
What's the best corporate email security policy for erroneous emails?

If an employee receives invalidated emails, should the corporate email security policy handle it? Expert Matthew Pascucci discusses the rights of the enterprise.

I read about a security issue where a person in Australia received over 200 emails from Uber about completed rides in Kenya, and this raised some questions. If an individual receives account-related emails on their corporate email address for accounts they didn't actually create, what steps, if any, should be taken? What responsibility does the enterprise security team have?

The issue here is that Uber doesn't verify email addresses, and these erroneous emails were being sent directly to a different user who was able to view private information on the real customer.

With that being said, if there are multiple emails incoming to an organization regarding accidental sign-ups or verification, it is an enterprise's right to block these incoming messages without question.

Unlike personal email, which the user has control over, corporate email security is the responsibility of the enterprise for which the employee works. This account, the emails and everything associated with it are the property of said organization.

If there is ever an issue with emails accidentally being sent to the company and affecting it adversely, the company has the right to block these emails in its mail gateways or spam and phishing filters as part of the corporate email security policy.

The first step in remediating this issue is to validate the inbound email. You should also determine whether the email is something a user has raised with their mail admins or something the mail team noticed.

It's possible to unsubscribe from these emails if they're active, but if they keep flowing, the only recourse may be to block the address at the spam gateway.

If a similar situation to the Uber instance occurs, a mail admin can make a dedicated rule in the spam gateway to exclude the messages from being delivered to a particular mailbox. The user won't realize it was sent, and would no longer have accidental emails flowing into their inbox.
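As an added illustration (not from the original article and not any gateway vendor's rule syntax), the Python example below models the validate-then-block steps: it checks the authentication verdict the receiving gateway stamped on the message, then applies a rule scoped to one sender domain and one mailbox. The domains, addresses, rule format and the `quarantine`/`review`/`deliver` actions are assumptions, and reading "validate" as a DMARC check is one interpretation.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real provider email); reserved example domains.
SAMPLE = """\
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=rides.example; dkim=pass header.d=rides.example; dmarc=pass header.from=rides.example
From: Ride Receipts <receipts@rides.example>
To: j.smith@corp.example
Subject: Your trip receipt

Thanks for riding.
"""

# Hypothetical rule: stop this sender domain for the one affected mailbox only.
RULES = [{"sender_domain": "rides.example", "recipient": "j.smith@corp.example"}]
TRUSTED_AUTHSERV = "mx.corp.example"  # trust only verdicts stamped by our own gateway


def dmarc_pass(msg):
    """True if our own gateway recorded dmarc=pass for this message."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # header inserted upstream by another party; ignore it
        if any(p.strip().lower().startswith("dmarc=pass") for p in results.split(";")):
            return True
    return False


def decide(raw, rules=RULES):
    """Return 'quarantine', 'review' or 'deliver' for one raw message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    # A real gateway matches the SMTP envelope recipient; the To header stands in here.
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    domain = sender.rpartition("@")[2]
    for rule in rules:
        if domain == rule["sender_domain"] and recipient == rule["recipient"]:
            # Authenticated mail from the real service is the erroneous sign-up case:
            # hold it silently. Unauthenticated mail claiming that domain goes to the
            # mail team for review instead of being treated as the known nuisance.
            return "quarantine" if dmarc_pass(msg) else "review"
    return "deliver"
```

Scoping the rule to a single recipient keeps legitimate mail from the same service flowing to other employees who did sign up.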

It's possible that these messages might have already been tagged as spam by a web filter based on the thresholds and reputation of the sender, but if not, it's not difficult to deny these emails and limit the damage to a user's mailbox. Depending on the location of a spam filter, in the cloud or on premises, the number of emails sent would have to be reviewed to determine if resources on the gateway are a concern for daily operations and corporate email security.

From an ethical standpoint, and in this case, it would be worth contacting Uber's support team to notify them that you're receiving these erroneous emails. If this can be done without introducing a privacy issue for the intended user, it would be ethical to try and resolve it for them. But if it means digging into an account that isn't yours, it's best to stay away from it.


This was last published in March 2017
