Information Security Tips from Westfield Insurance

Back by popular demand, this "encore tip" is a reminder to be especially professional in your email communications. Please share this seasonal message with your co-workers. (This Tip was first run in October 2006.)

Halloween is a time for scary stories - tales of vampires and ghouls rising from the dead to terrify innocents - a time when things that you thought were dead and buried come back to haunt you.

Unfortunately, the analogy between badly written email and the undead is sometimes all too appropriate. A hasty word can return to haunt you long after you hit the send button and thought the conversation was over. Careers have been destroyed, money lost and relationships ruined when an email returned from beyond.

Americans have a bad habit of treating email very casually – as an extension of our last phone conversation or a continuation of the chat in the hallway. We assume that the message is private and that recipient will understand the context and correctly interpret our tone.

In fact, email is more like a postcard - anyone can read it while it's in transit^† and any of the recipients can save it, forward it or post it to the internet. Electronic copies can remain in archives and electronic message hubs all over the Internet – places that neither the sender nor the recipient can control. Emails can be subpoenaed and forced into the public record. You have no right of privacy in your email, either sent or received. When you write an email, you must assume that it will be read by an unknown and unforeseen audience.

That unknown audience will assume that you carefully crafted and wordsmithed your message (or, if not, that the hurried email is evidence of the writer's "real state of mind"). They will not believe that you were "just joking" and won't care that you were trying to dash off a quick note. They will interpret the tone according to their own preconceptions.

Always assume that anything you write will come out at the worst possible time and in the worst possible light. Be professional in your email. Include enough context that the unforeseen reader understands the message. Be personable yet professional in tone. (In particular, never use sarcasm in email.) Never write anything that you would be embarrassed to see on the front page of tomorrow's newspaper.

Remember, email can come back to haunt you.

^† Footnote: The comment that "anyone can read [your email] while it's in transit" is less true if you have email encryption with your business partners but your words can still be saved, forwarded or otherwise sent outside your control. Please don't assume that email encryption will protect you from sloppy wording.

If you have your own datacenter and have a dedicated IT staff that runs your own email system, you can skip this week's Tip. If you use webmail (such as Gmail, Hotmail or Yahoo mail) or if you use an email service (such as XO Communications or AppRiver), you are using hosted mail (that is, someone other than your own IT people has a copy of your email on their servers and manages your email for you) and you may need to think about how to keep your emails safe between your computer and the host.

Hosted mail can be a very useful service. It lets individuals and small companies buy top-quality email services without needing a full data center and 24 hour support staff. (Personal webmail accounts can also be useful for keeping personal and professional messages separate. See the 27 Jan 2007 Tip for more.)

However, hosted email adds a layer of complexity to your security arrangements. When your email system is completely in-house, you can trust your perimeter defenses to protect messages from one employee to another even if the message itself is not encrypted. When you use hosted email, the message is leaving your perimeter before it gets back to your co-worker. Since standard email is not encrypted, that message could be intercepted and read by basically anyone during that period while it's outside your perimeter.

The same applies when emailing outsiders. More and more companies are implementing secure email in order to protect messages with confidential content. Many of those systems use Transport Layer Security (TLS) which scrambles the message while it's moving from the sender's email system to the recipient's email server but does not protect the message between the recipient's email server and his/her desktop. That leg is a responsibility of the recipient.

While it is dangerous to generalize from just a few examples, all the email services that I've talked to have some way to secure that last mile from their email server to your desktop. XO Communications, for example, has detailed instructions on their webpage explaining the settings and port numbers that you have to set up on each desktop in order to connect to them securely. AppRiver has instructions for how to use the capabilities built into MS Outlook to protect the connection.

Unfortunately, the connection for the users of webmail is harder to make secure. Gmail claims on their website that encryption is available but a number of requests for help on their discussion groups have gone unanswered. Yahoo has yet to return our request for information.

If you can set up that last mile securely, you need to do so. If you can't, be very sure that you do not use email to send or receive any confidential information such as SSNs or Drivers License numbers.

This article was originally published in the Jul/Aug 2007 edition of The Agent Newsline, a publication of Westfield Insurance.

Are personal e-mail accounts acceptable for work? What are the advantages and disadvantages to your agency? The lines between personal and professional life often become increasingly blurring. One of the advantages of allowing personal use can be that a few minutes to check e-mail during a lunch break can help staff feel connected and productive for the rest of the day.

Keeping personal e-mail accounts separate from work e-mail accounts can have some real advantages for your agency.

• First, it helps to keep business and personal issues separate. Work is completed on the employee's official e-mail account, and they can talk to family and do their Internet shopping via the personal account.
• Second, it keeps a lot of the spam messages out of your agency e-mail box. Spammers can find you in lots of different ways but some of the most common involve scanning internet chats and shopping sites for e-mail addresses. If you use a work e-mail address and the spammers find you, they can rapidly invest the account - and you can't easily change it because that's were customers expect to find you. In addition, if you use one of the free web-based services like Hotmail or Yahoo and the spam gets too bad, you can always abandon the account and open a new account.
• Third, if set up correctly, it's portable. When you're no longer an active employee, you will lose the companyprovided e-mail address. A personal address provides continuity during your transition. If you use one of the web-based services, you're not even dependent on your personal Internet service provider.

Here are a few things to keep in mind.

• A good rule of thumb to follow is to not allow use of a personal e-mail account for work-related communication. Customers and coworkers expect us to communicate through a consistent channel. In these days of spam and e-mail spoofing, messages from any address other than your regular domain will be met with justifiable suspicion.
• Make sure that you tell employees that you retain the right to monitor personal e-mail if they check it on a work computer. Employees have no right to an expectation of privacy in anything they do on a work computer or system.
• Remind them that if they're on your work computer, all the normal rules about professionalism and appropriate use still apply, even though it's their "personal" account.

All sorts of problems come with an e-mail box that gets too large. Bloated e-mail boxes are a technological and administrative headache. Self-discipline over the size of files that we store or that we attach to e-mail is part of good discipline and e-mail courtesy.

One technique for controlling the size of files is to use lower-resolution graphics wherever possible. For most uses, the lower resolution version looks the same on the page even though it takes one-tenth or even one-hundredth the space. Your communications team should have low-resolution versions of all your logos and graphics. These should be used for all e-mails and internal documents such as meeting minutes and presentations. Make sure your staff know where to find the approved versions of all your official graphics.

A second technique is to scrupulously avoid attaching unnecessary graphics to your e-mail in the first place. Graphics in your signature block are specifically discouraged. While some people think that they add a "personal" feel to the message, they go out on every e-mail, bloating both your and your readers' e-mail boxes. Furthermore, they often fail to display correctly, especially if the message recipient uses a different e-mail program than you do, and frequently cause the message to get trapped in the recipient's spam or virus filters. Keep graphics to an absolute minimum in e-mail.

Many people keep a personal email account separate from their work email address. I recommend this practice for several reasons.

First, it helps to keep business and personal issues separate.

Second, it keeps a lot of the spam messages out of your work email box. If you use one of the free web-based services like Hotmail or Yahoo, you can abandon the account and open a new account when the spam gets too bad. If the spammers infest your work account, you're stuck.

Third, if you set it up right, it's portable. Few people are lucky enough to work at one company for their entire career and all of us hope to retire someday. When you're no longer an active employee, you lose the company-provided email address. A personal address provides continuity during your transition. If you use one of the free web-based services, you're not even dependent on your personal Internet Service Provider. You can switch from AOL to RoadRunner and back without ever making your family and friends change their address books.

There are a few things you should remember about your personal email account, though.

• Never use your personal email account for work. Customers and coworkers expect us to communicate through a consistent channel. In these days of spam and email spoofing, messages from any address other than your official work address will be met with justifiable suspicion.
• In almost all situations, your company does have the right to monitor your personal email if you check it on a work computer (and in some situations, is obligated to do so). If you're on your work computer, all the normal rules about professionalism and appropriate use still apply.

Think of e-mail as a postcard. The postcard will get to its destination, but any postman along the route can read it.

When you send an e-mail message, you are sending a text file that contains routing information - From, To, Date, Subject - and your message. When you hit "Send," the file is moved to your e-mail server and then transmitted to an Internet mail router where the file "asks directions" to the destination. The router compares the mail destination to a list of locations and sends the message to the next available router until the message finally finds the recipient’s e-mail server. While this is happening, your e-mail can be read by anyone with access to one of the servers your e-mail passed through.

The only way you can secure an e-mail message is to encrypt the body of the message. Encryption is a way of scrambling the contents on your "postcard" in a way that your recipient can decode but that no one else can figure out. Encryption has to be set up ahead of time, though. You and the recipient have to have the same "code-book" or you won’t be able to decode each other’s messages.

Unless you are using strong encryption, you should always assume that your messages can be read by an outsider, and avoid sending sensitive or confidential information in an e-mail message.

This article was originally published in the Apr/May 2006 edition of The Agent Newsline, a publication of Westfield Insurance.

As e-mail continues to soar in popularity, be careful what you write. Working in information security, I've seen how e-mails can come back to haunt you - see the sidebar for some specific court cases. Here are some guidelines and suggestions to help you draft your next e-mail.

There is no right of privacy in e-mail

When reading e-mail, outsiders assume that e-mails are written with the same care and attention as written momoranda or that the "casual" e-mail reflects what the writer really thinks about the situation.

The new buzzword is "eDiscovery." It means that plaintiffs in court cases have the right to examine and request copies of all electronic communications to or from a person or agency. E-mail is often introduced as a key exhibit in trials on corporate misconduct. The costs incurred by companies to meet discovery requests can go into the millioins of dollars. Even if the e-mails are not directly relevant to the case at hand, discovery requests move the e-mails into the public record, which means they can be used for future lawsuits (potentially class-action) and other discovery requests.

E-mail is a formal business communication

Electronic communication, because of its speed and reach, is fundamentally different from paper-based communication. In a paper document, it is essential to make everything clear and unambiguous because your audience may not have a chance to ask for clarification. With e-mail, your recipient can ask questions immediately. Like conversational speech, e-mail tends to be sloppier than communications on paper.

We forget that e-mail does not convey emotions nearly as well as face-to-face or even telephone conversations. we assume that the context is understood. Your client may have difficulty telling if you are serious or kidding, happy or sad, frustrated or euphoric. Sarcasm, in particular, is very dangerous to use in e-mail.

The spoken word fades - e-mail is eternal

E-mail can come back to haunt you years after you sent the message. Once you hit the send button, you no longer control the messate. It cannot be called back and cannot be deleted. You can delete your copy but you can never be sure that the recipients have destroyed theirs. They can save it or forward it to anyone they want, whether you approve or not.

Remember also that electronic copies of the message can remain in archives and electronic message hubs all over the Internet - places that neither the sender nor the recipient can control. E-mail is like a postcard in that everyone watching the flow of mail can read your message.

E-mail etiquette: Rules to live by

Before you e-mail a prospective customer or existing policyholder, consider the following rules of thumb:

• Be fact-based and professional.
• Write for unintended and unforeseen readers.
• Assume that your words will be taken out of context.
• Write as if the document will never be destroyed.
• Always assume that somebody has a copy of your e-mail and that it will come out at the worst possible time and in the worst possible light.
• Never write something in an e-mail that you would not ordinarily include in a memorandum. If you would be embarrassed to discuss it with a stranger, you should probably rethink the message.

The e-mail rules listed above also apply to instant messaging and voicemails. Soem conversations are just best handled in person.

Examples of E-mail Troubles

• In American Home Products Fen-Phen litigation, lawyers found one message (among 33 million messages) from a disgruntled worker who wrote "Do I have to look forward to spending my waning years writing checks to fat people worried about a silly lung problem?" Though the information did not relate to the company's policies, this was considered enough to sugest a pattern of behavior and contributed to a settlement of $3.75 billion.
• In the Zubulake case, when the company could not produce backup tapes containing relevant e-mails and other documents in a timely manner, the judge instructed the jury to infer that the company was hiding something, resulting in a $29 million award.
• Morgan Stanley was ordered to pay $1.4 billion in connection with a stock sale to Sunbeam because they failed to preserve e-mails for the 24 months required by the SEC, failed to disclose the presence of backup tapes, and failed to adequately search archived emails and attachments.
• In a life insurance company case, the IT department was not informed of a litigation hold and continued to destroy electronic records on its own retention schedule, resulting in a $1 million penalty and a court order to deploy a multi-million dollar records management program.