Pau Lo asked:

Safeguards for sending email to the wrong person

We have had a couple of issues whereby users (due to Outlook's auto name feature – no idea what the technical term is, but in the To field, if you enter S, for example, it then pre-populates people you have emailed before whose surnames begin with S) have mistakenly sent data to the wrong people. Fortunately this has as yet not been sensitive data but does appear to be a disaster waiting to happen.

Our managers are keen to incorporate any attachments with sensitive data to have password protection on them which must be communicated to the other party via another means, i.e. phone call. I am aware of the limitations in terms of say a docx password as they seem easy to crack.

But what other solutions are there that are idiot proof? I.e. to safeguard you the company from someone naively sending the email to the wrong person? What can be done to address this issue? Anything built into Outlook/Exchange that can help, or additional tools? Someone mentioned digital certs but I can't see how that helps, I just see that as encrypted to prevent interception? Whereas in this case interception isn't the worry, it's sending to the wrong person, who will just get it plain text in their inbox?

Please keep answers low tech management friendly.
Security, Exchange, Outlook

Last comment: apache09, 8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Tom Scott

Pau Lo

ASKER
I wasn't sure if there was any technical solution whereby the recipient needs to do something to open the data they receive via email. Hence the idea behind passwords on the attachments, not failproof but probably better than nothing? I don't know enough about the tools like PGP aside from they encrypt the data and prove the email's integrity, wasn't sure if any features in tools such as PGP could assist...
Tom Scott

PGP and similar tools usually key on the recipient. That is, if one encrypts a message, and any associated payload, the resulting message's decryption is specific to the recipient.

Further restated, the recipient would have their own key and just because the sender mistakenly selected the recipient, the software "does not know that" and the recipient's personal decryption key will work just fine.

There are a number of technical tactics that can be used, but once folks get used to a certain set of technical/procedural steps, they start to fly on autopilot.  To some extent the more complex the task put in front of a user, the more likely they will rush through it and make mistakes including sending sensitive information to the wrong destination or destinations.

FIRST and FOREMOST, this is a training and management issue.  Automation has its place, but it never replaces good training, consistent accountability AND managerial consistency ("spine").

Soap Box Warning:
Sorry to put a fine edge on it, but...  Time and again I come across managers and managerial groups that want to replace training, accountability and sound management practices with automation.  The recurring motivation seems to be a desire to avoid the discomfort of forcing someone to do their job through "positive and negative reinforcement".  Everybody wants to be liked and managers are no different.  However, they, their staff and company lose efficiency and may just plain fail as a result.  Further, the end result is nobody is happy in the long run.  This is key because after a while employees start to rebel against being treated like spoiled children, often paying even less attention to detail.

 - Tom
Pau Lo

ASKER
I agree with you Tom I really do, but out of interest:

>>There are a number of technical tactics that can be used,

I would like to hear about these if you are willing to share?
SOLUTION
SeaSenor

Pau Lo

ASKER
I agree with you both but the question was to explore any technical solutions that can assist, which Tom has hinted at above...
SeaSenor

Here is a link with some methods to clear the cache.

It is not completely automated, however, with a couple of the methods, you might be able to script a solution... especially Outlook 2010, but maybe even 2007.


http://support.microsoft.com/?kbid=287623
SeaSenor

Easier to just disable it altogether though.

In Outlook 2007 and 2003,
click Tools, E-mail Options, Advanced E-mail Options,
then clear the "Suggest names while completing To, Cc, and Bcc fields" check box.
SeaSenor

In Outlook 2010,
Click the File menu and Select Options.
In the Outlook Options window Click the Mail tab.
Scroll down roughly halfway until you see Send messages. Uncheck the Use Auto-Complete List to suggest names when typing in the To, Cc, and Bcc lines box.

Optional: To clear out the Auto-Complete list, simply Click the Empty Auto-Complete List button.
SeaSenor

You can do this with group policy I believe, but may have to add some .adm or .admx file.

With many users, probably worth the effort.
SeaSenor

Here is a link for encrypting messages if you'd like to pursue that option.


http://office.microsoft.com/en-us/outlook-help/encrypt-e-mail-messages-HP001230536.aspx
SeaSenor

I have a Barracuda spam firewall. It has some capability for encrypting messages.
Could be an option for you....


http://www.barracudanetworks.com/ns/news_and_events/index.php?nid=53
SeaSenor

And lastly, here is information for using Exchange 2010.

It has promise, but comes with some setup effort.


http://technet.microsoft.com/en-us/library/dd638140

http://technet.microsoft.com/en-us/library/dd351212.aspx
SeaSenor

Are these the suggestions/solutions you are looking for?
Pau Lo

ASKER
>Use public key encryption to encrypt all attachments. Symantec Endpoint Protection/Pretty Good Privacy



Never used such tools but aren't they just for encrypting during transmit, i.e. it's encrypted when sending it to the right person and encrypted when sending to the wrong person?
Pau Lo

ASKER
>Set up security controls so that sensitive files cannot be emailed or otherwise copied

What controls can prevent such and what if the data genuinely needs sharing externally what's a more secure way of transfer?
David Johnson, CD

>Never used such tools but aren't they just for encrypting during transmit, i.e. it's encrypted when sending it to the right person and encrypted when sending to the wrong person?

All attachments are encrypted, with the receiver's public key and your private key, the receiver must have a copy of your public key and use their private key to decrypt the file. This proves that it was sent by you and also that it is being received by the legitimate recipient.

The problem that I can see here is if Supplier A, and Supplier B are legitimate recipients and the keys are shared and a document meant for Supplier B is sent to Supplier A it will be encrypted with Supplier A's keys and can be decrypted.

>What controls can prevent such and what if the data genuinely needs sharing externally what's a more secure way of transfer?

The only person that can access the file is an employee that requires access to the file in order to perform their job, and with a DRM policy only managers or specifically designated employees can email the file
Encrypting the files and selective dissemination of the passwords using zip/rar/truecrypt.
Physical transportation of the file by a bonded company or employee

Security and ease of access are mutually exclusive, the more you increase one the more the other is reduced.
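
The point made in the answers above about recipient-keyed encryption, as an added example that is not part of the thread: the encryption key is picked from whatever address is in the To field, so a misaddressed message decrypts and verifies cleanly for the wrong recipient. The addresses, the textbook-RSA toy keys on tiny primes, and the function names are all constructed for illustration.

```python
import hashlib

def make_key(p, q, e):
    # Textbook RSA on tiny primes: constructed toy keys, for illustration only.
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}

# Constructed keyring (addresses and keys are assumptions made for this example).
# One table holds every private key only so the demo can play all three parties.
KEYS = {
    "sender@example.com": make_key(101, 113, 3),
    "supplier-a@example.com": make_key(61, 53, 17),
    "supplier-b@example.com": make_key(89, 97, 5069),
}

def digest(doc, n):
    return int.from_bytes(hashlib.sha256(doc).digest(), "big") % n

def send(sender, to, doc):
    """Sign with the sender's private key, encrypt to the address in the To field."""
    s, r = KEYS[sender], KEYS[to]  # the key follows the typed address, nothing else
    sig = pow(digest(doc, s["n"]), s["d"], s["n"])
    body = [pow(b, r["e"], r["n"]) for b in doc]  # byte-wise, toy only
    return {"from": sender, "to": to, "body": body, "sig": sig}

def open_as(reader, msg):
    """Plaintext if reader's private key decrypts and the signature verifies, else None."""
    k, s = KEYS[reader], KEYS[msg["from"]]
    plain = [pow(c, k["d"], k["n"]) for c in msg["body"]]
    if any(v > 255 for v in plain):
        return None  # wrong private key: output is not valid bytes
    doc = bytes(plain)
    valid = pow(msg["sig"], s["e"], s["n"]) == digest(doc, s["n"])
    return doc if valid else None

DOC = b"Quote for Supplier B: ACME unit price 4.20"  # constructed sample attachment
# The user meant supplier-b, but auto-complete filled in supplier-a.
misaddressed = send("sender@example.com", "supplier-a@example.com", DOC)

if __name__ == "__main__":
    # Wrong recipient: decrypts and the sender's signature checks out.
    print("supplier-a:", open_as("supplier-a@example.com", misaddressed))
    # Intended recipient holds no key that opens this copy.
    print("supplier-b:", open_as("supplier-b@example.com", misaddressed))
```

The encryption still does its job against third parties; what it cannot do is notice that the address it was given is not the one the sender meant.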
SeaSenor

As a start, I would take the steps I mentioned in my 2nd thru 5th posts.

This will be a "low tech" (and free) step for management to see that the situation is improved and you are working on further tightening things up.