Pau Lo

Safeguards for sending email to the wrong person

We have had a couple of issues whereby users (due to Outlook's auto name feature – no idea what the technical term is, but in the To field, if you enter S, for example, it then pre-populates people you have emailed before whose surnames begin with S) have mistakenly sent data to the wrong people. Fortunately this has as yet not been sensitive data but does appear to be a disaster waiting to happen.

Our managers are keen to incorporate any attachments with sensitive data to have password protection on them which must be communicated to the other party via another means, i.e. phone call. I am aware of the limitations in terms of say a docx password as they seem easy to crack.

But what other solutions are there that are idiot proof? I.e. to safeguard you, the company, from someone naively sending the email to the wrong person? What can be done to address this issue? Anything built into Outlook/Exchange that can help, or additional tools? Someone mentioned digital certs but I can't see how that helps; I just see that as encryption to prevent interception? Whereas in this case interception isn't the worry, it's sending to the wrong person, who will just get it in plain text in their inbox?

Please keep answers low tech and management friendly.
ASKER CERTIFIED SOLUTION
Tom Scott
Pau Lo

ASKER

I wasn't sure if there was any technical solution whereby the recipient needs to do something to open the data they receive via email. Hence the idea behind passwords on the attachments, not failproof but probably better than nothing? I don't know enough about the tools like PGP aside from that they encrypt the data and prove the email's integrity; I wasn't sure if any features in tools such as PGP could assist .....

PGP and similar tools usually key on the recipient. That is, if one encrypts a message, and any associated payload, the decryption of the resulting message is specific to the recipient.

Further restated, the recipient would have their own key and just because the sender mistakenly selected the recipient, the software "does not know that" and the recipient's personal decryption key will work just fine.

There are a number of technical tactics that can be used, but once folks get used to a certain set of technical/procedural steps, they start to fly on autopilot.  To some extent the more complex the task put in front of a user, the more likely they will rush through it and make mistakes including sending sensitive information to the wrong destination or destinations.

FIRST and FOREMOST, this is a training and management issue.  Automation has its place, but it never replaces good training, consistent accountability AND managerial consistency ("spine").

Soap Box Warning:
Sorry to put a fine edge on it, but...  Time and again I come across managers and managerial groups that want to replace training, accountability and sound management practices with automation.  The recurring motivation seems to be a desire to avoid the discomfort of forcing someone to do their job through "positive and negative reinforcement".  Everybody wants to be liked and managers are no different.  However, they, their staff and company lose efficiency and may just plain fail as a result.  Further, the end result is nobody is happy in the long run.  This is key because after a while employees start to rebel against being treated like spoiled children, often paying even less attention to detail.

 - Tom
Pau Lo

ASKER

I agree with you Tom I really do, but out of interest:

>>There are a number of technical tactics that can be used,

I would like to hear about these if you are willing to share?
Pau Lo

ASKER

I agree with you both, but the question was to explore any technical solutions that can assist, which Tom has hinted at above....
Here is a link with some methods to clear the cache.

It is not completely automated; however, with a couple of the methods, you might be able to script a solution.... especially Outlook 2010, but maybe even 2007.

http://support.microsoft.com/?kbid=287623
Easier to just disable it altogether though.

In Outlook 2007 and 2003:
Click Tools, Email Options, Advanced Email Options, then clear the "Suggest names while completing To, Cc, and Bcc fields" check box.

In Outlook 2010:
Click the File menu and select Options.
In the Outlook Options window, click the Mail tab.
Scroll down roughly halfway until you see "Send messages". Uncheck the "Use Auto-Complete List to suggest names when typing in the To, Cc, and Bcc lines" box.

Optional: To clear out the Auto-Complete list, simply click the Empty Auto-Complete List button.
You can do this with Group Policy, I believe, but may have to add some .adm or .admx file.

With many users, probably worth the effort.
Here is a link for encrypting messages if you'd like to pursue that option.


http://office.microsoft.com/en-us/outlook-help/encrypt-e-mail-messages-HP001230536.aspx
I have a Barracuda spam firewall. It has some capability for encrypting messages.
Could be an option for you....


http://www.barracudanetworks.com/ns/news_and_events/index.php?nid=53
And lastly, here is information for using Exchange 2010.

It has promise, but comes with some setup effort.

http://technet.microsoft.com/en-us/library/dd638140

http://technet.microsoft.com/en-us/library/dd351212.aspx
Are these the suggestions/solutions you are looking for?
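
The Auto-Complete steps from the replies above, scripted for the logged-on user as an added example (not code from the thread or from Microsoft). It assumes `ShowAutoSug` under each version's `Outlook\Preferences` key is the value behind the "suggest names" check box, and that 11.0, 12.0 and 14.0 are the version keys for Outlook 2003, 2007 and 2010.

```powershell
# Added example, not from the thread: clear the "suggest names" setting for
# the logged-on user in every Outlook version that has a profile here.
# Assumed names: the ShowAutoSug DWORD and the 11.0/12.0/14.0 version keys.

$versions = [ordered]@{
    '11.0' = 'Outlook 2003'
    '12.0' = 'Outlook 2007'
    '14.0' = 'Outlook 2010'
}

$report = foreach ($ver in $versions.Keys) {
    $outlookKey = "HKCU:\Software\Microsoft\Office\$ver\Outlook"
    if (-not (Test-Path $outlookKey)) { continue }   # version never used by this user

    $prefs = Join-Path $outlookKey 'Preferences'
    if (-not (Test-Path $prefs)) { New-Item -Path $prefs -Force | Out-Null }

    # Record the previous value so the change can be audited or rolled back.
    $old = (Get-ItemProperty -Path $prefs -Name ShowAutoSug -ErrorAction SilentlyContinue).ShowAutoSug

    # 0 = do not suggest names while typing in To, Cc and Bcc.
    New-ItemProperty -Path $prefs -Name ShowAutoSug -PropertyType DWord -Value 0 -Force | Out-Null

    [pscustomobject]@{
        Product  = $versions[$ver]
        Previous = if ($null -eq $old) { 'not set' } else { $old }
        Current  = (Get-ItemProperty -Path $prefs -Name ShowAutoSug).ShowAutoSug
    }
}

if ($report) { $report | Format-Table -AutoSize }
else { Write-Output 'No Outlook 2003/2007/2010 profile found for this user.' }
```

Run as a logon script, this only sets a per-user preference that the user can tick again; the Group Policy route mentioned above is what makes the setting stick.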
Pau Lo

ASKER

>Use public key encryption to encrypt all attachments. Symantec Endpoint Protection/Pretty Good Privacy

Never used such tools, but aren't they just for encrypting during transmit, i.e. it's encrypted when sending it to the right person and encrypted when sending it to the wrong person?
Pau Lo

ASKER

>Set up security controls so that sensitive files cannot be emailed or otherwise copied

What controls can prevent such, and what if the data genuinely needs sharing externally, what's a more secure way of transfer?

>Never used such tools, but aren't they just for encrypting during transmit, i.e. it's encrypted when sending it to the right person and encrypted when sending it to the wrong person?

All attachments are encrypted with the receiver's public key and your private key; the receiver must have a copy of your public key and use their private key to decrypt the file. This proves that it was sent by you and also that it is being received by the legitimate recipient.

The problem that I can see here is if Supplier A, and Supplier B are legitimate recipients and the keys are shared and a document meant for Supplier B is sent to Supplier A it will be encrypted with Supplier A's keys and can be decrypted.

>What controls can prevent such, and what if the data genuinely needs sharing externally, what's a more secure way of transfer?

The only person that can access the file is an employee that requires access to the file in order to perform their job, and with a DRM policy only managers or specifically designated employees can email the file
Encrypting the files and selective dissemination of the passwords using zip/rar/truecrypt.
Physical transportation of the file by a bonded company or employee

Security and ease of access are mutually exclusive, the more you increase one the more the other is reduced.
As a start, I would take the steps I mentioned in my 2nd thru 5th posts.

This will be a "low tech" (and free) step for management to see that the situation is improved and you are working on further tightening things up.