Skip to main content
SANS Security Awareness

Utility nav

  • GDPR
  • Support
  • SANS.org
  • Contact
  • Request Demo

Main navigation

  • Products
    • Products Overview Column
      • Products

        Build and mature your security awareness program with comprehensive training for everyone in your organization.

        View Products
    • Security Training Solutions
      • EndUser Training

        Security Awareness training designed by experts.

      • Phishing Tools

        Tiered-template phishing simulation tool designed for all learners.

    • Products - Training Span
      • ICS Training

        Train all learners involved with Industrial Control Systems. 

      • NERC CIP Training

        Relevant Critical Infrastructure Protection training meeting compliance. 

      • Developer Training

        Protect web applications with secure coding practices. 

      • Healthcare Training

        Train learners following HITECH and HIPAA standards. 

    • Events
      • Courses & Summits

        Gain key insights and practical information in security awareness program building from experts in the field with our Summits and training courses. 

      • Summit Recap

        Review top talks from the 2019 SANS Security Awareness Summit in San Diego.

  • Why SANS
  • About
    • About Overview Column
      • About

        SANS has been around as long as the Internet. Learn about our history, experts and events around the world.

        Read About SANS Awareness
    • About Column 1
      • Our Experts

        World-class experts covering every aspect of security awareness and defense.

    • About Column 2
      • History

        Read about the SANS Security Awareness legacy.  

    • About Column 3
      • News

        Check out what’s going on with SANS Security Awareness in the news.

  • Reports
  • SSAP Credential
  • Blog
  • Resources
    • Resources Overview Column
      • Resources

        Looking to build and mature your security awareness program? These resources will enable you with the topics and techniques to improve your learner’s awareness in security.

    • Resources Column 1
      • Blog

        Read from subject matter experts and guest authors about the latest going on in security awareness.

      • Events & Webcasts

        Gain key insights and practical information in security awareness program building from experts in the field with our Events & Webcasts. 

    • Resources Column 2
      • Posters

        Developed by the community for the community. Download and share these awareness posters with your organization.

    • Resources Column 3
      • OUCH! Newsletter

        The world leading security awareness newsletter. Offered in multiple languages, created by a community of experts.

Mobile Menu

September 2016 • The Monthly Security Awareness Newsletter for Everyone

Email Do's and Don'ts

Email is still one of the primary ways we communicate, both in our personal and professional lives. However, we can quite often be our own worst enemy when using email. In this newsletter, we will explain the most common mistakes people make with email and how you can avoid them in your day-to-day lives.

Auto Complete

Auto complete is a common feature found in most email clients. As you type the name of the person you want to email, your email software automatically selects their email address for you. This way, you do not have to remember the email address of all your contacts, just their names. The problem with auto complete is that when you have multiple contacts that share similar names, it is very easy for auto complete to select the wrong email address for you. For example, you may intend to send an email with all of your organization’s financial information to “Fred Smith,” your coworker in accounting. Instead, auto complete selects the email address for “Fred Johnson,” your neighbor. As a result, you end up sending sensitive information to unauthorized people. To protect yourself against this, always double-check the name and the email address before you hit send.

Replying to Email

OUCH! Sept 2016 Email Do's and Don'ts
You can be your own worst enemy when it comes to email. Slow down and double-check what you're sending and to whom.

Most email clients have two options besides ‘To’ for selecting recipients: ‘Cc’ and ‘Bcc.’ Cc stands for “Carbon copy,” which means you want to keep people copied and informed. Bcc means “Blind carbon copy,” which is similar to Cc; however, no one can see the people you have Bcc’d. Both of these options can get you in trouble. When someone sends you an email and has Cc’d people on the email, you have to decide if you want to reply to just the sender or to everyone that was included on the Cc. If your reply is sensitive, you most likely want to reply only to the sender. If that is the case, be sure you do not use the ‘Reply All’ option, which includes everyone. With a Bcc you have a different problem. When you send a sensitive email you may want to privately copy someone using Bcc, such as your boss. However, if your boss then responds to your email using Reply All, all of the recipients will know that you secretly copied your boss on your original email. Whenever someone Bcc’s you on an email, do not Reply All, only reply to the person who sent the email.

Distribution Lists

Distribution lists are a collection of email addresses represented by a single name, sometimes called a mail list or a group name. For example, you may have a distribution list with the email address group@example.com. When you send an email to that address, the message gets sent to everyone in the group, perhaps hundreds or even thousands of people. Be very careful what you send to such a list because so many people may receive that message. In addition, be very careful when replying to someone’s email on a distribution list. You may intend your reply to be sent to just the individual sender, but the list may automatically include everyone, meaning hundreds (if not thousands) of people are now reading your private email. What can also be dangerous is when auto complete selects a distribution list. Your intent may be to email only a single person, such as your coworker Carl at carl@example.com, but auto complete might accidentally send it to the distribution list you subscribed to about cars at cars@example.com instead.

Emotion

Never send an email when you are emotionally charged. If you are in an emotional state, that email could cause you harm in the future, perhaps even costing you a friendship or a job. Instead, take a moment and calmly organize your thoughts. If you have to vent your frustration, open Microsoft Word or a text editor and type exactly what you feel like saying. Then get up and walk away from your computer, perhaps make yourself a cup of tea or go for a walk. When you come back, delete the message and start over again. Or better yet, pick up the phone and simply talk to the person, or speak face to face if possible. It can be difficult for people to determine your tone and intent with just an email, so your message may sound better on the phone or in person.

Privacy

Finally, remember that traditional email has few privacy protections; your email can be read by anyone who gains access to it. Think of email as being similar to a postcard. In addition, once you send an email you no longer have control over it; you can never take it back. Your email can easily be forwarded to others, posted on public forums, released due to a court order, or distributed after a server was hacked. If you have something truly private to communicate, pick up the phone. It is also important to remember that in many countries, email can be used as evidence in a court of law. Finally, if you are using your work computer for sending email, remember that your employer most likely has the right to monitor and perhaps even read your email when using work resources. Check with your supervisor if you have questions about email privacy at work.

License

OUCH! newsletter is under the Creative Commons license.  You are free to share / distribute it but may not sell or modify it.

In This Issue

Auto Complete
Replying to Email
Distribution Lists
Emotion
Privacy

English
OUCH-201609_en.pdf
Arabic
OUCH-201609_aa.pdf
Bahasa Indonesia
OUCH-201609_ba.pdf
Bulgarian
OUCH-201609_bg.pdf
Chinese, Traditional
OUCH-201609_cn.pdf
Danish
OUCH-201609_da.pdf
Dutch
OUCH-201609_nl.pdf
Farsi
OUCH-201609_fa.pdf
French
OUCH-201609_fr.pdf
German
OUCH-201609_de.pdf
Hebrew
OUCH-201609_he.pdf
Hungarian
OUCH-201609_hu.pdf
Italian
OUCH-201609_it.pdf
Japanese
OUCH-201609_jp.pdf
Korean
OUCH-201609_kr.pdf
Latvian
OUCH-201609_lv.pdf
Lithuanian
OUCH-201609_lt.pdf
Norwegian
OUCH-201609_no.pdf
Polish
OUCH-201609_po.pdf
Portuguese
OUCH-201609_pt.pdf
Romanian
OUCH-201609_ro.pdf
Russian
OUCH-201609_ru.pdf
Serbian
OUCH-201609_se.pdf
Spanish
OUCH-201609_sp.pdf
Turkish
OUCH-201609_tr.pdf
Urdu
OUCH-201609_ur.pdf
Guest Editor
Thumbnail

Robert M. Lee

Critical Infrastructure, Cyber Warfare Expert
Robert is the CEO and Founder of the industrial (ICS/IIoT) cyber security company Dragos, Inc. He is also a non-resident National Cybersecurity Fellow at New America focusing on policy issues relating to the cyber security of critical infrastructure. For his research and focus areas, Robert was
Twitter
RobertMLee

Subscribe to OUCH!, our Monthly Security Awareness Newsletter

Get monthly content to keep you up to date on the latest Security Awareness News and Tips.

The SANS Institute provides training related to cybersecurity and the safe use of technology within your organization. To provide this training, the SANS Institute captures and processes personal data and as such has been identified as a “controller” of your information.

The information provided to SANS Institute for training purposes may include name, email address, phone number(s), address, company, department, job function, industry, organizational memberships, and geographic region. The SANS Institute may also collect data about devices and software used to access the training and training systems; this data includes browser version, operating system version, IP addresses, access times, connection duration, and other browser analytics. As training is delivered, the SANS Institute processes and stores data associated with training assignments, completion, and scores on any learning activity that is delivered. SANS may also utilize third party processors to provide these services.

If your information is provided by your employer, this information is used as part of the initial or ongoing training cycle. The purpose for collecting this data is to allow the SANS Institute and your employer to assign, deliver, record and report on your cybersecurity training. Your information and training records will be shared only with you and your employer.

At any time you have the right to receive a copy of the personal data you have provided to us in an electronically readable format.

A data protection regime is in place to oversee the effective and secure transmission, processing, storage, and eventual disposal of your personal data, and data related to your training. The SANS Institute will retain your data until you request that it be removed, after which it will be securely disposed of. The SANS Institute will never sell your personally identifiable data and will only share your personally identifiable data with SANS cyber security solutions partners when you provide agreement to do so.

When you consent to us using your information for the purposes of sending you information on SANS products or services you are providing us with your consent to send you materials detailing our products and services that we consider will be of interest to you, based on your use of the educational material that we provide as resources. We profile you this way to make the materials more relevant to you. We will only send you information on products from within the SANS services portfolio.

If, at any point, you believe your personal information to be incorrect, you may request to see a copy of your data, ask to have the errant data corrected, or ask that it be securely disposed of. If your information is provided by your employer, the SANS Institute will work directly with your employer to promptly address the matter. If you wish to raise a complaint or concern, or have questions relating to GDPR, please contact the Data Protection Officer via gdprprivacy@sans.org.

SANS has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to the EU Data Protection Authorities (DPAs), or where applicable instead, to the Swiss Federal Data Protection and Information Commissioner. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit the following web site for more information and to file a complaint with the EU DPAs: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm

You may, at any time, withdraw your consent; to do so, please contact gdprprivacy@sans.org.

The SANS Institute is a U.S. company founded in 1989 that specializes in information security and cybersecurity training. All information provided to SANS Institute will be transferred to and processed in the United States. The SANS Institute is committed to comply with the Privacy Shield Framework which has been found adequate by the European Commission to enable international data transfer under EU law. For more information, please see www.sans.org or contact gdprprivacy@sans.org.

By providing this information, you agree to the processing of your personal data by SANS as described in our Privacy Policy.
SANS Security Awareness

301-654-SANS (7267)
Monday-Friday, 9am-8pm EST/EDT

Social

  • Facebook
  • Twitter
  • Linked In

Footer

  • Products
  • Why SANS
  • About
  • Reports
  • Resources

Footer utility

  • Support
  • SANS.org
  • Contact
  • VLE Help

Stay up-to-date on the latest security awareness news and tips. 

Subscribe to our monthly newsletter, OUCH!

Subscribe Now

Copyright Nav

  • ©2018 SANS™ Institute
  • Privacy Policy
  • Trademark Usage Policy
  • Credits