War stories: for your eyes only

There are few things that make for as amusing reading as an acceptable use policy. In some organizations that I’ve been through, it was clear that no one had ever read their unicorn-esque like policy document. Some of the components were clearly not something that could be implemented.

I have been met with the phrase “but, we have a policy” a few times. I said, “Great, can you show me who has read it?” After a long pause they said, “Well they are required to have read it.”

This is why I used to chew on Advils like they were candy. Logic flows were broken in many places along the way. In one such organization there was a need to send out emails with important information for the entire organization on a fairly consistent basis. The assumption that was made from high atop Mount Olympus was that people were inherently good and would never dream of causing the company undue harm.

I’ve never been one to harbor such delusions. While these might be warm and fuzzy ideas, they can leave an organization exposed if there are not compensating controls in place. Then, there was the mother of all emails. The CEO sent out a company wide email with important information that would affect the stock price were it to get leaked prior to publication. That was slated for the next morning.

The markets were still open. There were two hours left in the trading day and this email went out without any heads up to the security team. The reason it would have been nice to give the security team a heads up was that they were handling the egress filtering for email. This email, that should have at least waited until after market close, could have been filtered from anyone sending it outbound.

And let me tell you, people were forwarding this one. Ultimately, the markets got wind of the the contents of the email and the stock price went into a tail spin. This was grim and it was thoroughly avoidable. There was no reason why this could not have been avoided. Had the C-suite support team given a heads up then filters could have been put in place. About 15 emails made it out the door before we put in a filter. After that, the filter grabbed a few dozen more.

Proper coordination would have saved, or at least reduced the risk of, the email from leaking before the close of business. Ideally it should have been held until the end of the day. There was an agreement in principle to alert the security team prior to an email like this being issued, but the process broke down. This was a strong illustration of the need to constantly communicate throughout the business to ensure security has the visibility required.

After the stock price dumpster fire came to its logical conclusion there was a call for people to be fired. Problem was that there was no enforcement of the acceptable use policy document. Sure, it existed but HR had done nothing to ensure that anyone had read and signed it. No one got the gate that day, but there were valuable, if not costly, lessons learned.

Something as simple as an email from the C-suite can turn the world on it’s ear if it gets to the wrong people at the wrong time of day. Be sure to have solid lines of communication established throughout your business and hopefully you won’t have to live through that nightmare as well.