It's fairly standard practice to limit your internal distribution groups to only accept mail from internal users. However, I'm curious what standards others have in place with regards to adding external addresses as members of an internal distribution group?
We have clients (some who are competitors) and there is concern that an internal user messaging a distribution group may not realize that message is going outside the organization. I think that's a reasonable concern and a user wishing to send an email should affirmatively select the external address (in addition to the internal group) if desired.
What do you do? And have you had challenges or push-back from users for your policies?
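The check a mail admin would run to find the groups this thread is worried about, added here as an example (it is not from any poster in the thread). It assumes an already-connected Exchange Server or Exchange Online PowerShell session, and the list of internal domains is a constructed placeholder.

```powershell
# Constructed placeholder: replace with the SMTP domains you treat as internal.
$internalDomains = @('example.com', 'corp.example.com')

$findings = foreach ($group in Get-DistributionGroup -ResultSize Unlimited) {
    $members = Get-DistributionGroupMember -Identity $group.Identity -ResultSize Unlimited

    # Mail contacts and mail users are the usual way an outside address becomes a member;
    # also flag any member whose primary SMTP domain is not one of ours.
    $external = $members | Where-Object {
        ($_.RecipientTypeDetails -in 'MailContact', 'MailUser') -or
        ($_.PrimarySmtpAddress -and
         ($_.PrimarySmtpAddress.ToString().Split('@')[-1] -notin $internalDomains))
    }

    # RequireSenderAuthenticationEnabled = $false means anyone on the internet can post to the group.
    if ($external -or -not $group.RequireSenderAuthenticationEnabled) {
        [pscustomobject]@{
            Group                = $group.PrimarySmtpAddress.ToString()
            AcceptsExternalMail  = -not $group.RequireSenderAuthenticationEnabled
            ExternalMemberCount  = @($external).Count
            ExternalMembers      = (@($external) | ForEach-Object { $_.PrimarySmtpAddress.ToString() }) -join '; '
        }
    }
}

$findings | Sort-Object Group | Format-Table -AutoSize
```

Nested groups are listed as a single member rather than expanded, so run the same check against any group that appears as a member if you want the full picture.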
I think if it has external users added to it, it isn't an internal distribution group anymore, and should be marked as such. Perhaps the internal distro should be BCC to protect it from casual viewing.
Usual pushback on email is 'it's too hard...' Well, if the message shouldn't go outside, well it shouldn't go outside and anyone who can't understand that probably shouldn't be allowed to have email.
Of course mistakes happen... Moreover, others' mistakes can help with push back:
'The email was sent from Sir Jon's secretary to four senior executives at the Bank - Iain de Weymarn, Governor Mark Carney's private secretary; Nicola Anderson, head of risk assessment in the financial stability department; Phil Evans, director of the international division; and Jenny Scott, executive director communications. However, it was also accidentally forwarded to an editor at The Guardian...
...Jon’s proposal, which he has asked me to highlight to you, is that no email is sent to James’s team or more broadly around the Bank about the project.
“James can tell his team that he is working on a short-term project on European economics in International [division] which will last a couple of months. This will be in-depth work on a broad range of European economic issues. Ideally he would then say no more.”
Technologies like DLP, DRM, tagging, encryption probably all have a part to play on top of the common sense approach, and can provide safety rails, but nothing beats thinking about what you send.
@kesmit wrote:
We have clients (some who are competitors) and there is concern that an internal user messaging a distribution group may not realize that message is going outside the organization.
But you can also have a similar problem with internal users. Someone sending sensitive info to a wider group than intended/necessary. Also, while on one hand forcing someone to select the external user makes it a more conscious step, you now have to worry that they will select the wrong external user. At least if the external user is part of the group, no one has to remember/type his or her address. The other thing to be concerned about is that distribution groups sometimes morph into security groups over time. I'd lean toward no external addresses primarily for that reason.
@Early_Adopter wrote:
Technologies like DLP, DRM, tagging, encryption probably all have a part to play on top of the common sense approach, and can provide safety rails, but nothing beats thinking about what you send.
Yes, bottom line is this is a user behavior/security awareness issue. Even with things like DRM and encryption, users will do careless things - forward something unencrypted or screenshot it in the case of DRM.