Allow Lists and Aligned Communications – Why CIOs Can’t Turn a Blind Eye to Companies That Want to Send All Emails Without Security
Healthcare IT Today
One of the calls a CISO hates getting is the one from an internal customer who has just received documentation from a vendor they have contracted with, asking that every email from the vendor's domain be added to an allow list so that none of it ends up in the spam folder. We dislike these calls because we have invested significantly in email protection, and a significant share of phishing, Business Email Compromise, and malware emails come from systems that have no email security controls or are set to bypass them.
Asking us to remove protection for a domain is asking us to open an avenue through which phishing emails from that domain can put the entire network at risk. Many of us discuss disciplining team members who click on the links in phishing email tests. However, we do not hold accountable the team members who bring in third parties to send bulk messages to the workforce that bypass security controls. These messages often contain links to click that go to web sites indistinguishable from real phishing sites. This is an incongruence we also have to address.
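To make concrete why "let everything from that domain through" is a bypass rather than a safe exception, here is an added example (not from the article or the vendor's documentation). It contrasts the rule vendors typically ask for, an allow list keyed on the visible From: domain, with one that only honors the allow list when the same domain actually authenticated (SPF or DKIM pass with DMARC-style strict alignment), as recorded in the receiving mail server's Authentication-Results header (RFC 8601). The domains vendor.example, attacker.example and hospital.example and the three messages are constructed for illustration.

```python
"""Allow-list keyed on the From: header versus allow-list keyed on the authenticated domain.

Added example; not code from the article. Assumes the receiving MTA stamps an
RFC 8601 Authentication-Results header (authserv-id mx.hospital.example) and,
per RFC 8601 section 5, strips any copies of that header arriving from outside
before filtering runs, so the header below can be trusted.
"""
import email
import re
from email.utils import parseaddr

# Hypothetical vendor domain the business asked us to allow-list.
ALLOW_LISTED_DOMAINS = {"vendor.example"}


def parse(raw):
    """Parse a raw RFC 5322 message into an email.message.Message."""
    return email.message_from_string(raw)


def header_from_domain(msg):
    """Domain in the visible From: header, the part the recipient sees and a spoofer controls."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def authenticated_domains(msg):
    """Domains that passed SPF or DKIM according to Authentication-Results.

    Each ';'-separated clause after the authserv-id is inspected; only
    spf=pass (smtp.mailfrom=) and dkim=pass (header.d= or header.i=@) count.
    """
    domains = set()
    for ar in msg.get_all("Authentication-Results", []):
        for clause in ar.split(";")[1:]:  # element 0 is the authserv-id
            clause = clause.strip()
            if re.match(r"spf=pass\b", clause, re.I):
                m = re.search(r"smtp\.mailfrom=(?:[^@\s]+@)?([^\s]+)", clause, re.I)
            elif re.match(r"dkim=pass\b", clause, re.I):
                m = re.search(r"header\.(?:d=|i=@)([^\s]+)", clause, re.I)
            else:
                m = None
            if m:
                domains.add(m.group(1).lower())
    return domains


def naive_allow(msg):
    """The rule the vendor asked for: trust anything whose From: domain is listed."""
    return header_from_domain(msg) in ALLOW_LISTED_DOMAINS


def aligned_allow(msg):
    """Trust only when the From: domain is listed AND that same domain authenticated.

    Strict alignment for simplicity; DMARC relaxed alignment would also accept
    an organizational-domain match.
    """
    d = header_from_domain(msg)
    return d in ALLOW_LISTED_DOMAINS and d in authenticated_domains(msg)


# Constructed sample messages (headers kept on single lines to avoid folding).
LEGIT = """\
Authentication-Results: mx.hospital.example; spf=pass smtp.mailfrom=bounce@vendor.example; dkim=pass header.d=vendor.example
From: Vendor Notices <notices@vendor.example>
To: staff@hospital.example
Subject: Your monthly training module is ready

Please log in to complete your module.
"""

# Direct spoof: attacker puts the vendor's domain in From: and MAIL FROM; nothing authenticates.
SPOOFED = """\
Authentication-Results: mx.hospital.example; spf=fail smtp.mailfrom=vendor.example; dkim=none
From: Vendor Notices <notices@vendor.example>
To: staff@hospital.example
Subject: Urgent: re-validate your credentials

Click here to confirm your account.
"""

# Unaligned spoof: attacker's own domain authenticates fine, but From: still claims the vendor.
UNALIGNED = """\
Authentication-Results: mx.hospital.example; spf=pass smtp.mailfrom=bulk@attacker.example; dkim=pass header.d=attacker.example
From: Vendor Notices <notices@vendor.example>
To: staff@hospital.example
Subject: Action required on your benefits enrollment

Open the attached form and sign in.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED), ("unaligned", UNALIGNED)):
        msg = parse(raw)
        print(f"{name:10} naive_allow={naive_allow(msg)!s:5} aligned_allow={aligned_allow(msg)}")
```

All three messages sail through the naive rule, which is exactly what the vendor's "allow everything from our domain" request asks for. Only the legitimate one passes the aligned rule; the other two fail because the domain that authenticated is not the domain shown to the reader. If a vendor cannot send mail that passes SPF or DKIM for the domain it displays, the right fix is on their side, not an allow-list entry on yours.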
Any message that comes from...