My email address is [CENSORED]
By Davey Winder
How public should your email be? That's a question many of us do not really think about, especially within the world of business.
After all, your email address is really no different to your street address, is it? The closest dictionary to hand on the iPad I am writing this on (WordWeb if you are interested in such things) confirms my understanding that an address is defined as "the place where a person or organisation can be found or communicated with," be that a geographic location or something non-corporeal such as a web or mail server that exists in the cloud.
The point being that an address, be it office, web or email, exists to enable your customers to contact you. So why is one security vendor warning business users that revealing their email addresses is a security risk?
Here's what Websense Security Labs has to say on the matter after conducting research into the number of email addresses appearing on Twitter: "Thousands of businesses and consumers are putting themselves at risk each day by publicly revealing their email addresses on Twitter." The company goes on to argue that because those addresses are "connected with their inboxes, social media identities and bank accounts" it leaves business users exposed to "advanced social spear phishing attacks."
Carl Leonard from the Websense Security Labs goes as far as to warn businesses using social media to communicate with customers that they "need to consider ways to ensure that employees are protected from these new threats." Furthermore, employers should "re-evaluate acceptable use policies to discourage staff from sharing email addresses on Twitter." Now that, it seems to me, is something of a backwards approach to the phishing problem.
To suggest that acceptable use policies need updating to make placing already-public email addresses on social media some kind of hanging offence is, frankly, daft. The warning that cyber criminals could use the addresses, together with associated information harvestable from public services, to launch spear phishing attacks is perfectly valid, but the conclusion is all wrong. What business should be doing, I would suggest, is ensure employees are sufficiently aware of the risk of clicking on unsolicited links - an action that has led to many a successful phishing attack.
Websense
Would this be the same Websense that has baffled our IT department by blocking legitimate sites on our intranet? In the most recent example, I was unable to access our internal job vacancy site on the basis that it was, "a Job Search site". Surely that is the point of it?
Based on the above article, perhaps Websense's mission in life is to manage risk by stopping all online activity?
By The_Running_Tenor on Tuesday Jan 24
Sense?
Back to the fax
By cping500 on Tuesday Jan 24
Tight Security or not so tight?
Security is a two-edged sword.
The more information that is allowed to leak out causes the majority of security concerns.
Most clubs and officials want, I believe unnecessarily, to know every detail of a business or individual.
This is one of the downfalls to openness on Facebook et al and a diminishing attitude to privacy.
Almost everyone has a front door and conventional mail box so communication can be fulfilled.
We believe these to be very secure only because they are adequate under normal security threat.
Putting extra locks on these (for example) so mail threats can not be delivered impedes all incoming mail.
A Post Office Box might be deemed suitable but is not a flawless solution and may even exacerbate security risks.
Without communication a business or person may miss important information that directly affects them. Using Facebook et al in a candid manner may promote business to responsive clients.
Most large businesses have gates as a perimeter guard, and email should be no exception with a firewall. However, if customers or consumers cannot communicate requirements or problems, they will exodus to other companies who do provide these services. Therefore training should be afforded to those receiving and processing data about possible threats and to be aware that they may come from unexpected quarters.
Offshore Staff selling customer bank details and insider espionage are prime examples.
As the internet proves time after time, security breaches to computers connected to the internet have serious security risk. I believe a secure internal computer should NOT be attached to the internet if it is at all possible for the protection of data.
You then have at least one backup that may save your business from collapse if everything goes legs up.
By Lenmontieth on Tuesday Jan 24
Make it easy for customers
Particularly in a down economy, making it harder for customers to find ways to get in touch with you makes no sense. Spam filters are good enough to ensure that you don't get bombarded with too much spam. Make it as easy for customers and you'll benefit in the long run.
By WisdomMountain on Tuesday Jan 24
So..
Davey - what is your email address again?
Or do you limit who has your email address to prevent spam etc. as well as limit how many emails you receive directly through readers rather than them use discussion channels like this or generic Info@..., sales@..., enquiries@... addresses?
Yes, Websense have gone too far, but limiting exposure of individual addresses should be looked at in terms of a general communication policy.
By CoxJul on Tuesday Jan 31
Awareness of harvesting is poor.
It isn't necessary to keep your address secret, just to avoid (stupidly) exposing it to passing robots.
Main issue here is the sheer lack of awareness of address harvesting by the business community. And, I have to add, the web design profession.
That, and Web standards don't exactly help when they advocate the use of insecure mailto: links in HTML. It's time the standards were brought out of the naive '90s and made suitably secure for the bot-infested Web of today.
By Enthiran on Friday Feb 3