
The Check Is in the E-Mail?

The recent headlines about the hacking of Republican Vice Presidential Candidate Sarah Palin’s email have raised some interesting questions about the security of email as it is used in small business. An amazing amount of business is transacted over email every day. According to a 2008 study by the Radicati Group (as cited on About.com), 218 billion emails are sent per day (Tschabitscher 2008). A Pew Internet study estimates that 57 million American adults are “work emailers” who use email for daily work tasks; 62% of all employed Americans have Internet access, and 98% use email on the job (Fallows 2002). The Radicati Group also estimates that there are 516 million business inboxes worldwide. “Gartner [Analyst Group] figures reveal 84 percent of high-cost security incidents occur when insiders send confidential data outside the company without properly securing the data… a quick hit of the “send” button could result in a competitor getting hold of confidential product-launch plans, the exposure of customer Social Security numbers, a premature leak of corporate financial information or patient medical records being revealed to the masses.” (Robb 2007)

How secure is email?

Many folks use email as if it were secure and safe from individuals with malicious intent. They are lulled into a false sense of security by the fact that they must log in to read it. Webmail serves its login page over a secure (https) connection, but the mailbox is then often read over an ordinary unencrypted connection, and unless the sending and receiving mail servers happen to negotiate TLS between themselves, the message itself crosses the Internet as plain text that any system along the way can read, copy or alter. The truth is that sending information over email is about as safe as sending it on a postcard. For an eye-opening illustration of what postal mail would be like if it had the same security as email, see http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci521107,00.html (Avolio 2001).
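To make the postcard comparison concrete, here is an added example (not code from the original post) in Go that reads a constructed capture of an SMTP session, the sort of thing anyone on the same network path sees, and reports whether the connection was switched to TLS and, if not, the headers and body it can recover. The two transcripts, the addresses, the message content and the function names are all invented for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed capture of a mail client ("C:") talking to a server ("S:").
// With no TLS negotiated, the envelope, headers and body are all readable
// by anyone on the path. Addresses and content are made up for this example.
const plainSession = `S: 220 mail.example.net ESMTP
C: EHLO laptop.example.org
S: 250-mail.example.net
S: 250-STARTTLS
S: 250 SIZE 10240000
C: MAIL FROM:<alice@example.org>
S: 250 OK
C: RCPT TO:<bob@example.com>
S: 250 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: alice@example.org
C: To: bob@example.com
C: Subject: Q3 wire instructions
C:
C: Bob, the account number for the transfer is 123456789.
C: .
S: 250 OK queued
C: QUIT
S: 221 Bye`

// Same client, but this time it accepts the server's STARTTLS offer.
// Everything after the 220 reply is ciphertext on the wire.
const tlsSession = `S: 220 mail.example.net ESMTP
C: EHLO laptop.example.org
S: 250-mail.example.net
S: 250-STARTTLS
S: 250 SIZE 10240000
C: STARTTLS
S: 220 Ready to start TLS
[TLS handshake; remaining bytes are encrypted and not recoverable]`

// Finding is what an observer can conclude from one captured session.
type Finding struct {
	STARTTLSOffered bool              // server advertised STARTTLS
	STARTTLSUsed    bool              // client actually switched to TLS
	Headers         map[string]string // recovered message headers, if any
	Body            string            // recovered message body, if any
}

// inspectCapture walks the transcript line by line and stops as soon as the
// client issues STARTTLS, because nothing after that point is plaintext.
func inspectCapture(capture string) Finding {
	f := Finding{Headers: map[string]string{}}
	inData, inBody := false, false
	var body []string
	for _, raw := range strings.Split(capture, "\n") {
		if len(raw) < 2 {
			continue
		}
		who, line := raw[:2], strings.TrimPrefix(raw[2:], " ")
		switch {
		case who == "S:" && strings.HasPrefix(line, "250") && strings.Contains(strings.ToUpper(line), "STARTTLS"):
			f.STARTTLSOffered = true
		case who == "C:" && !inData && strings.EqualFold(strings.TrimSpace(line), "STARTTLS"):
			f.STARTTLSUsed = true
			return f
		case who == "C:" && !inData && strings.EqualFold(line, "DATA"):
			inData = true
		case who == "C:" && inData && line == ".":
			inData = false // end of message: headers and body are complete
		case who == "C:" && inData && !inBody:
			if line == "" {
				inBody = true // blank line separates headers from body
			} else if parts := strings.SplitN(line, ":", 2); len(parts) == 2 {
				f.Headers[strings.TrimSpace(parts[0])] = strings.TrimSpace(parts[1])
			}
		case who == "C:" && inData && inBody:
			body = append(body, line)
		}
	}
	f.Body = strings.Join(body, "\n")
	return f
}

// report phrases a Finding the way a sniffer's summary would.
func report(f Finding) string {
	if f.STARTTLSUsed {
		return "session switched to TLS: message not recoverable from the wire"
	}
	note := "server did not offer STARTTLS"
	if f.STARTTLSOffered {
		note = "server offered STARTTLS but the client ignored it"
	}
	return fmt.Sprintf("%s; recovered Subject %q and body %q", note, f.Headers["Subject"], f.Body)
}

func main() {
	fmt.Println(report(inspectCapture(plainSession)))
	fmt.Println(report(inspectCapture(tlsSession)))
}
```

Run as-is and the first line of output hands over the subject and the account number from the plaintext session; the second line shows that the same message sent after STARTTLS yields nothing. Note that even in the second case the server-to-server hop that follows is a separate connection with its own, usually optional, TLS negotiation, so a client-side check like this only covers the first leg.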

Sarah Palin’s email was not accessed in this way, however. The perpetrator researched her personal life and then guessed his way through the security questions that her webmail provider asks when a user has forgotten the password. Her very public life and her very honest answers to those questions made the account easy to take over: the “forgot password” path was weaker than the password itself.

What is email security?

Once your login and password are protected, there are two essential parts of email security. The first is digital signing. Signing requires a key pair: either a personal email (S/MIME) certificate purchased from a third-party certificate authority, or a PGP key pair you generate yourself. Your private key produces a signature over the message, and the recipient checks it with your public key. A valid signature tells the recipient that the email really came from you and was not altered in transit. Once business partners and customers are used to receiving digitally signed email from you, an unsigned message that “spoofs” your address to send them phishing emails stands out.

The second part of email security is the encryption of the message itself: the content is converted into a form that cannot be understood until it is decrypted. Email encryption technology has been around for a long time, but it is cumbersome to use and slows the email process. Encryption keeps sensitive information private, so that if the email is intercepted the interceptor cannot read it. The sender encrypts the email before it is sent, and the recipient decrypts it on arrival. Encryption uses the same kind of public and private “keys” as signing, in the other direction: to send an encrypted email to someone, you must have their public key, and only their private key can decrypt it. (Note that the common schemes, PGP and S/MIME, encrypt the body and attachments but not the Subject line or the sender and recipient addresses, so those should not carry anything sensitive.) This creates a network-effect problem. Sending an encrypted email to someone who cannot decrypt it is a barrier to communication, much like sending an email in a foreign language for which there is no dictionary. Businesses have to get customers, clients, suppliers and so on on board with email security to make it work, and there is a learning curve; they may be resistant if no one else, other than you, uses it.
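The two parts described above, signing and encryption, fit together in one round trip, shown here as an added example in Go (not code from the original post, and not PGP or S/MIME itself: the on-the-wire format, key distribution and certificate checking that those tools handle are left out). Alice signs with her private key and encrypts to Bob’s public key; Bob decrypts with his private key and verifies with Alice’s public key. The names Alice, Bob and Mallory, the message text and all function names are invented for the example.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what actually travels through the mail system. None of these
// fields reveals the body or who signed it. (The Subject line and addresses,
// which real mail clients leave outside the envelope, would still be visible.)
type Envelope struct {
	WrappedKey []byte // one-time AES-256 key, RSA-OAEP encrypted to the recipient's public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM of (signature || body), with authentication tag
}

// newKey makes a 2048-bit RSA key pair. In practice the pair comes from a
// certificate authority (S/MIME) or is generated once by a PGP tool.
func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealMessage signs the body with the sender's private key, then encrypts the
// signature and body together with a fresh symmetric key that only the
// recipient's private key can unwrap ("sign, then encrypt").
func sealMessage(body []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	payload := append(sig, body...)
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, payload, nil)}, nil
}

// openMessage reverses sealMessage: unwrap the key with the recipient's
// private key, decrypt, then verify the signature with the sender's public
// key. Any error means the message must not be trusted.
func openMessage(env *Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("not encrypted to this recipient")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	payload, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext was altered in transit")
	}
	sigLen := sender.Size() // an RSA signature is exactly one modulus long
	if len(payload) < sigLen {
		return nil, errors.New("malformed payload")
	}
	sig, body := payload[:sigLen], payload[sigLen:]
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, errors.New("signature does not verify: not from the claimed sender")
	}
	return body, nil
}

func main() {
	alice, bob, mallory := newKey(), newKey(), newKey()
	body := []byte("Bob, the account number for the transfer is 123456789.")

	env, _ := sealMessage(body, alice, &bob.PublicKey)
	got, err := openMessage(env, bob, &alice.PublicKey)
	fmt.Printf("bob reads: %q (err=%v)\n", got, err)

	_, err = openMessage(env, mallory, &alice.PublicKey)
	fmt.Println("mallory intercepts:", err)

	forged, _ := sealMessage([]byte("send it to account 999 instead"), mallory, &bob.PublicKey)
	_, err = openMessage(forged, bob, &alice.PublicKey)
	fmt.Println("mallory forges alice:", err)
}
```

The three runs in main show the two properties the text asks for: Bob alone can read the message, and a message Mallory makes up is rejected because it was not signed with Alice’s key. Flipping any byte of the ciphertext makes the decryption step fail as well, which is why the signature sits inside the encryption rather than beside it.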

The state of email encryption is still fairly limited. “So far, email encryption is still mainly used by organizations with highly sensitive missions or information, or paranoid security types who know too much. But enterprises, especially those under the heaviest regulatory microscopes like healthcare and financial services, are starting to look more closely at email encryption. The recent epidemic of laptop thefts and customer data leaks has also spurred interest in giving email encryption a second look… many firms merely use secure VPN connections to their business partners when sending sensitive mail.” (Higgins 2007)

As a side note: when you fill in a form on a web site that asks for sensitive personal information such as a social security number, password or credit card number, do you know whether the information is stored encrypted on the server, or simply delivered to the site owner by “form-to-mail”? The https padlock only protects the data between your browser and the web server. If the server then emails the form contents to someone, the data suffers the same exposure as the postcard example above, even though the page has a security certificate and uses the https protocol.

What can you do to make your business email safer?

I will not pretend that I have expertise in business email security, but here are some things that I have learned that might help with business security.

(1) Find and implement email digital signing and encryption software.
“Any e-mail should be encrypted if the contents are sensitive in nature. This can mean that the e-mail contains intellectual property, legal information or personally identifiable information such as health information, social security numbers or trade secrets.” (Robb 2007)

(2) Encourage business contacts to use signing and encryption software as well, and exchange public keys with them: without their public key you cannot encrypt to them, and without yours they cannot verify your signature.

(3) If you use webmail, download your messages to your own computer and delete them from the server. Then, if your account is hacked, there is little left for the perpetrator to see. (The downloaded copy now needs protecting too; the laptop thefts mentioned above are exactly how local mail archives get lost.)

(4) Alert all employees to the danger of sending sensitive information by unsecured email. (It has been my experience that many individuals are completely unaware.)

(5) Choose answers to security questions that are not obvious and cannot be figured out by people close to you, or researched on the web or through public records (e.g., wedding date, birthdate, pet’s name, etc.). Nothing requires the answer to be true: treat it as a second password, use a random made-up answer and keep it in a password manager.

(6) Be certain to understand privacy laws in your particular industry when you use email to transact business.

Bibliography and Additional Reading:

“Palin’s ‘Hacker’ Tells How He Did It”, Dark Reading, September 18, 2008, http://www.darkreading.com/document.asp?doc_id=164126

IT Security Staff, “Hacking Email: 99 Tips to Make You More Secure and Productive”, ITsecurity.com, http://www.itsecurity.com/features/99-email-security-tips-112006/ (accessed 9/28/2008)

Michael Horowitz, “How Secure Is That Web Page in the Window? What You Should Know About Submitting Secure Encrypted Data into a Web Page”, January 2006, http://www.michaelhorowitz.com/securesubmit.html

Frederick Avolio, “Think Your E-mail Is Secure? Think Again”, SearchSecurity, February 9, 2001, http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci521107,00.html

Kelly Jackson Higgins, “Email Encryption Gets Easier”, Dark Reading, September 13, 2007, http://www.darkreading.com/document.asp?doc_id=133830&WT.svl=news1_1

Drew Robb, “Keep It Classified: E-mail Encryption for Small Business”, SmallBusinessComputing.com, June 5, 2007, http://www.smallbusinesscomputing.com/buyersguide/article.php/3681486

Tony Bradley, CISSP-ISSAP, “Why You Should Encrypt Your Email and Some Tips for How to Do It”, About.com, http://netsecurity.about.com/cs/emailsecurity/a/aa051004.htm (accessed 9/28/2008)

Heinz Tschabitscher, “How Many Email Users Are There?”, About.com, http://email.about.com/od/emailtrivia/f/how_many_email.htm (accessed 9/28/2008)

Deborah Fallows, “Email at Work”, Pew Internet & American Life Project, December 8, 2002, http://www.pewinternet.org/pdfs/PIP_Work_Email_Report.pdf