Re: How does your org communicate through email?

ericgeater · ‎03-20-2024

This question pertains to the risks of email safety. How does your org communicate new information to all employees, safely and responsibly? If an all-user email is sent, it can communicate in several ways:

1. The email contains all the information, or
2. The email might include a link to "read more about...", or
3. It can instruct people to visit a corporate news page.

For #1, there are times when the email cannot be the entirety of what must be communicated.

For #2, Security Awareness Training teaches us that links should not be trusted.

For #3, there's equally a valid concern that employees may misuse their browsers in an attempt to locate the corporate communication page.

So how does your org create effective, safe internal communication?

-----------
A claim is as good as its veracity.

Caute_cautim · ‎03-20-2024

@ericgeater Hi Eric, well my own uses e-mail, but splits into two categories, internal and external. External always contains a message or button indicating it came from an external source, and may not be trusted. If you suspect it is suspicious hit this button etc - which then branches off to corporate security to investigate etc.

Internal links are normally associated with training links, or blogs internally created etc.

Often e-mail is not actually, used - internal messaging systems are used i.e. Slack for instance. Which can provide immediate communications, huddles etc and leaves a message.

If they really want you they will use a conferencing system and bring you to a meeting etc.

In terms of security awareness, there is always mandated annual training for all, no one can bypass this.

Regards

Caute_Cautim

denbesten · ‎03-20-2024

We source a daily email to all account holders from a well-known internal email address. Each "article" includes a summary in the email and a link to our internal company web server, which uses SSO to generally avoid an authentication prompt and so the webserver does not have the opportunity to harvest creds. The web server also features a copy of the email (but less abbreviated), so users can always read from their browser if they become suspicious.

We also have configured our email environment to "flag" external emails and to disallow anyone to send us a message that appears to have been "from" our domain, but did not originate from our email server (this p*sses off some SAAS providers because they must use a separate domain (e.g. support@support.contoso.com instead of our corporate domain - support@contoso.com ).

Awareness training should not be to "not trust links", but rather to not blindly trust them and to share a few strategies for measuring trustworthiness. Part of that is training internal communications to not do suspicious things (e.g. external links in email) and part is training users that the links should align with the sender of the email and one's expectatons. Another part is training users to only enter their AD credentials on the company SSO page.

Steve-Wilme · ‎03-21-2024

We've implemented SPF, DKIM, DMARC and BIMI for external email.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS

JoePete · ‎03-22-2024

@ericgeater wrote:
How does your org communicate through email?

Very poorly 🙂

I have a hand in a couple of different organizations still, and I have to say this is a wall that has been bloodied by my forehead over the years.

One of them sends all email through a web-based interface to a third party provider, who itself, uses SendGrid. As such, all links get rewritten to enable tracking etc. even though doing spawns phishing warnings on everyone's mail client.

Another uses GMail. True story, the new CEO (a self professed "tech guy") recently did the prototypical "reply all" faux pas, where he criticized a member of senior management. I'm glad to have nine toes out the door with these folks, but it shows the issue is not the tool being used but the tool using it.

By policy, I am opposed to HTML email. I acknowledge there may be some limited, internal cases, but I do believe the path to true email enlightenment lies in plaintext.

Along those lines, I'm not worried about links in an email if someone is reading in plaintext (so that the URL is clear) and they are using a real email client (not something that will automatically execute code or launch an application). I realize that is a different kettle of fish (or phish?) but content is the minor half of the problem. It is what your client (and your OS) does with it.

As I have said though, after 30 years or so of trying, I have had very little success in getting people to give up their HTML or adopt good email clients. In that regard, I am a case study in what doesn't work than what does.

Steve-Wilme · ‎03-25-2024

Plain text email is very underrated.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS

ericgeater · ‎03-25-2024

don't get me started on people who reply in emojis, either, @Steve-Wilme.

A friend who trains clergy has said in the past, "Speakers are responsible not only for what they say, but for what people hear. It's the speaker's job to make sure people hear what the speaker wants them to hear. You can't blame the listeners for hearing you wrong."

I think about that a lot. Which means I try to couple that idea with the often-attributed quote by Albert Einstein about effective communication: "If you can't explain it simply then you don't understand it well enough."

And that's why I wanted to ask about this topic. Any org with an en masse internal communication strategy should:

deliver a succinct message
include a repeatable, familiar method to learn more about the subject
bring no risk, confusion or harm to the organization

-----------
A claim is as good as its veracity.

JoePete · ‎03-25-2024

@ericgeater wrote:
You can't blame the listeners for hearing you wrong.

I think there is a lot of wisdom to this, but I also think leadership (board and management) sometimes worries so much about how to say something that they simply choose not to say it. Absent information, people fill in the blanks. However, leadership sometimes thinks that if it says nothing, then it won't be a story. Or at most, all it needs to do is put out a press release or some notice. Communication is a two-way street. Dialog is the crux of communication. By listening, processing, and responding, you have that ability control how the other side hears your message. Very rarely does that message completely land as intended on the entirety of its audience on the first try. You need that dialog and follow-up.

While this moves us slightly off topic, to bring it back to security, so much of our job does get to communication. I think of the John Podesta phishing. He received a suspicious email and (supposedly) reached out to the "IT guy" who responded that it appeared "legitimate," erroneously omitting the "il" in front of the word. Why didn't Podesta just walk down the hall? Why didn't the other guy say "It's a scam!" etc. Good security relies on good communication.

Steve-Wilme · ‎03-26-2024

@ericgeater Funny you should say that. I write a lot of my emails in notepad, then think about if they are clear, say only what they need to and are likely to get the result required. I might send them later, but often I don't and just delete the notepad file. Often saying nothing at all is just as equally effective.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS