Publishing your email address isn't a security disaster
Posted on 30 Apr 2012 at 11:25
Davey Winder says businesses have no good reason to hide their email addresses online
Every now and then, some well-meaning but completely bonkers advice comes my way from a most unlikely source.
I wasn’t too amazed when an elderly relative of mine expressed surprise that his PC was heavily infected despite the installation of internet security software years ago. It didn’t particularly faze me to discover a man who thought he knew everything there was to know about computers, but who didn’t realise that you have to pay your annual subscription fee to continue receiving threat protection database updates.
I was fazed, though, when an IT security vendor seemed to be suggesting that a business that publicly reveals its email address is somehow compromising data security and putting itself at risk. I understand that risk is relative, and an exposed business email address creates a corporate data security risk – from social engineers, phishers, hackers and cybercriminals – than if no such email contact points were disclosed.
The cherry on top of this farrago of nonsense was the advice to employers to discourage staff from sharing email addresses on Twitter
However, I also understand that the dictionary definition of an address is a place where a person or organisation can be found or communicated with, and that’s just as true of a street or an email address. The point of having a business email address is to enable people, including potential as well as existing customers, to get in touch with you, and there’s no point having one at all if you don’t let anyone know what it is.
So what on Earth were the folk over at the Websense Security Labs on about when they informed me that “thousands of businesses and consumers are putting themselves at risk each day by publicly revealing their email addresses on Twitter”, and which went on to argue that because those addresses are “connected with their inboxes, social media identities and bank accounts”, it leaves these business users exposed to the potential for “advanced social spear phishing attacks”. The cherry on top of this farrago of nonsense was the advice to employers to “re-evaluate acceptable use policies to discourage staff from sharing email addresses on Twitter”.
To be honest, I think that in this particular case the security vendor was well intentioned, but perhaps got a little carried away while preparing its email security risk message. Yes, indeed, there are people out there with bad intentions, who target business users on social networks in order to infiltrate their systems using an old social-engineering strategy known colloquially among security types as “spear phishing”. It’s so called because such an attack is focused upon an individual within a specific department, rather than adopting a scattergun approach to the problem of how to get a RAT (remote access trojan) or similar piece of malware installed within the corporate network security perimeter.
By concentrating upon a vulnerable individual, especially one who is active on Twitter or Facebook, it’s possible to build up an accurate profile of that person both personally and, most importantly, professionally. Assuming the targeted person hasn’t opted to make their information available to only friends, for example, it’s all too easy to quickly scan through their friends list and, after putting in a bit of graft, compile a dossier of work colleagues and customers.
Link this information to conversations posted to the target’s wall on Facebook, and that previously mentioned business email address, and the bad guys have the ammunition required to impersonate someone already known to that employee. Exploiting this basis of trust allows the attackers to then attach an “important document” or a link to something they may be interested in, and by so doing solicit the vital click that installs malware.
So, yes, I can see where the Websense chaps were coming from, but I’m afraid that it all sounds a little bit too Chicken Little for me. The sky will not fall in if you post your business email address on Facebook, and acceptable use policies shouldn’t be altered to make doing so a hanging offence. Especially since it’s oh-so-easy to guess specific email addresses, given the standard address format used by just about every company, which is going to use one of only two or three formats.
Tracking down which is used is only a matter of visiting the company’s website and taking a quick look at the “about us” page, or the list of contact options for the directors or sales executives.
You can attract loads of spam and / or have your email address hijacked and used by spammers if you publish it in a machine readable form on your website though.
I regularly found my inbox full of 'undeliverable message' messages until I hid my address behind a third-party contact form.
By Pantagoon on 30 Apr 2012
Well the less I say about websense the better as from our dealings with them they have been found wanting in many areas.
But back to the matter at hand I have to agree and I think the websense guys may have this a bit muddled.
It's good sense to not publish the emails of individual employees but it's perfectly desirable to publish a public company email like info@ or sales@ as these are valid contact methods that people need to know about but these types of emails don't need to have any specific network accounts/privileges or indeed be used with relation to banking or for social media or any other external or sensitive accounts.
Indeed good policy would be to have different specific email addresses for non public use. This way you can be more secure and still be contactable.
It all down to some common sense. I really wish more advisers would stop making dumbed down general type recommendations and start educating people properly.
And people need to stop expecting all advise to be very short and stupidly simple. It shouldn't be overly complicated either but it's just a matter of people being willing to learn a little.
You should be able to say something like, "We advise that while it's ok to put public facing email addresses out there, for your business security you shouldn't use any of these email addresses for sensitive things."
By koshthetrekkie on 30 Apr 2012
By Jodys on 1 May 2012
Davey is a contributing editor to PC Pro, having covered the internet as a topic since the magazine started in 1994. Since that time he's won numerous awards for his journalism, but remains a small-business consultant specialising in privacy, security and usability issues.
- 10 ways to make your business more secure
- Top five VoIP mistakes
- How to add in-app purchasing to an iPhone, Android or Windows app
- Remote-control ransomware: TeamViewer and software hardball
- Why laptops with serial ports matter to the Internet of Things
- Make your mobile battery last longer
- Small steps into handling Big Data
- Nexus 5: does it really run stock Android?
- How to get broadband to a garden office
- How to write your company's IT security policy
- 20 years of PC Pro: our greatest review mistakes
- 20 years of PC Pro: our first A-List
- Wikipedia's "right to be forgotten" protest hits the wrong note
- 3D printing hits the high street for plastic selfies
- 20 years of PC Pro: What amazed us in our first issue
- How Google Glass ruined my lunch hour
- Smartphone battery packs: can a USB power pack beat the festival battery blues?
- Windows Easy Transfer – not so "easy" in Windows 8.1
- Formula 1: what a difference virtualisation makes
- Office of the future: comfy chairs and tablets everywhere
- Microsoft yanks Windows 8.1 update after crash reports
- Microsoft backtracks on blocking out-of-date Java
- Gartner: time to start planning your Windows 7 upgrade
- Still on IE8? You've got 18 months to upgrade
- Who's buying Chromebooks? American schools
- Microsoft targets Windows in next Patch Tuesday
- Microsoft to block old ActiveX controls in security push
- Samsung and Apple call off all legal disputes, except in the US
- Microsoft ordered to hand over European data
- Will the next Windows 8.1 update arrive next month?