back to article When selling security awareness training by email, probably a good shout not to hit 'reply all'

Oh the irony. A channel account rep trying to drum up business for security awareness training scored an own goal this week when he pressed the send to all option on an email to prospective clients. The rep, Charlie Hollinrake, works for KnowBe4, which describes itself as the "world's most popular integrated Security Awareness …

  1. Halfmad

    Holland was clearly making a point..

    and I'm glad he did as otherwise everyone else would have been itching to do it anyway. However one of the problems we have with modern e-mail clients and e-mail on the web is that BCC is increasingly hidden away to keep the interface clean, so even when staff know what it is they can't always figure out how to get access to it.

    1. Steve K

      Re: Holland was clearly making a point..

      Could you mitigate this with an application-level security setting/GPO (on by default?) to BCC for corporate email clients so that you have to actively move addresses to the TO/CC field if that's really your intention.

      It would not make it fool-proof (particularly if the addresses are in a Distribution List like "Conference Follow-up Contacts") but would catch a lot of these gaffes before they are made.

      Steve

      1. John Robson Silver badge

        Re: Holland was clearly making a point..

        Could you mitigate this with an application-level security setting/GPO (on by default?) to BCC for corporate email clients so that you have to actively move addresses to the TO/CC field if that's really your intention.

        If sending to more than three people (or more than 1 domain) then any decent client should default to BCC - and do so visually...

        1. FrogsAndChips Silver badge

          Re: Holland was clearly making a point..

          If sending to more than three people (or more than 1 domain) then any decent client should default to BCC

          In my organization we frequently have triparty exchanges where everyone could contribute. BCC-ing everyone would just make it impossible for people to know who they need to reply to. But I agree there should be a soft or hard cap on the number of recipients, above 10 you can be almost sure that some people don't belong in a discussion.

          1. This post has been deleted by its author

          2. david 12 Silver badge

            Re: Holland was clearly making a point..

            Those users who need reply all should have the clear option of choosing it, or setting it as default. For the reset of the world, 'reply all' should default to BCC, and the target should reset to equal the sender. So that people who have mail set to hide any not-directly-addressed email don't even see it.

            And that should be the case whenever the 'reply all' list is longer than zero. Because that will make the behavior consistent, which will be helpful for people who don't really need to reply to everybody using open addressing, and also helpful for people who need to remember to choose the correct option when deliberately replying with open addressing.

            1. Michael Wojcik Silver badge

              Re: Holland was clearly making a point..

              Those users who need reply all should have the clear option of choosing it, or setting it as default.

              For many organizations, that would be "all users". The snowballing-reply-all-conversation pattern is culturally entrenched in many places.

              For the reset of the world, 'reply all' should default to BCC, and the target should reset to equal the sender.

              Then each responder ends up adding everyone back in again. That's not an improvement.

              I agree that email discussions among a dozen people are a poor way to communicate. But as I said, it's culturally entrenched in many places. Until you change the culture, there's little to be gained by changing the interface, except possibly to add confirmations with good heuristics (so users don't simply become trained to click through the confirmations).

          3. veti Silver badge

            Re: Holland was clearly making a point..

            In my organization we frequently have triparty exchanges where everyone could contribute.

            One word: wiki. Email is just a silly medium for those discussions.

          4. John Robson Silver badge

            Re: Holland was clearly making a point..

            >>If sending to more than three people (or more than 1 domain) then any decent client should default to BCC

            >In my organization we frequently have triparty exchanges where everyone could contribute.

            That's fine - three people in the same organisation wouldn't even trip my filter.

            BUT if you sent it to ten people, then you would have to tell it that you really wanted it to be clear to all.

            IF you sent it to multiple external domains then you would have to tell it that you really wanted it to a screwup.

            Maybe three is a bit tight for some organisations, I'm only suggesting a default.

        2. Flywheel
          Facepalm

          Re: Holland was clearly making a point..

          any decent client should default to BCC - and do so visually

          Aha! That sounds like a job for Clippy. "It looks like your making a f*ckup - would you like some help with that?".

    2. Dan 55 Silver badge

      Re: Holland was clearly making a point..

      You wouldn't happen to be talking about that intuitive UI widget, the ribbon, being used to enable options that are hidden just to save one row further down, would you?

    3. Hans Neeson-Bumpsadese Silver badge

      Re: Holland was clearly making a point..

      Holland was clearly making a point..

      and I'm glad he did as otherwise everyone else would have been itching to do it anyway.

      Agreed - I would have done the same thing.

      And, depending on what sort of mood I was in, I might also have cc'ed a copy to the ICO

      1. FrogsAndChips Silver badge

        Re: Holland was clearly making a point..

        He could (and maybe he did?) have replied all but moved everyone except the original sender to Bcc, thus doing his best to avoid reply-to-all-geddon. That's how you make a point and show how it's done.

        1. GnuTzu
          Thumb Up

          Re: Holland was clearly making a point.. -- Button, Button

          "...but moved everyone except the original sender to Bcc"

          Ohhhhhh, I definitely want a button for that.

          I'd make one--if only VBA were not one of the most horrendously dangerous features of Outlook (and Word, and Excel, and...).

          BTW, voted up this entire chain of comments. Email interfaces need to be designed for safety and not enable, even foster, impulsively dangerous behavior. I'm sure many of us have fallen pitfall at one time or another despite reasonable levels of vigilance--the very reason I've so pissed off that UI designers need some training in social engineering. Imagine how dangerous it is for those with no restraint what-so-ever.

    4. Doctor Syntax Silver badge

      Re: Holland was clearly making a point..

      No, just asking all the others to remove him from their recently acquired mailing list.

  2. tiggity Silver badge

    non BCC - the gift that keeps on giving

    But even better from a security snakeoil company

    Depending what they are using for emails, set up some rules to prevent this. If the email solution dos not allow mail server (be it on prem / cloud) to be configured this way then find a solution that does...

    Alternative is mail client that plays safely (but want server solution as nothing to stop someone using alternative email client and circumventing client based bcc enforcement)

    If a user can accidentally cc in a list, sooner or later they will (even the dedicated, competent and careful can mis-send after a long & stressful day) so it needs to be set up to not leave the mail server.

    1. Michael Wojcik Silver badge

      Re: non BCC - the gift that keeps on giving

      I wouldn't call KnowBe4 "a security snakeoil company". While they're heavy on the self-promotion (but then you can unsubscribe), they provide a reasonably competent version of a couple of useful services: phish testing and employee email-security training. Those do seem to be productive, and contracting with a vendor like KB4 is generally cheaper and less hassle than developing them in-house.

      It's not like KB4 are peddling magic encryption or the like.

      And while this incident provides a rich vein of schadenfreude, it doesn't really reflect on the quality of KB4's offerings. For one thing, Reply-All misuse isn't one of the main vectors their training targets, as far as I remember; and for another, they don't promise they can train all your employees to perfection, so it's not reasonable to expect perfection from theirs, either.

  3. fnusnu

    Bit rich of El Reg to have a pop seeing as radarone.co.uk (whose security whitepapers they flog) had an expired certificate when I went to their site a couple of weeks ago...

  4. julian_n

    I would start by pointing the finger at Office 365.

    It's default reply is reply all, not reply - along with a whole load of other nasties!

    1. DJV Silver badge
      Trollface

      Nasties?

      Shirley, you mean "features" in MS parlance. At least with Office 363.5 there's a good chance your non-BCC, Reply All email will fail to go out because Office 362.4 happens to have just had one of its regular TITSUP sessions.

    2. FrogsAndChips Silver badge

      That's true for O365 webmail (and can be changed in a single click). In Outlook the Reply and Reply-All buttons are the same size, Ctrl-R is just Reply, you need Ctrl-Shift-R for Reply-All.

      Actually 95% or so of my replies are Reply-All, so I wouldn't mind it being the default. I just happen to know when I'd better do a simple Reply and when I should put recipients in Bcc (rarely, as part of my job).

      But sure, let's blame the tool rather than the users who still can't grasp a few simple concepts 20+ years after the email entered our daily lives.

  5. Anonymous Coward
    Anonymous Coward

    Crying here...

    We have just experienced a ReplytoAll-a-thon which is made all the more depressing as the addressee list was some large IT groups...even the people shouting 'Please stop using Reply to All' used that very Reply to All function without moving the names to bcc

    Time to switch careers to street-sweeper...just as endless a task but at least you get some fresh air

  6. not.known@this.address
    Facepalm

    They let him loose on customers BEFORE his own training?

    Barn door, meet horse... oh, too late.

    1. Valeyard

      Re: They let him loose on customers BEFORE his own training?

      BEFORE his own training?

      ahh i see you fell for that one. There was never going to be any security training for new sales droids...

      1. Doctor Syntax Silver badge

        Re: They let him loose on customers BEFORE his own training?

        "There was never going to be any security training for new sales droids."

        It wouldn't have made a difference - in one ear, out the other. As I've said before, having been on a training course doesn't mean trained.

  7. mikeymac

    IBM did this for subscribers to their Storage Insights platform a few months back. Hilarity ensued!

  8. Anonymous Coward
    Anonymous Coward

    Cold calls from security companies are always the best.

    It's a shit job cold calling people to sell them stuff so I always feel a pang of sympathy for them, but when they call me up asking about my security systems it makes it so much easier: "if you really were a company that deals with security you'd know I won't discuss that on the phone with someone I don't know. Sorry, byeee."

    1. Doctor Syntax Silver badge

      Re: Cold calls from security companies are always the best.

      But if you fall for it it gives them something to follow up on.

  9. Anonymous Coward
    Anonymous Coward

    GDPR?

    An Interesting thought, but is this not a breach of GDPR? After all you have publically identifie someone by name and workplace from a database (mail list) that is under your control.

  10. Anonymous Coward
    Anonymous Coward

    Pretty common

    I've seen bigger vendors make this same mistake: IBM, to name one. The New York State security notification list I'm on has made this same gaffe multiple times in the last 6 months. I have the email thread where they promise it won't happen again and then include the multiple emails from them where it did shortly after that...

  11. Will Godfrey Silver badge
    Angel

    Predicatable

    ... but not a problem I'll ever have. My email client simply doesn't have a 'reply all' feature, and was chosen with that very much in mind.

    OK, so I'm not a business with thousands of clients, but even so, by now there should be a separate system in commercial products specifically for sending bulk messages where and when wanted.

    P·S. I was going to say 'needed' but that's debatable anyway - needed by whom?

  12. ICPurvis47
    Boffin

    Reply to All button

    It is simple in the extreme to remove the Reply to All button from Outlook Express, simply right click on the blank portion of the toolbar, click on Customize, scroll down the list at the right hand side and highlight reply to All. Click on Remove and Close, and voila! no more reply to All button in the toolbar. Did this years ago on every computer I have come into contact with that used OE of any version.

    1. FastOlly

      Re: Reply to All button

      Outlook Express? Hello! 1998 called...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like