Desk is cleared off. Mug is washed and dried. Email inbox is at zero. You’re going to be away from the office for a conference or holidays for a few days. You’ll need a way to communicate that you are unavailable. You go into your email program and activate the out-of-office reply, just like millions of others do on a daily basis. But this simple function can have far-reaching consequences you might not expect. Let’s take a look!
So you’re going to be away from the office.
Of course, you need to let colleagues, customers, vendors and even friends and acquaintances know you’re skiing in the Alps on holidays or attending a business conference, and how soon you’ll be able to respond to their message.
Right? That is the responsible thing for a professional to do. But lots of people go further.
You want to make sure people are taken care of in your absence. So your auto-reply also shares how long you’ll be away and when you plan to return to the office.
Since you either cannot or will not want to respond to emails while you’re away, you add a way for people to contact you in an emergency, often your mobile number. More likely than not, you also include your boss’s or colleague’s name and contact information.
The road to hacking is paved with good intentions!
That’s a lot of information in a simple out-of-office reply. Too much information, according to cybersecurity experts.
These experts warn that we give out far too much detail in our out-of-office reply messages. This can cause safety issues for individuals and organizations. Out-of-office information can be particularly valuable to black-hat hackers and scammers, who want to perform social-engineering attacks on companies. Social engineering is an attack vector that relies on human interaction and involves tricking people into sharing more information than they usually would. Appeals to vanity, authority and greed are often used in social engineering attacks. Many social engineering exploits rely solely on people’s willingness to be helpful. An example of social engineering is a hacker sending an email to an employee saying they urgently need specific information.
With a standard out-of-office reply, you just made it very easy for social engineering hacks to take place. With no real effort, the spammer now knows essential information about you and the company. Additionally, you have just shown spammers that your email address is valid, which opens another avenue for them to blanket your organization’s servers with useless and harmful email traffic.
Automatic replies don’t need to be your automatic strategy.
Choosing not to use an out-of-office reply is an option. Is this heretical to even contemplate? Maybe. But in some circumstances, you don’t need an auto-reply at all.
If you’re checking emails, voice mail and text messages when you are out of the office, for instance if you are away at a conference, an auto-reply may be redundant. Similarly, if you are in sales and spend most of your time out of the office, do you need an out-of-office reply when everyone assumes that you’re on the road visiting clients and vendors? Most likely not.
If you don’t want to use auto-reply, but you can’t just leave your inbox unmanaged either, you can delegate a co-worker or assistant to check your emails. This may be hard for many professionals to do, but it works! Give your chosen substitute the authority to respond on your behalf, manage and delegate to others, and delete spam and irrelevant emails. To keep you in the loop, they should set up folders within your email client named Follow Up When Back and Dealt With.
Of course, I’m referring to professional situations. If you are away on holidays, or because of the birth of a child or a prolonged illness, then a simple response is warranted since you won’t be checking emails and you won’t be back to deal with them soon. In case of emergency, your colleagues will know how to get in touch with you.
Sometimes, though, auto-reply can’t be avoided. In those cases…
Put systems in place to guide you.
Every organization should have a security policy that includes rules about what information should and shouldn’t be disclosed in an out-of-office reply. For instance, you may be required not to reveal your chain of command or give out a personal mobile number.
Follow the corporate guidelines as a starting point. From there, you can work with your IT department to set up your email client to send two different messages. Create one message for internal email addresses that provides more specific information, and a second one that sends a less detailed reply to external email addresses such as those of clients and vendors.
That second message should be intentionally vague. The rule of thumb is if you wouldn’t share this information with a stranger on the train, then don’t put it in an out-of-office reply. Simply say you are unavailable at the moment but will reply soon.
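One way to check an external auto-reply draft against the disclosure rules described above (return dates, mobile numbers, chain of command) and to model the two-message setup, as an added example that is not part of the original article. The patterns, function names and sample messages are constructed assumptions, not a complete policy.

```python
import re

MONTH = r"(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*"

# Heuristic patterns (assumptions for illustration, not a complete policy) for
# details the article advises keeping out of the external message.
CHECKS = {
    "phone_number": re.compile(r"(?<!\w)\+?\d[\d\s().-]{7,}\d"),
    "email_address": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "return_date": re.compile(
        rf"\b(?:\d{{1,2}}/\d{{1,2}}(?:/\d{{2,4}})?|{MONTH}\s+\d{{1,2}}"
        rf"|\d{{1,2}}(?:st|nd|rd|th)?\s+{MONTH})\b", re.I),
    "chain_of_command": re.compile(r"\b(?:manager|boss|supervisor|director)\b", re.I),
    "whereabouts": re.compile(r"\bon (?:holidays?|vacation|leave)\b|\bconference\b", re.I),
}

def audit_external_reply(text):
    """Return {category: [matched text, ...]} for every detail that should be cut."""
    findings = {}
    for name, pattern in CHECKS.items():
        hits = [m.group(0) for m in pattern.finditer(text)]
        if hits:
            findings[name] = hits
    return findings

def choose_reply(sender, internal_domains, internal_msg, external_msg):
    """Pick the detailed reply only for senders in the organization's own domains.
    A mail platform makes this decision itself; this only models the two-message idea."""
    domain = sender.rsplit("@", 1)[-1].lower()
    return internal_msg if domain in internal_domains else external_msg

# Constructed sample messages.
DETAILED = ("I am on holidays in the Alps until April 30. In an emergency call my "
            "mobile +1 555 010 0199 or contact my manager Jane Doe at jane.doe@example.com.")
VAGUE = "Thank you for your message. I am unavailable at the moment but will reply soon."

if __name__ == "__main__":
    for label, draft in (("detailed", DETAILED), ("vague", VAGUE)):
        print(label, "->", audit_external_reply(draft) or "nothing to remove")
    print(choose_reply("client@example.net", {"example.com"}, DETAILED, VAGUE))
```

A draft that produces any finding belongs in the internal message at most; the external one should come back empty.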
Out-of-office reply defines the 1990s while IM/chat is the 2000s
While you are deciding whether or not to use the out-of-office reply, don’t forget that in addition to email, many employees use collaboration tools with IM/chat functionality on their smartphones. That doesn’t mean out-of-office replies have become less important; they are still a good tool for interacting with those who prefer email as their communication channel. It just means that with today’s global communications technology, no one is entirely off the clock when it comes to work. Of course, staff can switch the settings to “invisible” on IM/chat apps, thus not accepting contact. But having access to IM/chat apps allows the office to get in touch quickly in case of an emergency. You might want to keep these apps for office use only and not share them publicly in your out-of-office reply, as a way to keep work from creeping into a holiday.
Out-of-office replies are best when used sparingly and carefully. Take the time to develop a system for deciding when an out-of-office reply is needed and how best to compose one. That way, you can enjoy your holiday or professional outing stress-free and without compromising your organization’s security.
Latest posts by Anne Marie Van Den Hurk
- To Out-of-Office Reply or Not to Out-of-Office Reply - April 23, 2018