Writing effective, secure emails, Part III

Virtually anyone can read your Email in transit, including employers, the NSA, and hackers.

Why is email so vulnerable to hacking?

Your email can be read by others as easily as a postcard sent by snail mail. How so? It passes through a chain of routers and mail servers on its way to the recipient, and each mail server along the way handles and stores it in the clear. Where encryption is used at all between servers, it is opportunistic TLS that protects only that single hop, not the message itself, and an attacker on the path can strip it. Anyone with access to one of those hops can read the message in transit, including employers, the NSA, and hackers. Moreover, mail servers keep spool copies, logs and backups of the mail passing through them, usually with no protection beyond the server's own access controls. Consequently, every email leaves a digital paper trail that can be accessed even years later.

Some security professionals argue that the billions of emails transmitted every day make it unlikely that an individual hacker will locate and exploit any particular message. I would counter that, with the increasing power of personal computers, the spread of less easily secured digital devices, and the growing sophistication and availability of data-mining software, this kind of "protection" is temporary at best: an attacker who has copied a mail spool can search it at leisure.
One thing is clear: there is no anonymity with online email providers such as Yahoo! Mail or Google's Gmail, whose services have displayed context-sensitive advertisements chosen by automatically scanning the content of the mail you read. While such data mining is automated and supposedly secure, many IT experts have expressed concern about the long-term ramifications of this technology.

Employee email cannot be private

Do your employees know that their email is company property? They need to understand that email content monitoring helps protect an organization's financial information, client data, employee data, unreleased products, and new marketing strategies. When such information is carelessly forwarded by employees to the wrong recipients, irreversible loss and damage to an organization's or individual's reputation can result. The greatest vulnerability comes from hackers and industrial spies who use social engineering to trick employees into revealing critical data. This in turn raises the issue of encryption, introduced briefly at the end of this post.

Related threats you should be aware of

  • Modification of messages: Email contents can be altered during transport or storage. On a local network, a man-in-the-middle tool such as "ettercap" (which uses ARP spoofing to put the attacker between two hosts) lets an attacker intercept and rewrite unencrypted SMTP traffic; on a server, anyone with access to the mail spool can edit stored messages.
  • Masquerade: Bogus messages can be sent in the name of another person or organization. SMTP does not verify the From header, so forging it takes no special tools.
  • Spoofing: Similarly, forged messages or malicious edits can be injected directly into another user's mail store, either from within the LAN or from an external source via a Trojan horse on the user's machine, so that they appear to have been received legitimately.
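The three threats above share one root cause: nothing in a plain email binds the sender and the text to each other, so a relay, a man-in-the-middle or an impostor can change or invent either. The following is an added example, not code from the original post, showing in Python how a sending mail gateway can attach an integrity tag computed over selected headers and the body, and how the receiving gateway then detects both modification in transit and masquerade. It assumes a hypothetical shared secret `GATEWAY_KEY` and a made-up header name `X-Demo-Signature`; real deployments use DKIM, which signs with a private key and publishes the public key in DNS, but the canonicalise-then-tag structure is the same.

```python
"""Integrity tagging of email to detect modification and masquerade.

Added example (not the original post's code). The shared-secret HMAC and the
X-Demo-Signature header are constructed for illustration; DKIM does the same
job with a public-key signature.
"""
import base64
import hashlib
import hmac
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

# Constructed demo secret shared by the two mail gateways (hypothetical).
GATEWAY_KEY = b"constructed-demo-key-do-not-reuse"
SIGNED_HEADERS = ("from", "to", "subject")  # headers covered by the tag
TAG_HEADER = "X-Demo-Signature"             # hypothetical header name


def canonical_form(msg: EmailMessage) -> bytes:
    """Bytes covered by the tag.

    Whitespace runs in covered headers are collapsed and trailing
    whitespace/blank lines in the body are dropped, so a relay that pads or
    re-wraps the message does not break verification, while any change to
    the covered header values or the body text does.
    """
    lines = []
    for name in SIGNED_HEADERS:
        value = msg.get(name, "")
        lines.append(f"{name}:{' '.join(value.split())}")
    body_lines = [line.rstrip() for line in msg.get_content().splitlines()]
    while body_lines and body_lines[-1] == "":
        body_lines.pop()
    lines.extend(body_lines)
    return "\n".join(lines).encode("utf-8")


def compute_tag(msg: EmailMessage, key: bytes) -> str:
    digest = hmac.new(key, canonical_form(msg), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def sign(msg: EmailMessage, key: bytes = GATEWAY_KEY) -> EmailMessage:
    """Sending gateway: attach exactly one integrity tag."""
    del msg[TAG_HEADER]  # never leave two tags on a message
    msg[TAG_HEADER] = compute_tag(msg, key)
    return msg


def verify(msg: EmailMessage, key: bytes = GATEWAY_KEY) -> bool:
    """Receiving gateway: a missing, forged or stale tag all fail."""
    tag = msg.get(TAG_HEADER)
    if tag is None:
        return False
    return hmac.compare_digest(tag.strip(), compute_tag(msg, key))


def build_message(sender: str, recipient: str, subject: str, body: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def deliver(wire: str) -> EmailMessage:
    """Parse what arrives on the wire, as the receiving server would."""
    return message_from_string(wire, policy=default)


def run_demo() -> dict:
    """Exercise each threat; returns the verification result per case."""
    sender, recipient, subject = "cfo@example.com", "payments@example.com", "Wire transfer"
    original = sign(build_message(sender, recipient, subject,
                                  "Please pay invoice 1234 to account 555-1 today."))
    wire = original.as_string()
    headers, body = wire.split("\n\n", 1)
    impostor = "Pay 666-9 now."  # constructed attacker text
    return {
        # honest delivery: the tag verifies
        "unmodified": verify(deliver(wire)),
        # benign relay rewriting: trailing whitespace added to body lines
        "padded_by_relay": verify(deliver(headers + "\n\n" + body.replace("\n", "  \n"))),
        # modification in transit: a man-in-the-middle edits the account number
        "tampered_body": verify(deliver(wire.replace("555-1", "666-9"))),
        # modification of a covered header instead of the body
        "tampered_subject": verify(deliver(wire.replace("Wire transfer", "URGENT wire"))),
        # masquerade: an outsider writes in the CFO's name and has no key
        "masquerade_no_tag": verify(deliver(
            build_message(sender, recipient, subject, impostor).as_string())),
        # masquerade with a tag computed under a guessed key
        "masquerade_wrong_key": verify(deliver(
            sign(build_message(sender, recipient, subject, impostor),
                 key=b"attacker-guess").as_string())),
    }


if __name__ == "__main__":
    for case, ok in run_demo().items():
        print(f"{case:22s} {'accepted' if ok else 'REJECTED'}")
```

The tag gives origin and integrity only; it does not hide the content, which is the job of the encryption discussed below. Note that an attacker who removes the header entirely also fails verification, so the receiving policy must treat untagged mail claiming to come from the domain as untrusted rather than quietly falling back to plain delivery.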

Training and best practices

A company needs to do more than just post email security guidelines. According to recent research, when an organization invests in effective training, the percentage of employees vulnerable to phishing and other nefarious tactics can fall by 90% or more. One study found that 15% of a company's employees were at risk prior to training, after which there was a 12-fold increase in vigilance.

Compliance with government data privacy security regulations

Does your organization fall under federal compliance regulations? Many financial and health care companies do, for example under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Ignoring such rules is heavily penalized. Even if compliance regulations don't apply to your industry, take a careful look at them regardless, because they provide a helpful model for data security. One recent cautionary example: a hospice in Idaho lost ONE laptop, with a resulting fine of $50,000, a significant financial loss for a small organization.

Encryption: First issues

I'm hoping that your company already has an encryption system in place that scrambles email messages and attachments on your computers into unreadable ciphertext, which only the holder of the matching key at the other end can unlock. If not, do not use email for your most sensitive communications!

Internet encryption comes in so many forms that it requires a separate blog post. Some introductory background–

  • When your sensitive information, e.g., your social security number, credit card numbers, etc., is requested, encryption MUST be in place for any internet transaction. Check that the page is served over HTTPS (a padlock and "https://" in the address bar, with no certificate warning); if that protection is missing or you are not sure it is there, do not enter the data and click away from the page!
  • Increasingly, more users are encrypting their private email accounts and documents, though this trend hasn’t yet achieved critical mass.
  • There is so much concern in the U.S. about NSA and even more pervasive private sector spying that some corporations are moving their operations abroad.
