HIPS Series > Safer Emailing and IMing, part 1

How to take this course

Hyperlinks to supplemental content are provided, should you wish to read more about a particular topic.  This extra material is optional.  It is not covered on the associated course quiz.  The supplemental content will usually be presented in a new browser window, which you may close at any time.

For the recommended reading sequence for these materials, see the HIPS Series Overview.

Approximate reading time for this course is 20 minutes (exclusive of linked content). This course has a second part, for which the average reading time is about 10 minutes. The quiz for both parts of the course is here.

•  •  •  •  •

1. Why are you here?

As you probably already know, security training is usually required for everyone in an organization's workforce who has access to its information systems.  Learning to use electronic mail (email) appropriately and safely is an important part of that training.

Email services bring many benefits.  It's an easy and convenient way to communicate with colleagues and with customers.  But email is not an inherently secure medium of communication.  It poses large security risks if used improperly.

Correct email use is a matter of professionalism.  What you put in email reflects on you, and on the organization for which you work.  It is also a matter of liability.  You can break the law or risk a lawsuit if you are careless with email.  We are not kidding.

The average professional worker spends hundreds of hours a year sending and receiving thousands of emails.  Even a small improvement in one's email skills can save a lot of time.  It can also result in significant improvements in information security for your organization.

Instant messaging (IM) use is growing fast.  It may someday supplant email as the dominant workplace communications tool.  Using it safely and efficiently is also critical.

2. Email's legal status

Email is so easy to create and send that you may be tempted to think of it as "informal" communication.  It's not.  If you send email as part of your work activities, you are generating official documents.

Commitments made in email can sometimes be considered as contractually binding as those put on paper.  More generally, all email messages exchanged by an organization's employees can be considered part of the company's official records under federal and state laws. 

Some of those laws require that email be retained for inspection by legal-regulatory bodies.  Email can be -- and increasingly is -- used as evidence in civil and criminal proceedings.

3. Instant messaging's legal status

Instant messaging (IM) is a newer means of communication than email, and its legal status is accordingly less clear.  But, as a general rule, you should assume that IM you send as part of work activities also has the status of an official document. 

You should assume that IM traffic at work may become part of the company's official record, and so be subject to retention and inspection for legal-regulatory compliance.  You should assume that IM traffic could potentially be used in a civil or criminal proceeding too.

Although we will not discuss it in as much detail here, IM has many of the same technical characteristics as email -- including vulnerabilities to interception unless offered through a secure system.  Be careful!

Also remember that IM, like email, creates a permanent record of what was "said."  While it may seem as informal as a telephone exchange, it's like a telephone call for which a permanent, searchable transcript is being generated.

4. How email is (usually) transmitted

You may be tempted to think of email as a secure means of communication.  Not so.  Email is best understood as an electronic postcard.  Email messages are typically sent as plain text files, relayed from computer to computer over relatively unprotected networks.  (These computers are called "servers" and are usually also engaged in transferring other content over the network-of-networks known as the Internet.)

Most email gets to its destination safely and without undue delay.  But you cannot generally control or predict the path a particular message will take, nor how long it will spend at various intermediate stops.  While some technical protections exist to prevent interception by third parties, you cannot really control or predict who may see a message along the way.
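Each server that relays a message stamps it with a "Received" line, so the path is recorded even though you could not choose it. The following added example (not part of the original course) reads those stamps from a constructed message and reports each stop, how long the message waited there, and whether that leg was encrypted. The hostnames, addresses and function names are made up for illustration.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed message: hostnames and addresses are reserved example values.
RAW = """\
Received: from mx.partner.example (mx.partner.example [203.0.113.7])
    by inbox.partner.example with ESMTPS id C3; Tue, 03 Mar 2026 14:07:45 +0000
Received: from relay.isp.example (relay.isp.example [198.51.100.20])
    by mx.partner.example with ESMTP id B2; Tue, 03 Mar 2026 14:07:40 +0000
Received: from desk17.clinic.example (desk17.clinic.example [192.0.2.15])
    by relay.isp.example with ESMTPS id A1; Tue, 03 Mar 2026 14:02:10 +0000
From: sender@clinic.example
To: colleague@partner.example
Subject: Schedule for Thursday

See you at 10.
"""

# "with" keywords that record a TLS-protected hop (RFC 3848 transmission types).
TLS_TYPES = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.I)


def trace_hops(raw):
    """Return the relay hops in the order they happened, as the servers recorded them."""
    hops, previous = [], None
    # Each server prepends its own Received line, so the oldest hop is last.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        line = " ".join(value.split())  # undo header folding
        match = HOP.search(line)
        if not match or ";" not in line:
            continue  # skip stamps this simple parser cannot read
        sender, receiver, proto = match.groups()
        when = parsedate_to_datetime(line.rsplit(";", 1)[1].strip())
        hops.append({
            "from": sender,
            "by": receiver,
            "protocol": proto.upper(),
            "tls": proto.upper() in TLS_TYPES,
            "wait_seconds": int((when - previous).total_seconds()) if previous else 0,
        })
        previous = when
    return hops


def plaintext_hops(hops):
    """Hops where the message crossed the network without TLS."""
    return [hop for hop in hops if not hop["tls"]]


if __name__ == "__main__":
    for hop in trace_hops(RAW):
        print(hop)
```

In the sample, the middle leg was sent without encryption after the message sat for five and a half minutes at the first relay, and the sender had no say in either.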

5. How email is (usually) stored

Email messages are usually stored in a variety of places -- the sender's computer, the computers of all recipients, and perhaps also in some of the server computers that routed it from origin to destination. 

Each of these locations is a potential "leak."  Not all servers are as secure as they should be.  And most persons' personal computers are not secure at all.

An email message can have a very long life on a server or its archived backup files.  It's best to think of it as existing forever.  If any of these storage locations lacks appropriate safeguards, the message is vulnerable to leaking over that long life.  It may even come to be detected on public search engines.  (Looking for such leaks is called "Google hacking" -- but you can do it with any search engine.)

6. Not all email is alike

It's not all bad news.  Email systems that use encryption techniques can provide secure network pathways and protect messages.  These secure systems can make it virtually impossible for a third party to intercept an email message along the way.

This does not guarantee email security!  If the computers of the sender or receiver are not fully protected -- or anyone is simply careless -- the message is still at risk.  (It's a little like hiring an armored car to transport your money, then leaving it in an unlocked room.)

You should determine what level of email security is available to you at your workplace, and for what kinds of communications.  Some email systems may be able to provide satisfactory security for messages sent within the organization, but not for those sent outside it.

No matter what kind of email system you use, it is essential to take steps to protect your own computer.  Too often, it's the weakest link.

7. Care about content

Given all this, we have a very simple general rule for use of email:  Think before you type.  Think again, after you type, before you click on the SEND button.  Once you send a message, it is virtually impossible to get it back.

Please understand that we are not trying to get you to stop using email.  We just want you to be (more) careful when you do.  The ease of sending email tends to make people careless about what they put in it.

Never forget that when you are using a workplace email system you are creating an official document. It is a document that may:

  • have legal consequences, including use in a civil or criminal proceeding;
  • live effectively forever on various file backup copies;
  • be viewed by many persons beyond those to whom it is addressed;
  • be subject to inspection by your employer at any time, and possibly by numerous legal and regulatory authorities too.

8. What shouldn't be in email: offensive content

If you are a pessimist by nature, you won't put anything in an email message that you wouldn't want to see trailing from an airplane banner or featured on the side of a blimp.

We don't think you need to go quite that far.  But obviously you should never, ever send material that could be considered defamatory, harassing, racist, sexist, obscene or otherwise offensive.  

Always keep the audience in mind.  Not just the immediate one, to whom you've sent the message, but also those who might receive your message second-hand via forwarding or copying.

Remember that kinder, gentler, polite-r email is also safer email.  It keeps you out of trouble, and may help you keep your job.

9. What shouldn't be in email: confidential content

Aside from staying away from potentially offensive content, you obviously need to worry about the confidentiality of what you send.  In light of email's generally lower level of security, some things just shouldn't be sent by email.

It's generally a bad idea to send sensitive personal information like social security numbers, credit card numbers, and the like.  Neither should you send computer user-IDs and passwords.

Every organization will have email policies that outline the specifics with respect to sensitive internal data and legally protected information.  We generally recommend sending only limited amounts of sensitive material via unsecured email -- and never an entire file or record set.

If you have access to a secure email system, you can be less restrictive.  But, again, remember that even a secure email system can only protect content during the journey.  If the email goes to an insecure destination, like a vulnerable personal computer, it is still at risk.

10. Less is usually more

What else can you do to promote safety, as well as kindness and gentleness?  It helps to be concise and to the point.  Most people already get an overwhelming volume of email.  It'll usually be appreciated if you keep yours short and sweet. 

Try to consolidate the messages you send.  If someone sends you several emails on the same subject, read them all before replying.

Brevity does carry some risks.  You won't be there when the email is read to explain what you really meant.  So if there's a lot to say, or you are worried about a recipient's reaction, consider picking up the telephone.  There's less chance of misunderstanding. 

You generally shouldn't rely on abbreviations like "LOL" or emoticons like smiley-faces to convey feelings. However helpful these may be to convey emotional nuances, they are often inappropriate in business emails. (If you must use them, limit it to correspondence with persons you know well, for more informal exchanges.)

11. Grammar, spelling, format

We can't stress enough that you are judged by the quality of what you send -- and that includes the details of grammar and spelling.  If you don't pay attention to these details you are going to look stupid.  Or sloppy.  Or both. 

Luckily, most email systems now include a spell-checker, and some will check for grammatical errors.  Use these features whenever available, but don't rely on them to catch every error. 

Don't obsess about format, but make sure your messages are easy to read too.  Short paragraphs, with blank lines between, are usually a good idea. 

Go easy on CAPITALIZATION and punctuation marks like "!!!!!!!!".  These can be hard on the reader's eyes.  As with emoticons, however useful it may be for emotional communication, such punctuation looks unprofessional.

12. The right address -- TO, CC, BCC

Technical protections against email interception don't work if you send email to the wrong address -- and it's an easy mistake to make.  All it takes is getting a single character wrong on that TO line. 

If you're lucky, your message will just bounce back with an "invalid address" error.  If you're not so lucky, the message will be in a stranger's inbox before you can blink.

It's the same as getting a telephone number wrong -- except with a phone call you generally know right away that it's an invalid number or the wrong person, before you say anything sensitive.  With email, you won't know until it's too late, if indeed you ever know at all.  (Faxes share this problem -- which is why verifying a fax number before sending is also critical.)

Obviously the same care about addresses must be used with recipients you designate to receive CC "copies" and BCC "blind copies."

BCC is appropriate when you are sending to a large group, and want to respect privacy by not revealing recipients' addresses to each other. (The "suppress recipient list" option on some systems achieves the same effect.)  BCC may be legally required if a recipient's presence on an email address list would reveal something confidential to the rest of the group. 

Absent such privacy concerns, it is generally inappropriate and rude to use BCC to add "stealth readers."  Use CC instead or, better yet, just put everyone on the TO line.

13. The right address -- short cuts

You can avoid address errors by replying directly to a person's last message to you.  Another solution is to use your email system's built-in address book or directory.  Some email systems will even automatically "guess" the address you want as you type in the first few characters on the TO, CC or BCC line.

Be very careful!  The "automatic" methods can create as many problems as they solve.  The computer's guess may be the wrong one -- for example, if you have several address entries for similarly-spelled names, the computer may pick the first one that matches. 

No matter how you get them, it is imperative that you check the TO, CC and BCC fields for correct addresses before you click on SEND.

14. Subject matters

Many people use the SUBJECT field to identify a particular message from among the hundreds or thousands in their inboxes and folders.  Please help them by entering a brief, descriptive subject for every email you send. 

This will also help recipients identify spam, spoofs and hoax messages -- which often have subject lines that are a bit "off topic" (or just plain weird).

If you're replying to a message and sticking to the same topic, don't change the SUBJECT line.  That will help your recipients keep track of the messages for a particular email thread.  However, it's important to change the subject if the topic really has changed -- such as when you are replying to an old message just to get the address right.  Don't be lazy about this.

15. Appropriate greetings

If you have a formal relationship with a recipient, begin with "Mr.", "Ms." or a title like "Dr.", the same way you would in a letter.  For colleagues you know well, more informal greetings are fine -- e.g., "Dear Donna," or "Hi Donna".

Although there are different opinions on this, we strongly recommend including a greeting unless you're sure the recipient prefers that you get right to the point.  Typing a greeting takes very little time.  If you're going to err, it's generally better to err on the side of politeness.

There is a benefit beyond politeness.  Another way to identify a spoof or spam message is by a greeting that doesn't match what a correspondent would normally employ. 

16. Appropriate farewells

It is also good practice to include "signature" text at the end of each email, unless you are sure the recipient has your contact information.  Don't make your correspondents conduct a search for this data when they need to follow up an email with a phone call, fax or postal letter.

Most email systems allow you to store at least one signature that will automatically be appended to outgoing email.  (Some will allow you to save multiple signatures, with one to be the default.) 

In addition to your postal address, fax and telephone numbers, the signature should include your formal title and the name of the organization you represent.  Don't assume the recipient knows!

You can delete all or part of your signature should it be unnecessary for a particular email message -- e.g., one to a close colleague who doesn't need to be reminded of your title.  (However, even a close colleague will appreciate not having to look up your telephone number if he/she needs it.)

Note that religious and political sentiments, inspirational quotations, cartoons, etc., are usually inappropriate in signatures for business email.  What you want to put at the end of your personal email is up to you, but don't indulge in advertising at work.

17. Sending attachments: confidentiality

Attaching files that contain documents, spread-sheets, presentations and other data is a very convenient way to exchange information via email.  It is also dangerous, and should always be undertaken with caution.

Remember that an attachment, like the email carrying it, can travel far and wide after it leaves your computer (and may have a very long life).  Consider whether anything in an attachment might be too confidential for this fate.  If you are not certain about the full contents of an attachment, you probably shouldn't be sending it onward.

Remember also that files created by office software may contain hidden information -- like author, date created, organization, and sometimes even a history of changes -- that is itself confidential.  Observe safety precautions to remove this information.
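To see what that hidden information looks like, the following added example (not part of the original course) opens a word-processing file in the .docx format and lists the author, creation date, organization and any tracked changes still stored inside it. The sample file is built in memory with made-up values, and the function names are this example's own.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the Office Open XML (.docx) package parts read below.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
W = "{%s}" % NS["w"]
# (report label, package part, element holding the value)
FIELDS = [
    ("author", "docProps/core.xml", "dc:creator"),
    ("created", "docProps/core.xml", "dcterms:created"),
    ("organization", "docProps/app.xml", "ep:Company"),
]

def read_part(zf, name):
    """Parse one XML part, or return None if absent (use defusedxml on untrusted files)."""
    return ET.fromstring(zf.read(name)) if name in zf.namelist() else None

def hidden_metadata(docx_bytes):
    """Return the hidden properties and tracked changes stored in a .docx file."""
    found = {"tracked_changes": []}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for label, part, path in FIELDS:
            root = read_part(zf, part)
            value = root.findtext(path, namespaces=NS) if root is not None else None
            if value:
                found[label] = value
        body = read_part(zf, "word/document.xml")
    for el in ([] if body is None else body.iter()):
        if el.tag in (W + "ins", W + "del"):  # tracked insertion or deletion
            kind = "inserted" if el.tag == W + "ins" else "deleted"
            found["tracked_changes"].append((kind, el.get(W + "author"), "".join(el.itertext())))
    return found

def sample_docx():
    """Constructed sample holding only the parts read above (all values made up)."""
    xmlns = " ".join('xmlns:%s="%s"' % item for item in NS.items())
    parts = {
        "docProps/core.xml": "<cp:coreProperties %s><dc:creator>J. Rivera</dc:creator>"
            "<dcterms:created>2006-03-14T09:30:00Z</dcterms:created></cp:coreProperties>",
        "docProps/app.xml": "<ep:Properties %s><ep:Company>Example Clinic</ep:Company>"
            "</ep:Properties>",
        "word/document.xml": "<w:document %s><w:body><w:p><w:r><w:t>Fee applies.</w:t></w:r>"
            '<w:del w:id="1" w:author="M. Chen"><w:r><w:delText>Draft fee waived for Dr. Lee'
            "</w:delText></w:r></w:del></w:p></w:body></w:document>",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in parts.items():
            zf.writestr(name, text % xmlns)
    return buf.getvalue()
```

The deleted sentence does not appear when the document is read normally, yet it travels with the attachment along with the name of the person who removed it.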

18. Sending attachments: malicious software

There is another risk.  Attachments can contain viruses and other malicious software (malware).  Don't pass along files that haven't been scanned by up-to-date anti-virus software.

Malicious software cannot be embedded in plain text.  Instead of an attachment, send information as plain text whenever possible, embedded in the message itself.  This will also prevent sending sensitive hidden information by mistake.

Always include a message with your attachments.   Spammers often make up plausible sender names, and malware can take over the email of an infected system, appearing to send messages from a trusted source.  Lack of a meaningful message is a good way to spot an imposter.

19. Disclaimers and confidentiality notices

If the information in an email is confidential, many organizations require that you include an appropriate email disclaimer and confidentiality request.

Do not rely on this!  If you send email to the wrong place or forward it inappropriately some damage has already been done.  Also, the legal protection that such notices actually provide is uncertain.  It definitely won't excuse negligence.

When anything confidential is included in an email, you should always ask yourself two questions:  "Do I really need to send this information via email in the first place?"  And, if so, "Am I sending only what's needed -- the minimum necessary -- to get the task done?"

20. Priorities and receipts

Most email systems offer the ability to signal a priority to the receiver -- such as with !!!! symbols.  But many users ignore priority symbols, as well as words like URGENT and IMPORTANT in subject fields.  If it's really a high-priority message, you should consider picking up the phone.  Not everyone reads their email promptly.

Most email systems also offer the ability to get a "delivery receipt" or a "read receipt."  Again, we have bad news.  These don't always work well.  "Delivery" sometimes just means the message was relayed to the next email server computer, not that it got to its final destination.  And read receipts are sometimes blocked or unsupported by a recipient's email system.  If you really need to know what happened to a message, pick up the phone.

This point is worth reiterating.  Some people check their email very frequently -- indeed, with a smart cellphone like a Blackberry, they may be available on email virtually around the clock.  Others check email only occasionally.  Urgent messages are not suited to email, unless you are sure the recipient is in the former group.

21. Last checks and recalls

Earlier in this course we told you that the general suggestion for email is to "think before you type" and to "think again, after you type, before you click on the SEND button."  That's worth repeating.

When you're about to make that final click, ask yourself:  Are all the addresses correct?  Is all the content correct, and the language appropriate?

Remember that it is virtually impossible to get a message back.  Even if your email system has a RECALL feature, you cannot rely on it.  These usually just send another message, indicating that you want to disavow the previous one. 

It's generally better to send the corrected message with an explanation.  And much better still to get it right the first time.  Recalls only confirm that you were a careless correspondent.

To be continued....

We've covered practices for email you send in this first part of the email course.  The second part addresses practices for email you receive, and concludes with some general advice about email (and IM) use in the context of today's workplace communications options.

Don't be discouraged.  Part 2 is shorter.  

•  •  •  •  •

Help us make this course better -- take the online course evaluation. The second part of this course is here.

•  •  •  •  •

   © 2002-2006 Contributing authors and University of Miami School of Medicine