Email (In)Security or Why Normal Emails are Like Postcards

In this article I’m going to talk about why you should never use normal email for sending sensitive information, especially to recipients outside of your organisation.

Email Isn’t Secure

The reason for this is quite simple. Email, by default, is not a secure method of communication.

A standard email is essentially the same as using a postcard. If you imagine sending a postcard then you know that anyone who sees the card can also read the information you have written on it.

When you send an email, anyone or anything that is between you as the sender and the intended recipient can read the content of your message including any attachments.

Might as Well Use a Postcard

In the same way that a postcard sent from Greece to someone in the UK is handled by many people and systems, so is an email you send or receive to or from external sources.

Your postcard will be handled by lots of people and systems, from postal workers collecting and delivering the postcard, to all the sorting offices, airmail and transportation systems that move it between sender and recipient.

This is exactly how email works. After you have written your content and clicked send, it too goes through many different systems before it reaches the recipient.

The difference is that, due to the way the internet works, you have virtually no control over how or where it goes, meaning it could go through lots of unknown and potentially hostile systems before it gets to where it’s going.  And any one of these systems might take a copy or have a look at the content before passing it on to the next system.
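The systems a message passed through can be seen in the Received headers of the delivered email. The following is an added example, not part of the original article: it parses a constructed message (all hostnames, addresses and dates are made up) and reports each hop and whether it used TLS, based on the RFC 3848 "with" protocol keywords.

```python
import re
from email import message_from_string

# Constructed sample message: hostnames, addresses and dates are made up.
RAW = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])
\tby mailstore.recipient.example with ESMTPS id c3;
\tMon, 01 Jan 2024 10:00:05 +0000
Received: from relay.transit.example (relay.transit.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id b2;
\tMon, 01 Jan 2024 10:00:03 +0000
Received: from laptop.sender.example (laptop.sender.example [192.0.2.10])
\tby relay.transit.example with ESMTPSA id a1;
\tMon, 01 Jan 2024 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: Holiday plans

Greetings from Greece!
"""

# RFC 3848 "with" keywords that indicate the hop was carried over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S | re.I)

def relay_path(raw):
    """Return hops in delivery order as (from_host, by_host, protocol, tls)."""
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its own header, so reverse to get sending order.
    # Headers written by systems you do not control can be forged.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)
        if m:
            proto = m.group(3).rstrip(";").upper()
            hops.append((m.group(1), m.group(2), proto, proto in TLS_PROTOCOLS))
    return hops

def unencrypted_hops(raw):
    """Hops where the message crossed the network without TLS."""
    return [hop for hop in relay_path(raw) if not hop[3]]

if __name__ == "__main__":
    # TLS protects only the link; every relay listed still handles the plain text.
    for src, dst, proto, tls in relay_path(RAW):
        print(f"{src} -> {dst} via {proto} ({'TLS' if tls else 'no TLS'})")
```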

So before you send an email containing sensitive information, just stop and think – would you write what you’re sending on a postcard?

If you want to send sensitive information and have to use email, there are ways and means of doing so; it just takes more effort and consideration.

You Need to Encrypt Sensitive Information

The simplest way is to use some basic form of encryption. What this means is that you scramble the content of your message so that only you and the intended recipient can read it. Even if others en route can see the message, who it is from and who it is to, they can’t actually read the content.

It’s the equivalent of sending your information in a sealed envelope instead of on a postcard.

Option 1: Message Encryption

To do this, however, you must have the right technical solutions in place to enable the functionality and support the production, management and distribution of digital signatures. If they aren’t in place then you can’t wrap your emails in an envelope.

I recommend speaking to your IT Support Team to discuss the setup and use of email encryption. They should be able to facilitate this functionality and provide you with the tools and email client add-ons to enable you to send and receive encrypted emails.

In addition, they should also ensure you are using Transport Layer Security (TLS) to access your email server from all your devices. If this isn’t enabled and configured, then all of the communications between your device and the email server can potentially be intercepted, including usernames and passwords.

Which leads us to the final option of packaging up your sensitive information before you send it.

Option 2: Attachment Encryption

You can place your sensitive information in an attachment such as a document or spreadsheet. Then, before you attach the document, use a tool such as Zip, WinZip or 7-Zip to create an encrypted archive that encapsulates the attachment, setting a strong, memorable password that allows access to the zip archive.

Once you have created the encrypted archive, attach it as normal to your email and send to the recipient.

Obviously, you will need to provide the intended recipient with the password. This should be done “out of band”, via a phone call, a text message or some other means NOT using email.  Certainly DO NOT include the password in the email with the attachment!

For more information on email security visit www.SecureThinking.Academy
