One Way Banks Can Protect Against A Sony-Style Cyberattack

Bank Cybersecurity

Early this year, we strongly recommended that banks change their mindset when it comes to protecting against hackers (HERE). Instead of thinking in terms of IT perimeter security, banks need to assume the bad guys are going to get through their perimeter defenses and need to design their systems to compartmentalize information. We even provided banks our cyberattack plan, which would have been helpful for any bank that found itself in Sony’s loafers. Today, we bring up another tactic that banks should consider in order to mitigate risk – keep your emails transparent.

Stripe is a payments company with a stated policy that private emails should be the exception rather than the rule. Employees are asked to cc any work-related email to a topic-specific mailing list; the lists are then archived (you can use Google Groups) and searchable by any employee. Employees can subscribe to any list, and best practice dictates that employees set up lists to go right into an archived folder to be read on their own time. Because information is available for all to see, employees are trained on what proprietary information is and what is not. The combination of added trust and added training reportedly results in less, not more, private information being shared outside of the Company.

The results are severalfold. First, since almost all emails are transparent, the Company found that email was used more sparingly and more professionally. Second, more information was shared, so communication improved, fewer feelings were hurt over not being included, and office politics were kept to a minimum. Now, any employee who wanted to know about a certain project or initiative could. Fewer management layers were needed and fewer meetings took place as a result of more people being informed and communicating via email.

Finally, security improved. Private information that was shared (like customer information) underwent another layer of encryption that further secured and compartmentalized it. In other words, unlike at banks, even customer information was secured internally. In short, banks could create a process whereby employees automatically manage confidential information and choose either not to put private information into writing or to add an extra layer of security. In addition to the security benefits, it just might make all employees more productive, which could be the greatest counter-hack of all.