It goes without saying that email has changed the way the world communicates. I get more emails by far than I do letters delivered the old-fashioned way. That said, there’s one aspect of email that many of us overlook at our peril, and that’s the information we put in our messages.
Email was not intended as a secure means of communication. Whether you’re a lawyer, an accountant, a chief executive, a chief financial officer or an internal auditor — even if you work at home or are retired — you need to know that what you put in an email could one day become key evidence in litigation.
Remember that the vast majority of emails traverse the globe in an unencrypted format. This is analogous to sending a postcard via regular mail. Think about it: what’s to stop your mail carrier (or anyone else in the postal delivery chain) from reading the messages you write on postcards? Unless you’ve written in some obscure language used by only a handful of people, nothing can stop such peeping. Yet emails (containing information like account numbers, social security numbers and/or other sensitive and personal data) are passed around by millions each day with nary a thought to potential consequences.
Emails are not only vulnerable to snooping, which contributes to a general loss of privacy, but have also become an increasingly common tool in litigation. The use of email information as evidence in the Microsoft antitrust trial was just one of the most visible examples.
According to Jack Seward, a digital forensic accounting technologist, some users still believe that digital encryption of email isn’t necessary. They argue that email carries the reasonable expectation of privacy. Although that may have once been true, Seward warns, “known technological vulnerabilities of unencrypted email make this presumption an old wives’ tale at best.”
What about email accidents? They happen easily, and they are more common in important business and personal communications than most people realise. An email message can easily be sent to anyone in an instant — and there’s no hope of retrieving it once you hit send. It takes just a single errant keystroke or mouse click to send a message to the wrong recipient.
With password protection and encryption, a user can have some measure of security for misdirected messages. However, the best way to prevent accidents is to teach users what to do when things go wrong, as well as how to do it right in the first place. If possible, IT managers should also configure email software so that the default setting produces the safest outcome.
The million-dollar challenge is to decide which type of security strategy and encryption software to use, and to determine whether it is prohibitively expensive. A simple search on the internet shows there are dozens of products available, some at no cost.
When shopping for a product, it’s advisable to match the protection provided for emails, systems and software to the value or sensitivity of the information that will be transmitted. Generally speaking, it’s best to use centralised control for email services.
Email policies should be defined and should specify the level of protection to be implemented. Of course, if your company is using a secure channel like a VPN, messages sent over it will be secure in transit, since VPNs typically employ some combination of digital certificates, strong user authentication and encryption to provide security for the traffic they carry.
These days, many lawyers, accountants, actuaries, financial planners, medical professionals and others freely send critical personal information in an unencrypted format. It is imperative that this practice change, with organisations adopting policies for the safe and secure handling of email. Educating employees about safe email usage and delivery policies helps reduce the risk of intentional or inadvertent misuse, thereby ensuring that confidential records transferred via email are secured properly in transit and upon receipt.
Encrypting email will keep messages safe from all but the most determined hackers. Protecting your intellectual property assets is paramount, and those assets include email. Encryption is a reasonable precaution that we’ll have to take when sending sensitive information anywhere around the globe.