My email address is [CENSORED]
In this week's column, Davey Winder looks at whether businesses should keep email addresses secret.
How public should your email be? That's a question many of us do not really think about, especially within the world of business.
After all, your email address is really no different to your street address, is it? The closest dictionary to hand on the iPad I am writing this on (WordWeb if you are interested in such things) confirms my understanding that an address is defined as "the place where a person or organisation can be found or communicated with," be that a geographic location or something non-corporeal such as a web or mail server that exists in the cloud.
The point being that an address, be it office, web or email, exists to enable your customers to contact you. So why is one security vendor warning business users that revealing their email addresses is a security risk?
Now that, it seems to me, is something on a backwards approach to the phishing problem.
Here's what Websense Security Labs has to say on the matter after conducting research into the number of email addresses appearing on Twitter: "Thousands of businesses and consumers are putting themselves at risk each day by publicly revealing their email addresses on Twitter." The company goes on to argue that because those addresses are "connected with their inboxes, social media identities and bank accounts" it leaves business users exposed to "advanced social spear phishing attacks."
Carl Leonard from the Websense Security Labs goes as far as to warn businesses using social media to communicate with customers that they "need to consider ways to ensure that employees are protected from these new threats." Furthermore, employers should "re-evaluate acceptable use policies to discourage staff from sharing email addresses on Twitter." Now that, it seems to me, is something on a backwards approach to the phishing problem.
To suggest that acceptable use policies need updating to make placing already-public email addresses on social media some kind of hanging offence is, frankly, daft. The warning that cyber criminals could use the addresses, together with associated information harvestable from public services, to launch spear phishing attacks is perfectly valid, but the conclusion is all wrong. What business should be doing, I would suggest, is ensure employees are sufficiently aware of the risk of clicking on unsolicited links - an action that has led to many a successful phishing attack.
The IT Pro guide to Windows 10 migration
Everything you need to know for a successful transitionDownload now
Managing security risk and compliance in a challenging landscape
How key technology partners grow with your organisationDownload now
Software-defined storage for dummies
Control storage costs, eliminate storage bottlenecks and solve storage management challengesDownload now
6 best practices for escaping ransomware
A complete guide to tackling ransomware attacksDownload now