Email Security
Would you send out postcards to your clients with their social security numbers, bank accounts, and credit card information written on the back? Of course not! But every time you send an email that has any of those pieces of personally identifiable information in it, you might as well just drop a postcard in the mail instead.
Securing your email is not just about having a safe password for your email account – password security is important, of course, but it only protects your local email account. Emails that you send out bounce from server to server on their way to your client and back again. Each hop made along the way is an opportunity for someone to intercept your email and steal the information contained within. Making sure your internal network is protected, with firewalls and anti-virus, is vital, because it protects your internal data storage from malicious attacks. But even with the most secure internal network, once your data leaves your network, in an email, for example, you have no control over the security of the networks and servers it passes through – and you have no control over the protection methods your recipients are using either.
As noted in ‘Email Security and Anonymity’ on AnonIC.org (http://www.anonic.org/email-security.html), there are an alarming number of ways that email can be intercepted or hacked:
- Keylogging software is the easiest way to hack email – the software can be loaded onto your machine remotely, and it operates silently in the background, with no way for you to know that every single keystroke you make is being captured and potentially exploited by a thief.
- Email headers contain information that is extremely useful to a hacker. While you typically only see the ‘From’, ‘To’, and ‘Subject’ information in the header, there is actually a wealth of other information that a hacker could use to intercept your mail – including your IP address, local time zone, and even the email software you are using (knowing the software version you’re using gives thieves the opportunity to exploit known bugs).
- Web Bugs are tiny, virtually undetectable images that hackers insert into HTML-formatted email, which, when the email is simply opened, send information about your system and email software to the hacker. The worst part is, you don’t have to click any links to enable it – just opening the email downloads the image into your email client.
- Network Traffic Interception is the technical term for “sniffing” or monitoring the traffic that travels through the internet and reading the packets of data as they move along their intended route. As it applies to email, once you press the send button your message is transmitted through a host of servers on the internet before it arrives at your intended recipient. All along that path, hackers can monitor the data packets moving along the route to decipher the information you are transmitting in your message. They may not be targeting your specific message, but if it travels along a path that is being monitored, you are now at risk.
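A defensive way to spot the web bugs described above, as an added example rather than code from the original article: this parser flags remote images in an HTML message body that are 1x1 or hidden, run over a constructed sample message (the hostnames are placeholders). A mail client that blocks remote image loading by default defeats these entirely, which is the real mitigation.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML email body (not from the original article):
# one tracking pixel with a recipient-specific token, one inline logo,
# one hidden remote image, and one ordinary remote photo.
SAMPLE_HTML = """
<html><body>
<p>Hello,</p>
<img src="https://track.example.invalid/open?id=abc123" width="1" height="1">
<img src="cid:logo@local" width="200" height="50">
<img src="https://cdn.example.invalid/blank.gif" style="display: none">
<img src="https://cdn.example.invalid/photo.jpg" width="300" height="200">
</body></html>
"""


class TrackingImageFinder(HTMLParser):
    """Collects <img> tags whose loading would reveal that the mail was opened."""

    def __init__(self):
        super().__init__()
        self.remote_images = []  # every remote image: fetching any of these leaks the open
        self.suspicious = []     # remote images that are tiny or hidden (classic web bugs)

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {name: (value or "") for name, value in attrs}
        src = a.get("src", "")
        if urlparse(src).scheme not in ("http", "https"):
            return  # inline (cid:) and data: images do not phone home
        self.remote_images.append(src)
        tiny = a.get("width").strip() in ("0", "1") if "width" in a else False
        tiny = tiny or (a.get("height").strip() in ("0", "1") if "height" in a else False)
        hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
        if tiny or hidden:
            self.suspicious.append(src)


def find_tracking_images(html):
    """Returns (all remote image URLs, the subset that look like tracking pixels)."""
    parser = TrackingImageFinder()
    parser.feed(html)
    return parser.remote_images, parser.suspicious
```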
Any of the above methods can be used without ever having to actually hack your email password. Before transmitting any data outside of your own network by standard e-mail, ask yourself the following question.
Does any part of the email contain personally identifiable information (SSNs, bank account information, financial data, etc…)?
If there is any shred of doubt that a compromise of this information may result in identity theft, stop right there. If your company has a secure way to transmit this information outside your internal network, utilize this option. If not, discuss the need for a secure alternative with the decision makers of your company. Utilize the following arguments to help the decision maker realize the need and urgency for such an alternative:
- Consumers have repeatedly identified their desire to choose to do business with companies that take the security of their personally identifiable information seriously.
- In 2009, the cost per compromised record of data reached $204. If you utilized standard email to send a file with only 250 records of personally identifiable information, your estimated total cost if this file is compromised would be $51,000.
- Laws have been enacted requiring the transfer of personally identifiable information over the internet be conducted via encrypted mechanisms. For some specific references, see Nevada NRS 597.970 and Massachusetts 201 CMR 17.00.
What Options Are Available for You to Protect Yourself?
- Email encryption. One way to try to secure your email transmissions is to encrypt all outgoing emails. While encrypting your email transmissions helps in protecting the data you send out, it can be cumbersome, because your recipients must be able to decrypt your emails, or they won’t be able to read them. And encrypting your outgoing mail does nothing for incoming mail: replies won’t be encrypted unless the recipient is also encrypting their outgoing mail.
- Secure file transfer service. The best way to guarantee the secure transmission of the personally identifiable information you transmit over the internet is to use a secure file transfer service. Most of these services are as simple as writing an email, with the assurance that files are transferred securely and that your company is in compliance with enacted laws. Some don’t require any hardware or software investment, which can have you up and running within a matter of minutes. Most secure file transfer services cost less per month than a single compromised record, and some even include a secure encrypted file storage capability to store sensitive files offsite and encrypted.
So the next time you’re not sure if what you are sending someone is ok to send through email, ask yourself – would I send this on a postcard through the mail? If the answer is no, then don’t hit the Send button!
Article by SHUGO.