Avoid a False Sense of Email Security

Email is not secure. Unless you explicitly encrypt your email message and attachments, the content of your email will bounce across servers and the Internet unencrypted, and in readable text.
Most people have a false sense of security when it comes to email. It is common for emails containing sensitive information to be quickly drafted and sent to the destination address. It helps to think of an unencrypted email as a postcard sent through the postal mail: each letter carrier can potentially read its contents. With email the same basic concept applies, because the message, once sent and received, is likely to exist on at least two email servers, the origin and the destination, after passing through multiple network segments that could be prone to network sniffing.
What Sensitive Information?
In the context of what would be considered sensitive in an email, and knowing that this definition can be interpreted differently for various purposes, here are a few things to consider.
- Social Security Number - Simply put, don’t put this in an email. Find a better and secure way to communicate the information.
- Passwords
- Financial Account Numbers - When communicating on financial matters, avoid the temptation to use email as a means of relaying Account Numbers.
- Sensitive Personal Information - This varies, but to give a brief example, sending medical record information by email exposes a risk.
- Confidential Business Data - A government or business entity dealing with confidential and secret information would likely avoid using email for classified information.
Who is Responsible and What Can Be Done?
“53% of all executives and messaging professionals surveyed indicated that they feel their IT department is the primary department responsible for communications security and compliance. Only 18% of survey participants felt that security and compliance accountability rests equally with IT as well as end-users.” (2008 Annual Google Communication Intelligence Report, February 2008)
The statistics Google shared in its Intelligence Report favor the view that the IT professional is expected to play a strong part in mitigating risk for an organization, by ensuring the proper system is in place to handle sensitive email messaging. The complex job of doing this is often done with complicated email gateways. These are typically host-it-yourself solutions that handle the content rules and disclaimers on an in-house server. Of course, Google, with its Google Message Security offering (a re-branding of Postini), would like to see organizations outsource these complex systems in favor of the Software-as-a-Service (SaaS) model.
Business entities need to weigh the pros and cons of approaching a SaaS model, asking questions such as: Do we trust this vendor to handle our sensitive information? From a compliance and legal viewpoint, and by plain ethical logic anyway, the best way to protect your information is to do it yourself. This often comes with a price attached, as host-it-yourself solutions obviously carry a higher overhead and require more time and resources. In the end, depending on the sensitivity and demand, this may be the only solution.
Begin Increasing Email Security Now
Email encryption is mature and offers a plethora of options and methods to achieve relatively “safe” email messaging. Besides the SaaS model, a company will benefit from looking at ways to achieve this with the software it already uses daily. Microsoft Outlook has built-in email encryption capabilities that make use of Public Key Infrastructure (PKI) technology. Mozilla Thunderbird has Enigmail, to utilize OpenPGP encryption. Encrypting a file before attaching it to an email can easily be achieved using public keys and OpenPGP encryption. For useful command line capability look to GnuPG; for a useful GUI in a Windows environment, try Gpg4Win. PGP Corporation has enterprise software that can be deployed throughout a firm to utilize PGP encryption on a larger scale.
Although these are not the only options to encrypt email messages and attachments, they are the basic “standards”.
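As an added illustration (not part of the original article or of any of the products named above), here is the encrypt-before-attaching workflow with the GnuPG command line, scripted for POSIX sh. It assumes GnuPG 2.x is installed; the key name alice@example.invalid, the file names and the account number are constructed placeholders, and the throwaway key pair stands in for a real recipient's imported public key.

```shell
#!/bin/sh
# Added example: encrypt a file to a recipient's OpenPGP public key before
# attaching it, then verify the round trip. Assumes GnuPG 2.x. The key,
# file names and account number are constructed placeholders.
set -eu

# gpg_encrypt_for_attachment IN OUT RECIPIENT
# Writes an ASCII-armored .asc file that can be attached to a mail; the
# original stays on disk in the clear, so only the .asc leaves the machine.
gpg_encrypt_for_attachment() {
    gpg --batch --yes --armor --trust-model always \
        --recipient "$3" --output "$2" --encrypt "$1"
}

# demo_roundtrip: generate an ephemeral key pair in a throwaway keyring,
# encrypt a constructed file, confirm the ciphertext leaks nothing, then
# decrypt and compare. Returns 0 on success, 1 on mismatch, 2 without gpg.
demo_roundtrip() {
    command -v gpg >/dev/null 2>&1 || return 2
    work=$(mktemp -d)
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    # Unattended, passphrase-less key: demo only. A real recipient's key
    # would be imported with 'gpg --import', never generated on their behalf.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "Alice <alice@example.invalid>" default default never
    # Constructed sensitive content of the kind to keep out of clear-text mail.
    printf 'Account number: 1234567890\n' > "$work/statement.txt"
    gpg_encrypt_for_attachment "$work/statement.txt" \
        "$work/statement.txt.asc" alice@example.invalid
    # The attachment must not contain the account number in readable form.
    if grep -q 1234567890 "$work/statement.txt.asc"; then return 1; fi
    # Only the holder of the private key recovers the original.
    gpg --batch --quiet --decrypt --output "$work/recovered.txt" \
        "$work/statement.txt.asc"
    cmp -s "$work/statement.txt" "$work/recovered.txt" || return 1
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    return 0
}

# Run the demonstration; prints nothing if gpg is missing or a check fails.
demo_roundtrip && echo "encrypted attachment round trip: ok"
```

Only the .asc file is attached to the message; the recipient decrypts it with their own private key, and anyone reading the mail in transit or on either server sees only the armored ciphertext.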
What Does the Future Hold?
It will be interesting to see what the future holds for email in general. Will it be used in 5 years the same way we all use it now? Likely not. As for the focus of this article, email security, the good news is that organizations are beginning to see the light on taking email security seriously. Government regulations and laws, as described in a Postini-sponsored research document available here (.PDF), will keep businesses in check. On the other hand, email is still abused and exploited daily. Creative but firm policies are needed by organizations to keep their employees on top of the dos and don'ts of the email lifestyle, while IT professionals keep doing their job fighting the good fight.

3 comments
You’re dead on about the risks and the postcard analogy is very popular. I think that we sometimes forget about the risks to our personal security and that many email encryption providers are targeted towards business users exclusively.
We’re working on our own technology for easy to use email encryption accessible to everyone, free. You may want to check it out sometime at http://www.trustmesecurity.com
Use of Identity Based Encryption is on the rise and should also be considered. There are web services based on this technology such as the Voltage Security Network
http://vsn.voltage.com
This type of service doesn’t store any messages. It just manages the encryption and keys for you.
You are correct, running your own email server is more secure but only if you have the resources (mostly technical) to do it well. Otherwise, you are better off outsourcing to a company that specializes in secure email hosting. A partial list of such companies can be found at http://www.novo-ordo.com along with more information on the topic of email privacy.