Did you ever send an e-mail that you really didn't mean to send? It starts like this: You receive an irate e-mail from your boss, coworker or so-called friend. The e-mail is derogatory, inflammatory or demeaning and it really, really gets under your skin. You hit the reply button and start to type your equally inflammatory reply. As you are typing your response you say to yourself that you are going to type what you feel now and then retype it later, taking out all of the expletives. Then it happens; you click the send button, accidentally, of course. Within minutes, you get a call demanding that you explain your response. Sound familiar?
I see this happening more and more in business. I think it has to do with the way we do business and the speed at which our tools work. Admit it, when you send an e-mail to someone, you expect a response back as soon as possible. Many people never take the time to spell words correctly, even though there is a spell checker. To prove my point further, people use those silly abbreviations like "r u there" rather than taking the time to spell out the full words. We live in a fast-paced world.
If you have ever been the perpetrator of this innocent but stupid accident, don't despair; you won't be the only one put in corporate timeout. An office worker who works for Patrick Fitzgerald, a U.S. Attorney in Chicago, sent an e-mail to the media that contained the names of 24 confidential witnesses involved in a federal probe. In October of 2007, the U.S. House's Committee on the Judiciary released the names of 150 whistleblowers who sent in tips about abuses at the Department of Justice. In 2006, the Director of Admissions at the UC Berkeley Law School accidentally sent out letters of acceptance to all 7,000 students who applied to the school that year. It was a very efficient way of notifying students of their acceptance, except that only 800 students should have received the congratulatory letter. Needless to say, multiple letters followed apologizing for the mistake.
We can look at these incidents and think, how dumb can you get? It's the really dumb things that we do that put our organizations at risk. If we look at the UC Berkeley Law School example, that could have been 7,000 Social Security numbers that were sent out instead of acceptance notices.
As a security professional, I hate to hear about these types of security breaches because they are hard to deal with. In these situations, I find it best to use people, policy, process and technology to come up with a solution:
People: As part of your training program, trainers should include coverage of incidents like those mentioned above. Awareness is very important.
Policy: As part of your Acceptable Use Policy, include a statement about sending company intellectual property through e-mail.
Process: As part of your training program, teach employees to create drafts first. Any e-mail that could go out to a large group should definitely be made a draft and reviewed by multiple people before sending.
Technology: If all of the above fails, a script could be created that pops up a message after you hit the send button to ask, "Do you really want to send this?"
You have to do a risk analysis on these types of potential breaches to see what it would cost to prevent them. Just keep in mind what it would cost in lawsuits and losses to your organization's reputation if they did occur. I am cautiously hitting the send key now.