Would you yell out your front door or garage remote code, slowly, digit by digit in front of your house as you leave for vacation? Of course not! Yet, hundreds of thousands of emails are sent per second by businesses that contain data that could be used to hurt them or their customers and it’s all ripe for the picking.
Email traditionally travels between mail servers as plain text so that each server along the way can read the intended destination and relay the message along its path. In simplified terms, a rogue server on that path could intercept all of an email's contents, including attachments, and read them like a veritable book.
This isn't meant to alarm you but to alert (or remind) you to the fact that email isn't a secure means of communication. This is particularly important when you are sharing information outside the relative safety of your company's email domain. What follows isn't meant to be a technical discussion but a means of starting a conversation about how you should secure your sensitive email communications.
Ways to Keep Emails Secure
There are hundreds of great articles out there detailing how email communications work and the protocols involved. For the purpose of this post, let’s assume the following:
- You know email isn’t secure and you’re worried about when it is and isn’t safe to send sensitive information
- You have a business need to either encrypt email contents between parties or verify the identity of email senders and recipients (including yourself). “Business need” = there is a financial impact worth investing your time and/or money into a solution
- You don’t use a public email domain for business purposes (e.g. email@example.com)
1. Use Internal Emails Only
Most often, mail server administrators stumble into a basic, default form of security: email between employees of the same organization never leaves the server. In other words, the best way to make sure no one outside of the company can read an email is to make sure the email never leaves the company. This doesn't guarantee anything else, mind you, including keeping those emails from being copied elsewhere, but it's a good practice to flag email bound for external consumption (such as a customer service ticket response) as such, so employees remember that whatever is said in that email could potentially be shared with the world.
1.5. Sending Emails on Same Host
Most of our customers use professional hosted email services, namely Microsoft Exchange Online (standalone or as part of Office 365 Business Premium) and Google G Suite subscriptions. Not only can they email anyone in their organization without the message leaving their servers, but they can also send to customers who happen to share the same email host. For Microsoft Exchange users, that includes @hotmail.com, outlook.com and many others. For G Suite, that includes @gmail.com, by far the most popular public email address today. Just like these customers, there may be other partners who also use the same host, but this isn't very obvious (though trivial to figure out). While the caveats for #1 apply, at least sending messages between same-host addresses means your email isn't passed around the open internet for all to see. Yet.
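The post says it is trivial to figure out whether a partner shares your mail host; the script below (an added example, not from the original post) shows one defensive way to do that by classifying MX records by provider. The provider suffix patterns and the sample MX records are assumptions constructed for illustration; the optional `lookup_mx` helper needs network access and the `dig` tool.

```python
"""Classify a domain's MX records by hosting provider, so you can tell whether
mail to a partner stays on the same host (e.g. both sides on Exchange Online)."""
import subprocess

# Suffix patterns for the two hosts named in the post. These are assumptions
# about how each provider publishes MX targets; verify against a live lookup.
PROVIDER_SUFFIXES = {
    "Microsoft (Exchange Online / Outlook.com)": (
        ".mail.protection.outlook.com",   # Exchange Online tenants
        ".olc.protection.outlook.com",    # consumer outlook.com / hotmail.com
    ),
    "Google (G Suite / Gmail)": (
        ".l.google.com",                  # aspmx.l.google.com, gmail-smtp-in.l.google.com
        ".googlemail.com",
    ),
}

def classify_mx(mx_hosts):
    """Return the provider name when every MX target matches one provider,
    otherwise 'other/self-hosted' (also for an empty list)."""
    norm = [h.lower().rstrip(".") for h in mx_hosts]
    for provider, suffixes in PROVIDER_SUFFIXES.items():
        if norm and all(any(h.endswith(s) for s in suffixes) for h in norm):
            return provider
    return "other/self-hosted"

def same_host(mx_a, mx_b):
    """True only when both sides sit on the same known hosted provider."""
    a, b = classify_mx(mx_a), classify_mx(mx_b)
    return a == b and a != "other/self-hosted"

def lookup_mx(domain):
    """Live lookup via `dig +short MX` (needs network and dig installed)."""
    out = subprocess.run(["dig", "+short", "MX", domain],
                         capture_output=True, text=True, check=True).stdout
    # each output line is "<priority> <target>."
    return [line.split()[1] for line in out.splitlines() if line.strip()]

# Constructed sample records (not real lookups) covering the post's cases.
SAMPLE_MX = {
    "yourbiz.example":    ["yourbiz-example.mail.protection.outlook.com."],
    "hotmail.com":        ["hotmail-com.olc.protection.outlook.com."],
    "partner.example":    ["ASPMX.L.GOOGLE.COM.", "alt1.aspmx.l.google.com."],
    "gmail.com":          ["gmail-smtp-in.l.google.com."],
    "selfhosted.example": ["mail.selfhosted.example."],
}

if __name__ == "__main__":
    for domain, mx in SAMPLE_MX.items():
        print(f"{domain:20} -> {classify_mx(mx)}")
    print("yourbiz -> hotmail stays on one host:",
          same_host(SAMPLE_MX["yourbiz.example"], SAMPLE_MX["hotmail.com"]))
```

Replace the sample dictionary with `lookup_mx(domain)` results to check a real partner domain; mixed-case targets and trailing dots are normalized before matching.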
2. Digitally Signed (Verified) Senders
While this doesn't guarantee email contents are secure (as in not able to be seen by others), it does mean that email between parties can be reasonably guaranteed to come from the actual parties, once a business relationship has been established. This type of communication can be very important when dealing with litigation, communications under HIPAA regulation, or even contractual communications, such as signing for a real estate transaction. In a day when email spoofing is rampant, and a hijacked email account can cause real damage, this is a great way to make sure you are dealing directly with trusted business associates.
3. Email Encryption
The very nature of the internet is not secure, as several decentralized resources pass bits along. The safest form of online communication is to not be online at all. Barring that, the next best thing is to encrypt traffic between parties; in this case, you and your intended recipient. Though this can be a very complex solution to roll out, there are several providers out there that can greatly simplify the process to something you almost don't even have to think about. Online security is always at much greater risk in the absence of vigilance, but turn-key is the name of the game when it comes to consistently practicing safe computing.
You don't have to host your own email server to take advantage of this much more robust form of email, as there are services that work with Office 365 and G Suite. They can be pricey, but let's remember that all-important "business need" (there are myriad ways a breach of security costs thousands of times more than the security measure costs).
4. Inbound Filtering
As savvy as you or your CTO might be, you're only as protected as your most vulnerable user. And with their increasing levels of sophistication, email phishers, spoofers, malware and ransomware attackers are fooling even IT professionals. Public email providers are increasingly improving their offerings, but this is a classic example of "you get what you pay for." While G Suite customers may enjoy better-than-average protection through sophisticated Googler-spawned algorithms, they simply cannot keep up with dedicated services that have human analysts overseeing and updating their database of suspicious activity. Many of these higher-end services also provide nominal protections when you experience a financial loss because they missed something, and even more when you pay them extra! No IT security strategy is complete without this important piece, but nothing beats regular, mandatory training for your entire company (yes, even you, Mr. CTO).
Educate yourself. Get with a trusted IT partner or your own IT security department (try the network support department if you don't have a dedicated security team). Stop sending emails that can be considered sensitive until you follow a trusted, well-vetted strategy. Always ask yourself: if anyone saw this, what could that cost me? If that's any kind of a decent number, you really need to not put this off any longer.
As always, I’m happy to direct you to a good partner and welcome your comments below.