OK, maybe they aren't evil, but they are pretty scary. I arrived at work this morning after a 3-day weekend to discover that an employee had sent an e-card to lots and lots of our users. We have about 5000 employees, most of whom have an email account. The user doesn't have access to the global email group but was able to send it to a lot of people by selecting different groups that they did have access to plus individual accounts.
As I said, when I saw the e-card in my inbox and noticed that it had also gone to lots of other users, I got that sinking feeling in the pit of my stomach. My initial reaction was to send out an email to everyone telling them not to click on the link to view the card. Then I noticed that the card was sent Friday afternoon around 3:30. Too late. If this was malicious then the damage was already done. The good news was that I had not heard of anything going awry over the weekend. Of course, since lots of people cut out early on Friday, there was a good chance that this morning would be the time to fear.
Before I reacted rashly I decided to check out the link to see if it was malicious or not. I did a search on the e-card company. It was one I was not familiar with. Nothing bad came up. I then went to the site and looked around. It looked OK. Then I took the next step and put in the e-card number to view it (all of this was done in a safe environment). Whew, nothing evil appeared. It was a Thank You card for something that the company had done for her.
Of course there is a "dark" side to this. We don't state in our email policy that it is against the rules to send e-cards, but we do state that email is to be used for "business purposes". So the user did "break policy". What is really bad, though, is this:
- By doing this the user (who has a supervisory role) has told their subordinates and others that it's OK to do this, thus increasing the likelihood of others doing the same.
- By doing this they are teaching the users that clicking on an e-card that seems to come from someone you know is OK, even at work.
- By doing this they are reducing the effectiveness of company policies (unless something is done, which is out of my realm of responsibility).
The good thing is that this will give me the opportunity to ensure that this and similar issues are addressed in a way that ensures that all understand the importance of following policy and practicing safe computing. Plus it will add to my UA Training listing.