Jump to content

Implementing Corporate Email

Recommended Posts

So the company I work for decided to implement a corporate email next week, We will have a seminar about the policies concerning the Do's and Don'ts when using the corporate email

I also plan to launch a social engineering exercises to know whether they learned to use our corporate email or not

also to know if where are vulnerable to such attacks.

I just wanted to know your opinions if I'm on the right track or launching a social engineering attack for these kind of thing are a total waste of time and resources

I work for a small to medium size bank and we are currently using our personal mail for transactions.

Link to comment
Share on other sites

I work for a small to medium size bank and we are currently using our personal mail for transactions.


I shouldn't be surprised since I did some work for a dutch top-3 bank once and... well let's just say I'm happy not to be banking with them.

Can't find any reason why you shouldn't test the workforce to see if they adhere to the policy. Since it's a completely new thing you'll probably find in this process the ways by which the workers are trying to circumvent the policy and why, allowing you to tune your policy to the day-to-day reality where needed, and to implement processes that verify the following of the policy when unwanted.

With any new policy, if you have one big meeting where the policy is explained and maybe a hand-out for the workers about the new status quo, what you'll really end up with is a workforce that keeps on doing things the way they used to, with one more piece of paper tucked away in their desk somewhere (if you're lucky). Change takes time and you should give it that. So have the meeting. Give the handout. Ask for feedback on the new process (specifically asking for areas of improvement they may have spotted) maybe a week after and if nobody gives any you either did an amazing job or not a single fuck was given and nothing has changed. Inform the workers about the feedback you've gotten and what you plan to do with it (and keep them posted on its progress). About a month after that sporadically do your social engineering thing to see if specific worker bees are really adhering to the policy.

You may need more than 1 meeting and a location on the intranet where you can store the document aswell in case someone 'loses' their handout copy.

The main thing to remember about the policy is that the workforce *HATES* that shit with a passion. What you're effectively doing to them is getting in the way of them doing their job. No, I know you're not, but that's how they will see it. Approach it from their perspective and make sure they understand why it's in their interest to do things the correct way. What the real dangers are of retaining the old process and how what you're now doing not only mitigates those dangers, but makes it so much easier for them to do what they used to be doing - you're not getting in their way, you're letting them do things more efficient. If you can do that you'll find that people will be a LOT more willing to accept the policy.

As a simple anecdote, at my work right now the security hounds are pushing to move our test server away from our local dev lan to a remotely hosted location because if a plane were to crash into the building the server would be destroyed. While there might be an actual chance of this happening, why does that mean that the latency of this very, VERY busy server should go up at least tenfold, impacting our daily work negatively in a very big way? Why can't they include the server in the nightly backup round (answer: because it's not officially hosted... insert suggestive hand motion)? Being the crafty critters that we are, we still use the same server but have configured it to upload our changes nightly to the main, remotely hosted server or whenever someone who needs the latest version of our stuff complains. This is the shit you're up against.

Link to comment
Share on other sites

Saw an excellent talk on this topic the other day which I would copy closely

As Cooper says, the important thing is to play carrot, not stick. You should be continually encouraging and helpful rather than just bemoan the people who will always click the link because the subject says "free".

Link to comment
Share on other sites

  • 1 month later...

One other thing you will need is managment who will back you and any policies up. One of the problems we have had with corporate email is not technology change, its changing human behaviour. Including ones who ignore what the IT/Security/Tech part of the organization instructs them to do. Especially if there is a culture of letting certain ones to circumvent the policies because they are a "good guy."

Good luck, the testing out the social engineering is the usual way to find weakenesses in the chain/departments.

Link to comment
Share on other sites

In certain environments, like the bank in his case and healthcare in my case, security has the luck of being the starting point for pretty much everything. There's not much "we'll just wing it" going on here.

It's either safe, or it will be with the next (patch)release which will be in the fairly near future, you're going to have to specify a date here and now and you're going to make that deadline - no ifs, buts or any of that.

In environments where IT is more something to manage the periphery of the business, it's a much harder sell.

Link to comment
Share on other sites

  • 2 weeks later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...