Accountable Email Communications

Today, I want to look at one of the fundamentals of cyber security – accountability – and, in particular, how it applies to email communications.

Email communications 

Nearly thirty years ago, I sat in on a meeting of senior solicitors as they got to grips with how they were going to use email. They were in the process of moving from secretaries with word processors and very limited email use to everyone having a Windows 95 computer and an email address. The issue the meeting was dealing with was the use of email when it came to legal advice. Before email, it was easy – a letter on paper, which was checked, signed by an authorised solicitor with ink and sent out, with a copy for the file. Now what would happen in the age of electronic mail? A policy document was eventually written, which worked for them then, but of course over the years the technologies moved on and today there is no issue with a PDF attached to an email being legal advice, no ink and the only copy being electronic in the CRM.

Email communications today 

Both Microsoft 365 and Google Workspace have comprehensive logging, giving a layer of accountability for email transactions, but a few notes in your computer use policy and a few tweaks to the reporting will improve your accountability and cyber security. 

Personal email addresses 

The use of personal emails to carry out business should be prohibited. Surely this does not need much explanation. 

Email apps 

On tablets and phones, use the Outlook app, not the native email app.

Email forwarding rules  

One of the things threat actors need to do to carry out a business email compromise attack successfully is to set up forwarding rules so the malicious emails can be concealed. Our support team will set up an alert for clients that is triggered whenever anyone creates an email forwarding rule, so the legitimacy of that rule can be checked.
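As an added illustration (not the author's or their support team's tooling), this sketch shows the kind of check such an alert performs over exported Microsoft 365 audit records: it flags every rule or mailbox change that forwards mail and marks targets outside the organisation. The sample records are constructed and reduced to a few fields, and `example.co.uk` as the internal domain is an assumption.

```python
import json

# Exchange Online cmdlet names as they appear in the "Operation" field of
# Microsoft 365 unified audit log records when a rule or mailbox is changed.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
# Cmdlet parameters that send incoming mail on to another address.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress"}
INTERNAL_DOMAINS = {"example.co.uk"}  # assumption: the organisation's own domains

# Constructed sample records, reduced to the fields used here.
SAMPLE_LOG = [
    '{"CreationTime": "2024-05-01T09:12:44", "Operation": "New-InboxRule", "UserId": "alice@example.co.uk", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "smtp:collector@example.net"}]}',
    '{"CreationTime": "2024-05-01T10:03:10", "Operation": "New-InboxRule", "UserId": "bob@example.co.uk", "Parameters": [{"Name": "MoveToFolder", "Value": "Newsletters"}]}',
    '{"CreationTime": "2024-05-02T08:30:00", "Operation": "Set-Mailbox", "UserId": "admin@example.co.uk", "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:Carol.PA@example.co.uk"}]}',
    '{"CreationTime": "2024-05-02T08:31:00", "Operation": "MailItemsAccessed", "UserId": "alice@example.co.uk"}',
]

def forwarding_targets(record):
    """Return the addresses a rule-changing audit record forwards mail to."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    targets = []
    for param in record.get("Parameters", []):
        if param.get("Name") in FORWARD_PARAMS and param.get("Value"):
            # A value may carry an "smtp:" prefix and several ';'-separated entries.
            for value in param["Value"].split(";"):
                address = value.strip().lower()
                if address.startswith("smtp:"):
                    address = address[5:]
                if address:
                    targets.append(address)
    return targets

def find_forwarding_alerts(lines):
    """Alert on every forwarding change; list targets outside INTERNAL_DOMAINS."""
    alerts = []
    for line in lines:
        record = json.loads(line)
        targets = forwarding_targets(record)
        if targets:
            external = [t for t in targets
                        if t.rpartition("@")[2] not in INTERNAL_DOMAINS]
            alerts.append({"time": record.get("CreationTime"),
                           "user": record.get("UserId"),
                           "operation": record.get("Operation"),
                           "targets": targets, "external": external})
    return alerts

if __name__ == "__main__":
    for alert in find_forwarding_alerts(SAMPLE_LOG):
        print(alert)
```

Every forwarding change is reported so its legitimacy can be checked; the `external` list only helps decide which alerts to look at first.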

Simple but effective 

This advice seems simple but often when I am carrying out IT and Cyber Security Audits, I discover people using personal email accounts for business use because it is easier for them. But it is not difficult to set things up to use accountable channels – it may be more difficult to get people to change their habits. 

Clive Catton MSc (Cyber Security)