And The Award For Best Email Security Awareness Film of 2007 Goes To…

I’ve been seeing a ton of articles and blog postings for the “Best Security <Whatever> of 2007,” “Worst Security Exploits of 2007,” “Security Projections for 2008” and so on in the past few weeks.
Well, I’ve got my own “Best of” award to give for 2007!
None of the “best of” or “worst of” postings or articles that I have seen have covered information security and privacy awareness, even though most information security incidents and privacy breaches occur as a result of humans…human error, lack of knowledge or malicious intent.


There are certainly many ways to raise awareness to address this human security and privacy vulnerability and to help mitigate and lessen these incidents and breaches.
Many awareness-raising tools are freely available, and most personnel and customers have actually seen them in the movies, on the news, on TV and so on.
Information security and privacy pros just need to point out to their folks *HOW* these examples relate to their organizations and business!
So, my award for “The Best Email Security Awareness Film of 2007” goes to….<thhrrrddddddddddddd drum roll>
The “Back From Vacation” episode of “The Office” which aired on January 4, 2007.
In this episode, Michael, the office manager, was talking on the phone with a buddy of his, and while talking he wanted to quickly send a very revealing photo of him with his girlfriend during their recent vacation to Jamaica. However, in his haste he chose the email address next to his buddy’s in his email address book and accidentally sent the racy photo to all the personnel in his distribution center.
The buddy on the phone told Michael that he did not get the email, but within mere seconds the buddy said, “Oh, wait, I got it from someone else…they forwarded it to me.”
The email along with the photo ended up being widely distributed, with the photo being printed multiple times and even made into a huge poster that the folks in the distribution area hung on their wall.
There are some very good awareness-raising lessons within this episode that information security and privacy pros can point out to their personnel in an awareness or training event:
1) It is very easy to mistakenly send emails to unintended recipients; especially if you are in a hurry to get an email sent quickly. Everyone, even the most careful of folks, makes mistakes!
2) Once you send an email, your control over who gets it is completely gone. You basically cannot stop your recipient from forwarding your message to as many others as they want, and you will never know how many others actually received your message.
3) If you have sensitive or personal information you want to send via email, you need to encrypt it. If you do not encrypt attachments, such as the photo in this show, or the message contents themselves, then anyone who receives the message, or who is an administrator or otherwise has access to the mail servers where the email gets stored along the transmission path and at the final destination, will be able to see your message contents and attachments. And then they can basically do whatever they want…such as make a poster, post on the Internet, or whatever!
4) Once you send an email using most email systems, it is virtually impossible to ever get that email back and prevent the people in the TO: address line from getting it. An email “OOPS!” is not something you can “take back.” Look very, very carefully before hitting the <send> key when you are sending sensitive information within email messages.
5) One of the best ways to help guard against these types of mistakes is to strongly encrypt your message and attachments. Then, if unintended recipients get your message, they will not be able to see anything that makes sense to them.
Using such short films and TV shows that were not specifically created as awareness or training films not only makes your awareness event more interesting and entertaining, but also uses a medium everyone is familiar with to get across an important point and lesson about an information security and privacy topic.
Contact NBC to get information about showing this episode to your organization.
With any movie, TV program, news show, and so on, check with the station or producer to see if there are any restrictions on showing it to your personnel using a TiVo copy or other method.
Messaging via the Internet is being used more and more to send sensitive information. Even doctors are using email and instant messaging (IM) to send to and receive from patients personal information that, even if it is not legally considered personally identifiable information (PII), can still cause the people involved great embarrassment, or worse.
I recently discussed some of the major security issues involved with electronic messaging here and here that many otherwise talented professionals do not seem to be aware of, or poo-poo as not being concerns.
Don’t let an otherwise highly trained professional such as a doctor, lawyer, accountant, and so on, intimidate you or your personnel into sharing personal clear text images and information via electronic messages. If they try to say doing this is secure, they obviously know very little about information security, and don’t have your, or your personnel’s, best privacy and security interests in mind.
