Out of Office Blues

It may be such standard practice that nobody thinks twice about it, oblivious to the risks and implications. I am referring to those seemingly harmless out-of-office notifications. Consider this (sanitized) auto-reply I recently received from a client:

"I am out of the office on a family holiday in Fiji till 6 May and have only intermittent access to my emails. Please contact my secretary, Suzie Mo directly at XX or suziemo@company.com for assistance. For urgent project-related matters, please contact my department head John Doe at XX or johndoe@company.com. For invoices and other financial matters, contact Annie Ting at XX or annieting@company.com."

Most people in the corporate world have used an out-of-office auto-reply at one point or another; I receive an avalanche of them every Christmas and holiday season. But how much information should you really reveal in these innocuous-looking messages, which are sent automatically to anyone who happens to email you, whoever they are?

I am always amazed that IT administrators and company policies do nothing to control or stop this reckless habit, which is no different from handing out flyers of personal and company data at the subway station. Whatever happened to need-to-know? It is even more disturbing to find that bankers and lawyers are among the worst offenders.

Consider how much sensitive personal and company information, including chain-of-command details, is automatically and unnecessarily revealed to the world in a reply like the one above.

Do you really need to tell anyone and everyone why you are out of the office, for how long, and exactly where you are? That also implicitly says that you (and, in the case above, your family) are not at home. Combined with what people post on social media sites like Facebook and Twitter, it amounts to advertising an empty house to burglars.

The chain-of-command details and their accompanying contact coordinates are an open invitation to social engineering and targeted cyber attacks on the company. Such a leak hands an attacker the names, roles, phone numbers and email addresses needed to impersonate senior staff, and paints a target on the high-ranking, high-value employees it names.

"They could [use that information] and contact a department of that company claiming to be the supervisor of that person, and they could get that person's social security number if people aren't thinking on their feet," according to security expert Andy O'Donnell in a recent article in Scientific American.

In the corporate espionage sphere, such freely given information is further ammunition for intelligence-gathering on targeted subjects.

Imagine sending a dummy email from a throwaway account (and, to be absolutely safe, from a disguised source IP address) to someone who is on holiday, and being promptly rewarded with an out-of-office response like the one above. Sent to a list of harvested company addresses, a single such probe maps out who is away, until when, and who is deputising for them. It saves the sleuths a great deal of legwork.

Telemarketers sending cold-call emails would also benefit from the windfall of extra data, and I assume hackers scouting for victims and zeroing in on targeted prey would be just as gleefully grateful.

One obvious way to remove the risk is to stop using auto-replies altogether. Failing that, configure separate out-of-office notifications for senders inside and outside the company, so that outsiders see only a minimal reply (or none at all) while colleagues still learn who is covering for you.

Even if you keep using auto-replies, there is no need to reveal excessive information in them. Be intentionally vague: say you are not immediately available and will respond in due course. There is no need to explain why you are out of the office, where you are, when you will be back, whom one should contact instead, or what their contact details are.
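To make the two preceding points concrete, here is an added example that is not from the column or its author: an Exchange PowerShell script, assuming an existing session to Exchange Online (via Connect-ExchangeOnline) or on-premises Exchange. It sets a split internal/external auto-reply for one mailbox, restricts the external reply to known contacts, and then audits every mailbox whose external reply still leaks contact details. The mailbox name, dates, addresses and regular expressions are hypothetical placeholders.

```powershell
# Added example (not from the column): assumes an Exchange PowerShell session.
# Mailbox name, dates and addresses below are hypothetical placeholders.

$mailbox = 'alice.chan@example.com'   # hypothetical user

# Colleagues may see who is covering; the outside world gets a vague reply.
$internal = @"
I am away from the office until 6 May with limited access to email.
For urgent matters please contact the project desk at project-desk@example.com.
"@
$external = @"
Thank you for your message. I am currently not available and will reply as soon as I can.
"@

# Scheduled: the reply is only sent between StartTime and EndTime.
# ExternalAudience 'Known' limits the external reply to senders already in the
# user's contacts; 'None' suppresses it entirely. Either way, strangers learn nothing.
Set-MailboxAutoReplyConfiguration -Identity $mailbox `
    -AutoReplyState Scheduled `
    -StartTime (Get-Date '2024-04-29') -EndTime (Get-Date '2024-05-06') `
    -InternalMessage $internal `
    -ExternalMessage $external `
    -ExternalAudience Known

# Audit: list every mailbox whose external auto-reply hands out contact details.
# Patterns are deliberately broad: e-mail addresses, phone-number-like digit runs,
# and the hand-off language that usually precedes a named colleague.
$leakPatterns = @(
    '[\w.+-]+@[\w-]+\.[\w.]+',                                        # e-mail address
    '(\+?\d[\d\s().-]{6,}\d)',                                        # phone number
    '\b(contact|reach|call|secretary|assistant|department head)\b'    # hand-off language
)

Get-Mailbox -ResultSize Unlimited |
    Get-MailboxAutoReplyConfiguration |
    Where-Object { $_.AutoReplyState -ne 'Disabled' -and $_.ExternalAudience -ne 'None' } |
    ForEach-Object {
        $text = $_.ExternalMessage -replace '<[^>]+>', ''   # strip HTML added by the client
        $hits = $leakPatterns | Where-Object { $text -match $_ }
        if ($hits) {
            [pscustomobject]@{
                Mailbox  = $_.Identity
                Audience = $_.ExternalAudience
                Findings = ($hits -join '; ')
            }
        }
    } | Format-Table -AutoSize
```

The audit only inspects the external message, since internal replies are delivered to colleagues who legitimately need the hand-off details; an administrator can run it before each holiday season and follow up with the mailboxes it lists.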

And let's not forget the many people who are unintentionally making the job of identity thieves a lot easier these days. I heard recently about an investment banker who mindlessly uploaded to Facebook one of his electricity bills, which was full of personal information. It is the kind of information that could lead to your bank account, or your home, being cleaned out.

I cannot help criticizing users of social media sites. Birthdates, the names of siblings and parents, hometowns, educational history and the like are sensitive personal data, yet some people post them on their profiles. It may be nice to share your background with online pals, but in light of the recent surge in corporate espionage and cyber theft, the cost-benefit ratio needs to be re-examined.

Put it this way: if you weren't prepared to reveal such information to a live audience, why would you upload it for the whole world to see, especially when the latter leaves a permanent mark in cyberspace?

Furthermore, most people in the corporate world can be reached 24/7 on their BlackBerrys or smartphones. Why use out-of-office notifications in the first place?

(Vanson Soo runs an independent business intelligence and commercial investigations practice specialized in the Greater China region. Blog: http://vansonsoo.com A version of this appeared in The Standard of Hong Kong)