Now you’re getting it

In December I set up a rule on our outbound email to let me know when people are sending Social Security Numbers in outbound email. Once I was satisfied with the accuracy of the rules, we set up some education for our physical security and HR recruiters so they would understand why it's a bad idea to send SSNs and what some alternative choices are. Once our big offenders had been notified, I enabled a notification to the sender to let them know why emailing SSNs in plaintext is a bad idea. After about a month of that, I reconfigured the rule so it blocks the email and notifies the sender.
One person, who I believe is a finance manager, got blocked while attempting to email papers for a personal mortgage refinance. A hilarious rant was sent to the helpdesk saying that if people can read non-encrypted emails, then non-encrypted email can't be used for business mail such as emailing a credit card number to enroll in a conference or sending resumes that include SSNs.
It's so nice when the user gets it. Although I would have appreciated a ‘thanks for stopping me from shooting myself in the foot’ tone instead of misplaced moral outrage.
I replied that she's absolutely right. She should never be sending credit card numbers by email either. The secrecy of some project and customer data depends on the customer's requirements, so talking to the project lead about how to handle customer data would be appropriate. Unfortunately, the company can't allow emailing of SSNs.
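As an added illustration (not code from this post or from the mail filter it describes), here is one way to model the monitor, notify, block progression described above, together with the kind of plausibility checks that keep such a rule from flagging phone numbers and order IDs; the SSA issuance ranges used are public, the sample message and notice text are constructed.

```python
import re
from enum import Enum

# Candidate SSN: 3-2-4 digits, with optional "-" or space separators.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


class Mode(Enum):
    MONITOR = "monitor"  # phase 1: deliver and log only, tune accuracy
    NOTIFY = "notify"    # phase 2: deliver, but tell the sender why it is a bad idea
    BLOCK = "block"      # phase 3: stop the message and tell the sender


def is_plausible_ssn(area, group, serial):
    """Reject patterns the SSA never issues (area 000, 666, 900-999;
    group 00; serial 0000). This is the main lever against false positives."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_ssns(text):
    """Return every plausible SSN-looking token in the message body."""
    return [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]


NOTICE = ("Your message contains what looks like a Social Security Number. "
          "Plaintext email can be read in transit and at rest; please use the "
          "approved secure transfer method instead.")


def evaluate(message, mode):
    """Decide one outbound message: returns (deliver, sender_notice, hits)."""
    hits = find_ssns(message)
    if not hits or mode is Mode.MONITOR:
        return True, None, hits          # monitor phase never touches delivery
    if mode is Mode.NOTIFY:
        return True, NOTICE, hits        # delivered, sender educated
    return False, NOTICE + " The message was not delivered.", hits


# Constructed sample: one real-looking SSN, one order number that fails the
# area check, and a phone number the regex does not match at all.
SAMPLE = "Refi docs attached. My SSN is 123-45-6789. Order ref 987654321, call 555-123-4567."

if __name__ == "__main__":
    for mode in Mode:
        print(mode.value, evaluate(SAMPLE, mode))
```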


  1. “… what some alternative choices are.”
    Roger, you might list them, even though they may be ‘obvious’ to some.

  2. Sounds like a good idea for another blog entry. This one was intended to be more like ComputerWorld's SharkTank in tone, not instructional.

  3. Back to the whole idea of the “human firewall” … excellent concept to include awareness/training (an administrative control) along with the firewall settings (a logical control).
