Why Shouldn’t I ‘cc’ People?

Every copy you make of information is a copy someone else can steal, and every person you send information to is another person who can lose that information.

Not every information security weakness is technological. Sometimes the little things we do can have tremendous effects on information security. An important example of this is email practices. On one hand, personal behaviors require less technological know-how to institute, but on the other hand, it is easier to get a computer to do something than a person.

These simple changes in email proceedures, requiring no technological adaptation whatsoever, will improve your information security immediately. The underlying logic is reducing the points where malicious actors can access your information.

  1. Delete old emails: Leaving old emails in your inbox, archive or folders creates an inherent vulnerability. The more information that is in your email right now, the more information someone will get if they access your email. As soon as information no longer needs to be in email format, remove it from your email. If you need to archive emails save them in a separate file that is not accessible from your email.
  2. Do not use “Email Someone” links: When you read an article you like, there is often a “send this to someone.” If you use that link, you have just given your “friend’s” email to the organization. Even if that organization is not inherently malicious, that is yet another database where their email can be exposed. Instead, copy the link to your email, and then send it.
  3. Use ‘cc’ sparingly: Every copy of information out there is a vulnerability, and the more distributed information becomes, the more likely someone has it who does not value the information itself. Sending out emails on blast, cc’ing supervisors to “keep them in the loop for situational awareness” is one more place where malicious actors can get that information. Organizations constantly forwarding information are essentially sieves, because there are so many access points, every point equally valuable, but not every point equally well defended.
  4. Only forward email when necessary: See above.

While information security has an important technological component, our behaviors contribute just as much to security. Taking a little time to think through ways we can make ourselves safer, and those around us, will go a long way towards improving our information security.