I decided that I needed to review my emails for more than the basic security items I usually look for. I wanted to be sure that if I needed to discuss an issue with an employee/friend/family member that may not be taken the same way as a conversation (same can be said about texting), I would make sure to either address it in person or over the phone. I did not want to be Motzi Shem Ra in an email about anyone.
I also put together a list of what I needed to review before I sent out an email, whether it was from my Gmail or business account. Here are some of the things I check for and I’m sure there are more you may think of.
1) Never send out an email when you are angry at the recipient, at someone else listed in the email or, for that matter, at anyone. Walk away from your computer, and after you calm down, compose the email, making sure you are not writing things that may be considered Loshon Hara etc.
2) Always review an email as though it might be read by someone other than the intended recipient. This could be a co-worker of the recipient or some other person.
3) If you work for a company, make sure that if you are including any confidential information, it is protected according to your organization’s data classification standards.
4) Make sure not to criticize people in your email; act as though that person is standing in front of you. If you must say something that is critical about someone it is probably better to pick up the phone and call the recipient and explain it to them.
5) Make sure that your email is addressed to the correct people. Many times, people just type the first few letters of a name and the autocomplete of the email program will fill in an unintended recipient. You don’t want to send something personal to the wrong person. Again, remember that if it is personal and you wouldn’t want it published on the internet, pick up the phone.
6) When you Bcc (blind carbon copy) someone, don’t expect them to know not to forward it to someone else unless you tell them in advance. A better solution is to send the initial email with a note not to send to anyone outside of the recipients and then forward a copy to that person that you would have otherwise Bcc’d.
7) Finally, before hitting send, think about whether there would be any ramifications for you, your family and friends, co-workers or your organization if this email were published on the internet for all to see.
Besides the embarrassment that we or others may face if we send inappropriate emails that are then published, it may be a good time of year to adopt either some or all of the steps above. I know I have.
By Moshe Zahler
Moshe Zahler is the chief information security officer of Proactive Cyber Security, LLC, which assists small- and medium-sized businesses in protecting their business. He has practiced cyber security for over 20 years and has worked for corporations such as American Express, Deloitte, Republic National Bank and HSBC Bank. He is also an adjunct professor at Rutgers University and is a speaker at international cyber security conferences. He can be reached at [email protected].