This is the fifth in a ten part series on information technology security from SBAM Approved Partner NuWave Technology Partners.
Read Part 1
Read Part 2
Read Part 3
Read Part 4
E-mail has become so common place that most of us cannot remember or imagine life without it. While it can be a great business and personal tool, it can also be frustrating and even burdensome to try and keep up with it. In this article, we will discuss how email works and the importance of using secure email to send sensitive data.
E-mail is:
A best effort delivery system
The first issue is from a technology perspective. Email has become so reliable that many people do not know that at the core, email technology is built around a BEST EFFORT delivery system. When one sends a time critical email there is no guarantee when or if the email will be delivered. Many email systems will continue to try and deliver the message for hours before notifying you that there is a problem. It could be several days before it finally gives up and notifies you that it has stopped trying. This does not mean the email system has a bug or failed, it is actually working as it was designed.
Inherently insecure
Security is another major concern with email. Historically, all email, was sent in clear text. This means that any number of freely available software programs could be used to capture and read every email you sent. Before you press send, ask yourself, would I write this message on a postcard and mail it? Today, most email servers use Transport Layer Security (TLS) and require an encrypted TLS connection to the receiving email server or it will not send the message. So, email between most servers is now encrypted. The email message however, is still stored on the email server in clear text. There are many questions about how secure TLS really is since most servers do not support the most recent versions of TLS and older versions have security vulnerabilities. HIPAA and other regulatory requirements demand more than what is provided by TLS.
Can be protected
Many companies are now incorporating encryption solutions into their email systems. Encryption products use a secure key to encrypt or scramble the body and attachments of an email message so that it can be confidentially delivered to the recipient. The recipient must then log into a portal and verify their identity to open the content of the email. There are some encryption solutions, such as ZIXCorp, that eliminate the portal if both the sender and the recipient are using the same system. One of the biggest challenges with many of the email encryption solutions is that it is up to the person sending the email to decide if the message will be sent encrypted. Some of the encryption systems however, have the ability to scan the body and attachments of email for key words and based on a predefined policy, automatically encrypt the email. These policies remove the human factor of deciding when or when not to encrypt the email. The policies can be defined to protect social security numbers, financial data, protected health information (PHI) or even scan for vulgarity and forward the email to a supervisor to protect the corporate reputation. There are an ever increasing number of regulations that hold the email sender responsible to protect the information they are transmitting from being seen by anyone other than the intended recipient.
Most businesses, and often the individual employee, are now subject to large fines and potential jail time if they knowingly expose protected information. Remember to think about the message you need to send. Is email the right tool to deliver the message? If it is, and the message is sensitive, make sure that you’re sending it securely.