Safeguards for sending email to the wrong person

pma111
We have had a couple of issues whereby users (due to Outlook's auto name feature – no idea what the technical term is, but in the To field, if you enter S, for example, it then pre-populates people you have emailed before whose surnames begin with S) have mistakenly sent data to the wrong people. Fortunately this has as yet not been sensitive data but does appear to be a disaster waiting to happen.

Our managers are keen to incorporate any attachments with sensitive data to have password protection on them which must be communicated to the other party via another means, i.e. phone call. I am aware of the limitations in terms of say a docx password as they seem easy to crack.

But what other solutions are there that are idiot proof? I.e. to safeguard you, the company, from someone naively sending the email to the wrong person? What can be done to address this issue? Anything built into Outlook/Exchange that can help, or additional tools? Someone mentioned digital certs but I can't see how that helps; I just see that as encryption to prevent interception? Whereas in this case interception isn't the worry, it's sending to the wrong person, who will just get it in plain text in their inbox?

Please keep answers low tech management friendly.
Consultant
Commented:
This is a training and management issue.  Sounds flippant but the answer is management has to communicate to the users that they are accountable for the data they send via any means.

This is no different than if someone presses the wrong speed-dial button on the fax machine and sends a sensitive document to the wrong recipient.  The situation is virtually the same and automation alone can't fix the problem you are trying to address.

The key is user accountability.

 - Tom

Author

Commented:
I wasn't sure if there was any technical solution whereby the recipient needs to do something to open the data they receive via email. Hence the idea behind passwords on the attachments, not failproof but probably better than nothing? I don't know enough about tools like PGP aside from that they encrypt the data and prove the email's integrity; I wasn't sure if any features in tools such as PGP could assist .....

Tom Scott
Consultant

Commented:
PGP and similar tools usually key on the recipient.  That is, if one encrypts a message, and any associated payload, the resulting message's decryption is specific to the recipient.

Further restated, the recipient would have their own key and just because the sender mistakenly selected the recipient, the software "does not know that" and the recipient's personal decryption key will work just fine.

There are a number of technical tactics that can be used, but once folks get used to a certain set of technical/procedural steps, they start to fly on autopilot.  To some extent the more complex the task put in front of a user, the more likely they will rush through it and make mistakes including sending sensitive information to the wrong destination or destinations.

FIRST and FOREMOST, this is a training and management issue.  Automation has its place, but it never replaces good training, consistent accountability AND managerial consistency ("spine").

Soap Box Warning:
Sorry to put a fine edge on it, but...  Time and again I come across managers and managerial groups that want to replace training, accountability and sound management practices with automation.  The recurring motivation seems to be a desire to avoid the discomfort of forcing someone to do their job through "positive and negative reinforcement".  Everybody wants to be liked and managers are no different.  However, they, their staff and company lose efficiency and may just plain fail as a result.  Further, the end result is nobody is happy in the long run.  This is key because after a while employees start to rebel against being treated like spoiled children, often paying even less attention to detail.

 - Tom
Author

Commented:
I agree with you Tom I really do, but out of interest:

>>There are a number of technical tactics that can be used,

I would like to hear about these if you are willing to share?
Commented:
go Tom!

not to hijack this thread... but just wanted to agree...

IT staff just keep on getting hammered with more and more demands to keep other people from having to work so hard.. umm... if you call being awake working hard.

I sometimes have to just say no, at the expense of my job... otherwise it's the expense of my sanity and personal life, and at the expense of more important, core job duties.

so.. the 'spine' has to be present at all levels... management, IT staff, and end users.

Author

Commented:
I agree with you both but the question was to explore any technical solutions that can assist which tom has hinted at above....

Commented:
Here is a link with some methods to clear the cache.

it is not completely automated, however, with a couple of the methods, you might be able to script a solution.... especially Outlook 2010, but maybe even 2007.


http://support.microsoft.com/?kbid=287623

Commented:
Easier to just disable it altogether though.

In Outlook 2007 and 2003,
click Tools, E-mail Options, Advanced E-mail Options,
then clear the "Suggest names while completing To, Cc, and Bcc fields" check box.

Commented:
In Outlook 2010,
Click the File menu and Select Options.
In the Outlook Options window Click the Mail tab.
Scroll down roughly halfway until you see Send messages. Uncheck the Use Auto-Complete List to suggest names when typing in the To, Cc, and Bcc lines box.

Optional: To clear out the Auto-Complete list, simply Click the Empty Auto-Complete List button.

Commented:
You can do this with group policy I believe, but may have to add some .adm or .admx file

with many users, probably worth the effort.

Commented:
Here is a link for encrypting messages if you'd like to pursue that option.


http://office.microsoft.com/en-us/outlook-help/encrypt-e-mail-messages-HP001230536.aspx

Commented:
I have a Barracuda spam firewall. It has some capability for encrypting messages.
Could be an option for you....


http://www.barracudanetworks.com/ns/news_and_events/index.php?nid=53

Commented:
and lastly, here is information for using Exchange 2010.

it has promise, but comes with some set up effort.


http://technet.microsoft.com/en-us/library/dd638140

http://technet.microsoft.com/en-us/library/dd351212.aspx

Commented:
Are these the suggestions/solutions you are looking for?
Top Expert 2016
Commented:
How to protect sensitive data

Any machine that contains sensitive data is to be on its own network and not to be accessible by any machine that can be connected to the internet.

Disable all removable media that is writeable.

Set up security controls so that sensitive data cannot be accessed unless the person has a need to know the information.

Set up security controls so that sensitive files cannot be emailed or otherwise copied

Set up a DRM security control that controls access to the files that will not allow copying, saving, printing.

Use public key encryption to encrypt all attachments. Symantec Endpoint Protection/Pretty Good Privacy

Put the contents of the attachments into another container i.e. zip/rar/7zip that is password protected. Password must be sent via other means, if file is sent via email then the password cannot also be sent via email.

Disable the .nk2 Autocomplete function.

Lastly but most important, staff training and accountability.

Author

Commented:
>Use public key encryption to encrypt all attachments. Symantec Endpoint Protection/Pretty Good Privacy



Never used such tools, but aren't they just for encrypting during transmit, i.e. it's encrypted when sending it to the right person and encrypted when sending to the wrong person?

Author

Commented:
>Set up security controls so that sensitive files cannot be emailed or otherwise copied

What controls can prevent such and what if the data genuinely needs sharing externally what's a more secure way of transfer?
Top Expert 2016

Commented:
>Never used such tools but aren't they just for encrypting during transmit, ie its encrypted when sending it to the right person and encrypted when sending the wrong person?

All attachments are encrypted with the receiver's public key and your private key; the receiver must have a copy of your public key and use their private key to decrypt the file. This proves that it was sent by you and also that it is being received by the legitimate recipient.

The problem that I can see here is if Supplier A, and Supplier B are legitimate recipients and the keys are shared and a document meant for Supplier B is sent to Supplier A it will be encrypted with Supplier A's keys and can be decrypted.

>What controls can prevent such and what if the data genuinely needs sharing externally what's a more secure way of transfer?

The only person that can access the file is an employee that requires access to the file in order to perform their job, and with a DRM policy only managers or specifically designated employees can email the file
Encrypting the files and selective dissemination of the passwords using zip/rar/truecrypt.
Physical transportation of the file by a bonded company or employee

Security and ease of access are mutually exclusive, the more you increase one the more the other is reduced.

Commented:
As a start, I would take the steps I mentioned in my 2nd thru 5th posts.

This will be a "low tech" (and free) step for management to see that the situation is improved and you are working on further tightening things up.
Top Expert 2012
Commented:
Despite the discussion on whether or not this is a training issue

To answer your question, accidentally sending an email to the wrong recipient can be combated with a simple macro that will display a warning before sending an email

The one in the link below is for warning a user they have a blank subject
But it can be modified to warn the user to check they have entered the correct recipient.

http://www.slipstick.com/outlook/email/macro-to-warn-before-sending-a-message-with-a-blank-subject/

No, if they click through it and it still goes to the wrong recipient, there's not much you can do...

Alternatively, as mentioned above there are MANY ways to encrypt the message on the sender end and recipient's end

Just depends on what your budget is.
You can spend $ for a simple encryption tool, up to $$$$$ for a complete end point security  Enterprise Solution

Slipstick is a good resource for them.

If this sounds a bit of you, have a look at what's available, as you will need a solution that fits your environment as well as your budget

http://www.slipstick.com/addins/security-addins/message-security-and-classification-tools

http://www.slipstick.com/addins/security-addins/encryption-and-message-security-tools/
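
The recipient-check variant of the send-warning macro suggested in the post above, as an added example that is not part of the original thread and is not the linked Slipstick macro. It lists every recipient outside the company domain and asks for confirmation before the message leaves; the `INTERNAL_DOMAIN` value is a constructed placeholder and the helper name `SmtpAddressOf` is hypothetical.

```vba
' Added example: paste into ThisOutlookSession (Alt+F11 in Outlook).
' INTERNAL_DOMAIN is a constructed placeholder; set it to your own mail domain.
Option Explicit

Private Const INTERNAL_DOMAIN As String = "@example.com"
Private Const PR_SMTP_ADDRESS As String = _
    "http://schemas.microsoft.com/mapi/proptag/0x39FE001E"

' Exchange recipients expose an X.500 path in .Address, so ask MAPI for the SMTP form first.
Private Function SmtpAddressOf(ByVal rcpt As Outlook.Recipient) As String
    Dim addr As String
    On Error Resume Next
    addr = rcpt.PropertyAccessor.GetProperty(PR_SMTP_ADDRESS)
    On Error GoTo 0
    If Len(addr) = 0 Then addr = rcpt.Address
    SmtpAddressOf = LCase$(addr)
End Function

Private Sub Application_ItemSend(ByVal Item As Object, Cancel As Boolean)
    Dim rcpt As Outlook.Recipient
    Dim addr As String
    Dim outsideList As String
    Dim prompt As String

    If Not TypeOf Item Is Outlook.MailItem Then Exit Sub

    For Each rcpt In Item.Recipients
        addr = SmtpAddressOf(rcpt)
        ' Anything that does not end in the internal domain is treated as external,
        ' including recipients whose address could not be resolved.
        If Right$(addr, Len(INTERNAL_DOMAIN)) <> LCase$(INTERNAL_DOMAIN) Then
            outsideList = outsideList & vbCrLf & "  " & rcpt.Name & " <" & addr & ">"
        End If
    Next rcpt

    If Len(outsideList) = 0 Then Exit Sub   ' internal-only mail is not interrupted

    prompt = "This message goes outside the company to:" & vbCrLf & outsideList
    If Item.Attachments.Count > 0 Then
        prompt = prompt & vbCrLf & vbCrLf & "It carries " & _
                 Item.Attachments.Count & " attachment(s)."
    End If
    prompt = prompt & vbCrLf & vbCrLf & "Send it?"

    ' Default button is No, so pressing Enter on autopilot cancels the send.
    If MsgBox(prompt, vbYesNo + vbExclamation + vbDefaultButton2, _
              "Check recipients") = vbNo Then Cancel = True
End Sub
```

Prompting only for external recipients keeps the dialog rare enough that users are less likely to click through it by habit, which is the failure mode raised earlier in the thread.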
