Cybersecurity 103

Curb the Cyber Threat


  • There are two types of businesses: those that have been electronically attacked and those that have yet to be attacked. Determined attacks on most companies have been successful.
  • The cybersecurity threat comes not only from criminals, hackers and terrorists, but also from well-organized, sophisticated and well-funded state actors.
  • These state or state enterprise actors do not share Western values. They believe that foreign laws do not apply to them. They consider themselves simply to be doing legitimate “market intelligence.”
  • Companies are forced to wage cyber-combat with foreign states every day.
  • Rather than building a perimeter defence to keep bad actors totally out, many companies are now moving in the direction of only isolating the company's most valuable assets. These companies have determined that it is not possible to protect all information in the company.
  • Security is a balance – 100 per cent security and 100 per cent corporate functionality at the same time is not possible.
  • The terrorist cyber threat is different. Unlike state actors, terrorists are looking to break an economy, not simply to bend it.

Email is a Postcard


  • Just like a postcard, an email passes through many hands. However, an email can live forever and be searchable forever, while a postcard can be easily discarded or destroyed. Email is much less secure.
  • Very few people understand how email works. Emailing is not akin to accessing a website whereby information flows directly from the website to your computer.
  • Email does not go directly from one person to another. A typical email is fully stored and searchable on about six computers, sometimes more: your own computer, your company’s email computer, your company’s Internet service provider’s computer, the email destination user’s Internet service provider’s computer, the email destination user’s company’s computer, and the destination user’s computer.
  • Your permission is not needed for anyone to access your email. Government authorities can obtain legal authorization to access it from any of the six or more computers.
  • Clever youngsters can deploy readily available and simple-to-install email “sniffers” that can access any email.
  • Someone in a company’s IT department can find out more about what is going on at the company than the CEO. The penalty for snooping on a colleague’s emails, if detected, is, at most, dismissal. Companies rarely involve the police in such misdemeanors. The full extent of email snooping is, therefore, unknown.
  • Then there are outside hackers whose motivation may include financial gain, industrial espionage, government intelligence, personal animosity or simply the challenge of doing something difficult. 
  • The information on computers is fully accessible via passwords. People write their passwords down and leave them easily accessible, perhaps even on a sticky note attached to a computer screen. The same passwords are used over and over and can fairly easily be accessed by hackers who can go through millions of possibilities in a short time.
  • People will reveal their password to colleagues -- or to those purporting to be colleagues, often by telephone. There are still scams initiated overseas by scoundrels pretending to be from the IT department who need your password to “fix a virus.” To make matters worse, hackers can use an email sniffer, which copies email while the email is in transit between computers.
  • Computer storage used to be limited, and, therefore, email was only kept for a relatively short time before being discarded and overwritten by new email. However, storage is now so cheap and abundant that many companies keep all emails for years, perhaps forever. The storage space on personal computers is so large that even if you purposely “delete” all your sent and received emails, they may not be fully overwritten for years. Deleting an email or a file does not generally remove the document – it is like whiting out a chapter name in a book’s table of contents: the chapter is no longer listed, but it is still there.
  • Anyone who gains access to a vast store of emails can easily search through them to find the information that interests them.
  • That your emails reside on so many computers is one reason for concern. Another more important reason is that they can remain there for years. Most companies back up their email computers regularly. Often those backups are maintained for many years. If they are not actively destroyed, they live on forever.
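The hop chain described above, as an added example that is not part of the original article: every relay that handles a message prepends a Received: header, so an email's own headers record the servers that held a copy of it on the way. The sample message, hostnames and addresses below are constructed placeholders.

```python
"""List the mail servers an email passed through, from its Received: headers.
Added example, not from the article; sample message, hosts and addresses are constructed."""
import email
import re
from email import policy

# Constructed sample. Each relay prepends its own Received: header, so the top
# header is the newest hop and the bottom one is the sender's PC handing the
# message to the company mail server (the article's first two "computers").
RAW_MESSAGE = b"""\
Received: from mx.recipient-isp.example (mx.recipient-isp.example [203.0.113.10])
\tby mail.recipient-corp.example with ESMTPS; Mon, 2 Jun 2014 10:03:02 +0000
Received: from smtp.sender-isp.example (smtp.sender-isp.example [198.51.100.5])
\tby mx.recipient-isp.example with ESMTPS; Mon, 2 Jun 2014 10:03:01 +0000
Received: from mail.sender-corp.example (mail.sender-corp.example [192.0.2.25])
\tby smtp.sender-isp.example with ESMTPS; Mon, 2 Jun 2014 10:03:00 +0000
Received: from alice-laptop.sender-corp.example ([192.0.2.77])
\tby mail.sender-corp.example with ESMTPSA; Mon, 2 Jun 2014 10:02:59 +0000
From: alice@sender-corp.example
To: bob@recipient-corp.example
Subject: Quarterly numbers

Attached as discussed.
"""

# "from <sending host> ... by <receiving host>" is the common shape of a
# Received: header; protocol, queue id and date are ignored here.
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.DOTALL)

def received_hops(raw: bytes) -> list[tuple[str, str]]:
    """Return (sending_host, receiving_host) pairs, oldest hop first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    # get_all() yields headers top-down (newest first); reverse for transit order.
    for header in reversed(msg.get_all("Received", [])):
        match = HOP_RE.search(str(header))
        if match:
            hops.append((match.group(1), match.group(2)))
    return hops

def servers_that_stored(raw: bytes) -> list[str]:
    """Distinct hosts that held a copy, in transit order. The recipient's own
    PC never appears: it fetches mail from the company server instead of
    relaying it, so it is the article's sixth copy on top of these five."""
    seen: list[str] = []
    for sending, receiving in received_hops(raw):
        for host in (sending, receiving):
            if host not in seen:
                seen.append(host)
    return seen
```

Running `servers_that_stored(RAW_MESSAGE)` on the sample yields five hosts, matching the article's count once the recipient's own computer is added; running it on a real message's raw source shows which servers actually held your copy.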

Time to raise the privacy and security bar


  • The newspaper headlines scream about data breaches at major companies such as Sony, Target and Home Depot. Thanks to Edward Snowden, we now know that the NSA is reading the information that we send over the Internet. Because of this publicity, everyone is becoming more educated about electronic security and privacy. As a result, electronically disseminating and storing information is now going to come under greater scrutiny. Furthermore, electronic privacy laws are getting much tougher. This is evidenced by the introduction of mandatory data breach notification and significant fines for non-compliance.
  • File sharing services are popular tools for sharing files with clients, and the privacy bar on these must be raised. We need to become proactive in establishing basic criteria to evaluate the security of file sharing service providers to ensure that confidential information is being safeguarded.
  • Has the provider ever suffered a data breach?
  • Does the provider have a “backdoor” for government agencies or others, including rogue internal employees of the provider who can unlock the sensitive data you have stored on their computers?
  • Does the provider mandate that every user is authenticated before accessing their service?
  • Is the provider American?
  • A company based in the USA is subject to the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (the USA PATRIOT Act). Accordingly, the United States Government can obtain access to any data stored on their computers, independent of where the company geographically locates its computer servers.
  • What is the provider’s data retention policy?
  • Backups of data mean that when you delete your data they are not 100% deleted as the data remain on the backup. Does the provider’s policy state that data will be deleted when you delete your account or when you delete a file? Non-deletion or deletion delay provides opportunities for a hacker to access your data. Instant deletion by the provider – when you specify it – is much to be preferred.
  • Has the provider had their security considerations reviewed by an independent expert?
  • Changing to a technology provider that emphasizes security will send a strong message that you care about electronic privacy and have taken steps to prevent a data breach.

The Myth of "Email Recall"


  • Have you ever sent an email to someone outside your organization, and wished you could ‘recall’ it?
  • Email has been popular since the mid-1990s. Despite the hundreds of thousands of Google hits to the phrase, “email is dead,” the medium continues to be a corporate necessity (Twitter and Facebook never killed email, nor will their social media progeny).
  • There are now many guidebooks and corporate policies about how to use email safely and efficiently. However, we still all make blundering, sometimes job-terminating, mistakes.
  • You will be familiar with the errors of the early days of email: remember that unblinded copy of confidential email addresses, and then someone (maybe you) hitting the ‘reply all’ button rather than ‘reply’? Or, more recently, clicking on a ‘phishing’ link in a suspicious-looking email with the subject line: “hot stock tip”?
  • But there is one email myth that persists – the myth of the “email recall”.
  • Email recall is possible only internally and, even then, only within organizations that have a specific type of email software installed on all their computers. In these rare situations, if you send a sensitive email to the wrong person inside your company, you can, indeed, ‘recall’ it.
  • Also, even if you have successfully recalled the email, the recipient is clearly informed that you have recalled a message sent to them. Further, as with almost all electronic records, a trail of the recalled email may live in perpetuity such that the organization’s Information Technology department can recover it and use it to reprimand you for the mistake.
  • What happens once the email has fled the computers of your organization, or ‘left the building’? It is gone, irrevocable, and it is not coming back no matter how much you tap on that ‘recall’ feature. Sometimes hitting ‘recall’ can make things worse. Why so? It may encourage people to read an email they would otherwise have passed over. Amid a deluge of spam and long corporate email strings all marked ‘urgent’, the subject line with the word, ‘recall’, will be the one opened first.
  • What can you do about your email mistake?
  • First, for sensitive communications, you can avoid email altogether. Telephones still exist. And no democratic government snoops on telephone calls without legal justification (despite what conspiracy theorists might tell you).
  • Where phone calls are not practical, you can use a secure cloud-based email service that has a recall feature, where the word recall actually means ‘recall’. You can ask the service provider to show you a series of demonstrations to prove it.
  • Unless you do the above, the best that you can do is to pick up the telephone and try to immediately reach the inadvertent recipient(s) and ask them to delete the offending email without reading it. Most will do so if they say they will. If you have sent the email to too many people or cannot immediately get hold of the recipients, try a polite and short email along the lines of:

      Re: My email mess-up. Please help me.

      I messed up. Please delete, without reading, the email that I just accidentally sent to you.

      Thank you.

  • Most people will just delete both emails and not reply. Others will reply courteously: “Don’t worry, I just deleted it.” Some will also send back a joke or recount how this once happened to them.
  • In the corporate world, people have always been judged by how they handle mistakes and recover from them, more than by the mistakes themselves – as long as they are not repeated.
