For years I’ve understood that email generally is not secure, and I’ve done my part to make it secure for Fluid and our clients – but a recent series of events opened up an entirely new challenge that I never saw coming.
Email, By Default, Is NOT Secure
Some people know this, but many more still don’t: Email is not a secure way to send and receive information, unless you take specific actions to make it more secure.
When you send information in an email, the contents of that email are wide open for anyone to see as it travels the Internet maze of information highways. This holds true for attachments sent along with email too; even PDF files with passwords are not completely secure.
This becomes very real and very scary when you consider how many people and companies actually use email as their file-sharing tool. These folks send attached documents with private information, social security numbers, credit card information, financial spreadsheets and even proprietary intellectual property. Even today with all the well-publicized data-security breaches, we still see clients sending complete financials, social security numbers and credit card numbers in email.
It’s Not If but When
If you or anyone in your company uses email as described above, it is only a matter of time before it falls into the wrong hands. Of course at that point it’s too late and everyone will be scampering to find your email security policy and procedures while pointing fingers. “But it wasn’t me!” Yeah, tell that to the auditors.
Email Security Requires Layers of Solutions
So how do we handle that private information that gets haphazardly slung around the internet? The easiest and most common way is email encryption. If you have ever received an email that instructed you to go to a website, then log in with an ID and password to finally retrieve your email message, you have been on the receiving end of email encryption.
An email encryption service encrypts the message and any attachment, then checks whether the recipient is using an email service with encryption turned on. If the recipient’s encryption is turned off, the service forces the recipient to go to a secure website to retrieve the email. Financial firms often use this to send information to their clients for obvious reasons.
It may be a hassle to do all that extra clicking, but it should be worth it knowing some pimply guy in Kazakhstan isn’t draining your retirement account for his new PlayStation 4.
Email encryption is only one layer, though…
Most viruses are delivered via email!
We’ve only touched on private information, but what about viruses and other malicious “stuff” that gets delivered via email?
Get this: 20-30% of email contains viruses. Approximately 99% of computer virus infections arrive via email. By far, email is the biggest reason our clients’ systems get sick, which is why we are so diligent and passionate about email security.
The bad guys use attachments and other means to infect your machine and your company network using email because they know everyone uses it, depends on it, and worse, doesn’t take the time or have the discipline required to keep it secure. Hackers and their robots are working 24/7/365 to exploit your systems using email.
So what to do about it?
If you have ever received an invitation to a Viagra conference, or an opportunity to help a “stranded relative” in Africa by sending $10,000, you’ve experienced spam.
It’s gotten so bad that 70% of all email is now spam. Most email providers know this and provide a spam filtering service to attempt to weed out those unwanted emails. This is a never-ending cat-and-mouse game – set the spam filter too tight and you don’t receive important, legitimate emails; set it too loose and you get hundreds of spam messages a day.
Having a strong spam filter solution that can stop spam AND scan for viruses (and stop those as well) is a must in today’s world. If you’re not sure what your email provider is using, ask them.
A good spam filter service that does both spam filtering and virus scanning and detection is what we would call email defense.
So What Was the Startling Event I Didn’t See Coming?
We recently enhanced our email defense software here at Fluid to be able to scan for and automatically encrypt emails that contain things like social security numbers or credit card numbers. The idea was that our clients wouldn’t have to remember to encrypt those emails – our system would automatically do it for them.
Really cool stuff, I thought; a system that is looking out for me to keep me out of trouble. We would all love that, right? Wrong!
Houston, we have a problem!
After releasing the security enhancement to auto-discover private information and auto-encrypt emails, we found that although some of our clients didn’t like the extra steps required to open their encrypted emails, the worst part was that their customers were screaming at them.
Our clients were sending private and personal information to their customers and the customers didn’t like having to go to a separate website to open email. They demanded that this evil encryption monster be turned off.
Think about that. You are trying to protect your customers’ private information from being broadcast wide open on the World Wide Web and they don’t want any part of it. This puts you in quite a pickle. Do you turn it off and know you are not secure or do you tell your client no, and insist they do things your way?
Enter the geeks. We found a workaround that worked really well for some of our clients. For those clients who wanted a different solution, our team was able to set up the encryption system to look for certain keywords (like “encrypt” or “private”), and then automatically encrypt just those messages. So our clients were able to turn off the automatic encryption and then simply type the word “encrypt” or “private” in the subject line of the email and it would trigger the message to be encrypted.
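The two policies described above, automatic scanning for social security and credit card numbers and the subject-line keyword trigger, can be sketched as one decision function. This is an added example, not Fluid's software: the regular expressions, the Luhn check, the function names and the sample messages are assumptions made for illustration.

```python
import re

# Trigger words named in the article; matched as whole words in the subject.
SUBJECT_KEYWORDS = ("encrypt", "private")

# Assumed pattern: US SSN written 3-2-4 with dashes or spaces, skipping
# area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}[- ](?!00)\d{2}[- ](?!0000)\d{4}\b")
# Card candidates: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: discards long digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def encryption_reasons(subject: str, body: str, auto_scan: bool = True) -> list[str]:
    """Return why a message should be encrypted; an empty list means send as-is."""
    words = set(re.findall(r"[a-z]+", subject.lower()))
    reasons = [f"keyword:{k}" for k in SUBJECT_KEYWORDS if k in words]
    if auto_scan:
        if SSN_RE.search(body):
            reasons.append("ssn")
        if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(body)):
            reasons.append("card")
    return reasons


if __name__ == "__main__":
    # Constructed sample messages (subject, body); the numbers are test values.
    samples = [
        ("Invoice", "Card on file: 4111 1111 1111 1111"),
        ("Encrypt: tax forms", "SSN 123-45-6789 attached"),
        ("Order update", "Tracking number 1234567890123456"),
    ]
    for subject, body in samples:
        print(subject, "->", encryption_reasons(subject, body))
```

With `auto_scan=False`, a message that carries an SSN but has no trigger word in the subject returns an empty list and goes out unencrypted, which is the trade-off of the keyword workaround.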
Yes, our clients’ email recipients, the screaming customers, still had to go to that special website to see the encrypted messages, but our clients might have just saved those customers thousands of dollars by preventing some guy in the Balkans from purchasing PlayStation 4s on their dime.
With email becoming THE most important business application in use in every industry and in every company, you must at least understand the basics of email security. Email, by default, is not secure and using it to send private data is not a good practice unless you have a solid email defense system AND an encryption solution to protect your messages.
Although these extra security measures might be a slight inconvenience, if you take the time to educate your customers and your coworkers about the real risks and how you are protecting them, they may just pause a minute before they scream.