I think that I communicate with my colleagues almost as much via email as through verbal communications – even those I share an office with. In fact, probably about a third of the verbal communications are social interaction rather than direct business discussion. In email, however, most of the communication with my colleagues contains business information, sometimes including large attachments containing sensitive strategic plans. And unlike a verbal conversation which is lost to the ether, email endures. So, while talking about business plans outside the office where someone might overhear has some risk to the company, sending an email to the wrong recipient can be significantly more damaging. Yet, organizations are still not protecting themselves from these accidental breaches.
As a case in point I offer you this example from the National Football League (NFL). It is reported that on July 1st, the New Orleans Saints intended to send an email to the NFL head office regarding their plans to pick up a player who was just put on waivers (released) by the Cleveland Browns. The email, however, was accidentally addressed to the entire league. In other words, they broadcast their plan to all of their competition.
Player management is at the core of a professional sports team’s success – how could this happen? Well, it could have been that the staff for the Saints replied to an email from head office that had the other teams in the ‘CC’ field. Or, maybe the autocomplete email address feature made it easy for staff to accidentally select the wrong distribution list (e.g. “NFL Office” vs. “NFL Other Teams”). Either way, an email error struck the Saints, just as such errors strike other organizations more often than they should.
But with a little help from TITUS, the Saints and other organizations can prevent these errors and quash the insider threat that is the accidental email.
While TITUS is known as a data identification and classification vendor, our policy engine for preventing data leaks is very powerful and customizable. Below are a few policies I would create to help the New Orleans Saints, and the first three would not even require classification.
Policy 1: If a user is sending an email addressed to 10 or more competitors, pop up an alert before the email is sent warning the user that they are sending information to the competition, so they had better be sure it is appropriate to do so.
Policy 2: Similarly, and even though the email was not leaked to the press, NFL teams do correspond with the press frequently. Telling the media is as good as telling your competition. Therefore, if an email contains the address of one or more sports reporters, pop up an alert warning the user of the risks before the email is sent.
Policy 3: If the user is sending an email to press agents from the Public Relations department, do not trigger Policy 2.
Policy 4: Force the users to classify their email. A simple schema of “Public, Internal, Confidential, and Restricted” would work just fine. The Confidential classification could include the sub-classifications “League Office” and “League Teams”. When an email is classified as “Confidential: League Office” it would be impossible to send the email if it contained the email address of anyone that is not identified as a league office employee.
Policy 5: While most correspondence with the NFL League Office could be protected sufficiently with Policy 4, there may be a team policy that says all player transaction information should be classified as “Restricted.” If the user selects the “Restricted” classification, and the recipient(s) are in the League Office, the email would automatically be encrypted before it is sent.
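The five policies above expressed as a single pre-send check, as an added example that is not TITUS code or configuration. The addresses, department names and the `evaluate` function are constructed for illustration, and Policy 3 is read here as exempting senders in the Public Relations department.

```python
from dataclasses import dataclass

# Constructed directory data for illustration (not from the original post).
COMPETITORS = {f"gm@team{i}.example" for i in range(1, 32)}
REPORTERS = {"beat.writer@sportsnews.example"}
LEAGUE_OFFICE = {"waivers@leagueoffice.example", "ops@leagueoffice.example"}
LEVELS = {"Public", "Internal", "Confidential", "Restricted"}  # Policy 4 schema
COMPETITOR_THRESHOLD = 10  # Policy 1: "10 or more" competitor addresses


@dataclass
class Email:
    sender_dept: str
    recipients: list
    classification: str = ""
    sub_classification: str = ""


def evaluate(msg):
    """Return (action, warnings); action is 'block', 'encrypt' or 'send'."""
    rcpts = {r.strip().lower() for r in msg.recipients}
    # Policy 4: the user must classify the email before it can leave.
    if msg.classification not in LEVELS:
        return "block", ["classification required"]
    # Policy 4: "Confidential: League Office" may only go to the league office.
    if (msg.classification, msg.sub_classification) == ("Confidential", "League Office"):
        outside = rcpts - LEAGUE_OFFICE
        if outside:
            return "block", [f"{len(outside)} recipient(s) outside the League Office"]
    warnings = []
    # Policy 1: alert when 10 or more competitor addresses are present.
    hits = len(rcpts & COMPETITORS)
    if hits >= COMPETITOR_THRESHOLD:
        warnings.append(f"{hits} competitor addresses on this email")
    # Policy 2, with the Policy 3 exception for Public Relations senders.
    if rcpts & REPORTERS and msg.sender_dept != "Public Relations":
        warnings.append("recipient list includes a sports reporter")
    # Policy 5: Restricted mail going only to the League Office is encrypted.
    # The post does not say what happens to Restricted mail sent elsewhere.
    if msg.classification == "Restricted" and rcpts and rcpts <= LEAGUE_OFFICE:
        return "encrypt", warnings
    return "send", warnings
```

A message classified "Confidential: League Office" but addressed to the league office plus every other team, as in the Saints incident, returns `block` here instead of being delivered.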
I have left out many other policies that could be enacted, such as those that address email attachments, but had the New Orleans Saints staff been using TITUS and these email policies, they would not have accidentally revealed their player strategy to their competition. So, what are you doing to protect your sensitive information from being leaked via email?
* The Chicago Bears had waiver selection priority over the New Orleans Saints, meaning the Bears may have wanted to select the same player anyway. The Saints’ email blunder may not have changed the outcome but it was still an embarrassing data leak.