Outdated and ill advised: How not to do email security

You've probably heard of security by obscurity, but one company's email policy takes it to the extreme

I never cease to be amazed at the technology gaps in certain industries. Employees have to put up with woefully outdated methods, from insufficient networking to clunky hardware. Yes, it can be tough to keep up with the changes that happen in the industry, but some lapses are simply confounding.

About a year ago, I was on a temporary assignment at the headquarters of a large institution. My job was to help automate some tasks by designing reports that would help in the company's decision-making processes.

After assessing the needs and deciding what data I would require to make the custom reports, I prepared a list of which departments would need to give me feedback. My contact then provided me with a list of contacts from each department.

Data in, data out

I set up a meeting with the department representatives, and I outlined what the reports would be, what information they would show, and how the data would be merged to construct them. Each person would email the necessary data from their department to a temporary email address that IT had established for me on the network, and I would take it from there.

The next day, data started to arrive in my inbox from all but one department. I was about to contact the person regarding the missing data, but at about 10 a.m. that day I returned to my desk to find it had been delivered in the form of hard copies of Excel spreadsheets that contained the necessary information.

That seemed odd. Sure, I could retype it all into the database that I had created, but I had hoped to set up links to the sheets for better automation. I decided to check with the employee and see why that group hadn't forwarded the data by email.

Communication gap

I asked why he hadn't emailed the data rather than give me a hard copy and was blown away by the reply: The employee had no access to email. Nobody in their department did -- only the supervisor!

Asking around, I found out the reason this department didn't have email access: It was considered a security risk because this department dealt with large corporations and their records. Never mind that there weren't any checks in place to stop the removal of hard copies.

I spent some time gathering information on the concerns, workflows, and other details about email for this department. With the benefits far outweighing the drawbacks and the fact they were automating more and more of their tasks, the Powers That Be gave the go-ahead to establish a security policy and tight controls, with the upshot of granting this department email access.

I guess there is always a company that steers clear of the bleeding edge of technology. But I never thought I would come in contact with one that trailed at the end of the line.