



How is your email security hygiene?

Sep 28, 2017
4 mins
Cloud Security | Data and Information Security | Email Clients

With the ongoing hacks of major corporations, many employees still don’t understand that when writing an email, there are security and hygiene issues that need to be considered before they hit the send button.


With the recent news of the Deloitte internal email systems breach, maybe it’s time to reassess how we craft our emails.

Gone are the days when you could take comfort that a TLS connection to another firm would keep your messages from being read by unauthorized individuals. TLS protects a message only while it is in transit between mail servers; once it is sitting in a mailbox, an archive or a backup, it is readable by whoever controls that system. Unless your messages remain encrypted end to end, you now must assume a worst-case scenario in which your emails are accessed illegally by a hacker or an unauthorized insider.

As an adjunct professor of cybersecurity at Rutgers University, I tell my students that hackers look for the path of least resistance. If they can use an exploit to get into a system, they will use that method rather than, for example, trying to brute-force their way into a victim's network. Getting access to a messaging server usually provides a wealth of information that can be used for further attacks, including spear phishing.

Employees at most organizations are told they must use only company email systems for company business because those systems are protected. Once such a system is breached, it may no longer be a secure way of doing business until it has been re-secured.

I vividly remember when the HBGary email hack occurred in 2011. I had been discussing some work with one of their salespeople and had asked my staff to follow up. When Anonymous announced that they had hacked the email server and were going to release all the emails, the first thing that came into my mind was what information we had put in those emails that was confidential and protected by our NDA. What would this mean for my career if senior management was livid, even though we had shared only the information needed to do business with them? Finally, I wondered if there were any comments that would reflect badly on any of my staff or on the company.

As luck would have it, very few emails that were released by Anonymous contained information about my company since we were only in the initial stages of looking at their service.

Needless to say, it was a scary moment which made me search my memory banks and recall any emails I may have sent out from my corporate or even personal email account that would reflect badly on me or my company at the time.

From that point on I decided that I needed to review my emails for more than the basic security items we usually look for. I also decided that if I needed to discuss an issue with an employee that might not be taken the same way in writing as in a conversation (the same can be said about texting), I would address it in person or over the phone. Information that I needed to document and that had to be sent in an email would be sent that way, but only the minimal facts would be included.

After that incident, I put together a list of what I needed to review before I sent out an email. Here are some of the things I check for and I’m sure there are more you may think of in your organization.

  1. Always review an email as though it might be read by someone other than the intended recipient. This could be a co-worker of the recipient or an unauthorized person. In a worst-case scenario, it could be a prosecutor who could also misinterpret your message.
  2. Make sure that if you are including any company confidential information, it is protected according to your organization's data classification standards.
  3. Do not criticize people in your email; write as though that person were standing in front of you. If you must say something critical about someone, it is probably better to pick up the phone, call the intended email recipient and explain it to them.
  4. Make sure that your email is addressed to the correct people before you hit send, and if your organization has additional safeguards (such as external-recipient warnings or data loss prevention checks), use them.
  5. When you Bcc someone on a confidential email, don't expect them to know not to forward it to someone else unless you tell them in advance. A better solution is to send the initial email with a note not to forward it to anyone who is not on the recipient list, and then forward a copy to the person you would otherwise have Bcc'd.
  6. Finally, before hitting send, think about whether there would be any ramifications for you, your co-workers or your organization if this email were published on the internet for all to see.

While these tips are not foolproof, they are a good start toward risk reduction and practicing good security and email hygiene.


Mitch Zahler has served on the Executive Threat Intelligence Committee for the FS/ISAC (Financial Services Information Sharing and Analysis Center) as well as continuing to serve other security and fraud advisory boards. He is a Certified Information Security Manager and certified in Risk and Information Systems Controls.

Mitch is currently Chief Information Security Officer at Proactive Cyber Security, which focuses on SMB security, and has previously worked for global organizations such as HSBC Bank, Republic National Bank, American Express, Bear Stearns and Deloitte.

With more than 20 years of experience in the information security and risk field, Mitch's breadth of knowledge crosses numerous disciplines, including global security incident response, security architecture and design, data loss prevention, fraud, cyber forensics and incident management.

Mitch is an innovative, strategic, entrepreneurial and tactical information security risk executive with a proven record of leading international teams, as well as a trusted adviser to senior stakeholders.

Over the past few years he has begun taking more of an interest in the lack of effective security and risk programs in small- and medium-sized businesses as they become more of a target for security and regulatory compliance and fraud issues.

Mitch is also an Adjunct Professor teaching students Information Security at Rutgers University.

The opinions expressed in this blog are those of Mitch Zahler and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.