We have all done it.

Who has not sent authentication credentials over an insecure channel in lieu of a doing it properly via a secure out-of-bounds circuit? With a high degree of certainty, just about everyone who reads this has done it at least one throughout their career.

Often, this decision is rationalized via a partial (often skewed) implicit risk assessment that probably looked somewhere along the lines: "The chance that someone intercepts this message, AND that the recipient does not change his password in a timely fashion to a properly complex pass phrase is low enough that we can do it this time". And the next time, and the next time, ad infinitum.



Rebecca Herold wrote a post on this topic, and nails it on the head:

Your organization is ultimately responsible for the appropriate
safeguarding of all PII you collect, process, store, and otherwise
handle. Even if your customers tell your employees it is okay to send
them clear-text PII in email, IMs, or even text messages, it is not
okay if you have a policy that says it must not be done.

What
she is really saying is that it is not the individual's decision to
make. When working for an organization, you must practice due care and
due diligence. Since the organization you work for is responsible for the actions you take, you can bet that the organization you work for will extend that liability right back to you.


Security policies are there for a purpose; hopefully
they were written by people who know what they are doing and who have a
clear understanding of the organization's exposure and willingness to accept residual risk in information security.

Do not fall for the (all too common trap) that lurks when you work
in operations; senior management might not always know better, but they
are the ones who are in charge and who are responsible in the end.