Should you encrypt your emails and other transmitted data? That’s not an easy decision, but it’s one you should think about. Essentially, you should answer the question, “If my data leaks out around the edges of emails, how bad could things get?”
Most of us produce business data every day and don’t think twice about it. That’s as it should be—business can’t function optimally when the very tools we use obstruct us. The data we create and store may be technically proprietary and confidential, but the reality is that little of it is really sensitive.
Our competitors may be tough, but they’re not usually conducting espionage against us, and probably couldn’t benefit a lot from it, anyway. Clients and customers may pick vendors as much on personal comfort and history as on strict bid price, for example, so the leak of a proposal to a competitor might be more of an emotional than a business issue.
But there are times when data is truly sensitive and should be carefully protected. The health care industry, for example, has to keep patient data confidential, which is a tall order considering how many offices and computer systems that data sees. Salary data might be an exceedingly delicate issue in some places. And government agencies and clients frequently impose tough security measures.
Security experts know that it’s difficult to have data nearby, ready to use, yet unavailable to those who would misuse it. I’ve often counseled clients that to achieve maximum security, they could put everything into a big metal box, weld it shut, and drop it into the Marianas Trench.
That keeps it safe, but somewhat limits its utility. Every security measure besides that one represents some level of compromise and can be breached, a fact of life that keeps a lot of techies up at night, especially about email.
Why email? Because that’s the form in which most information leaves the security of your office. Security to prevent attacks from outside is pretty straightforward, and good IT managers will have implemented it long ago. Basically, you need to keep the hackers out and watch employees for theft. On-site security is mostly concerned about bad guys breaking in.
The bigger actual threat is the mundane leakage associated with employee mistakes or system mishaps. For many security specialists, email is the biggest risk on the block, not systems penetration. Emails can be sent to the wrong address, forwarded with overlooked information still in it, and compromised by being “sniffed” before getting to the recipient.
Email protocols are designed for simplicity and accuracy, not security. In fact, email packets fly through cyberspace just like Web packets do, and not infrequently packets are “dropped.” When that happens, both ends of the software conversation collaborate to figure out which piece of the message is gone, and get it re-sent, all without any manual intervention. But if those dropped packets had your Social Security number or credit card information, it’s worrisome when they can’t be accounted for.
The obvious answer is to encrypt the “signal” so that even if it’s intercepted, it can’t be read. And, of course, you have to work with the intended recipient so it can be decoded at their end.
Perhaps the most popular method in the world right now is called “Pretty Good Privacy” or PGP. It won’t keep your email safe from the National Security Agency, but it will thwart almost any crook. PGP is in most email packages today, like Microsoft Outlook and the open-source Thunderbird, both of which will send protected email and let you open encrypted messages intended for you.
Encryption carries some costs, of course. It’s clumsy for new users, and there’s sometimes a stigma attached to encryption—what are you trying to hide, anyway?
Despite its James Bond allure, it’s not perfectly impenetrable. If somebody is looking over the recipient’s shoulder and reading something he shouldn’t, encryption won’t make any difference. And if you encrypt during transmission but don’t encrypt messages you’ve already stored, you could be wasting your time. Sending encrypted messages with unencrypted attachments is another point of leakage.
There are still more steps you can take to secure communications. Some newer services like Google’s Gmail offer “SSL” security, which gives you the “https” prefix to a Web address instead of the more familiar “http.” If you can use SSL, by all means take advantage. Combining PGP and SSL gives a very high level of assurance that your emails aren’t getting away from you.
If your business merits even higher security, consult an expert to learn more about the software and business processes you’ll need.•
Altom is an independent local technology consultant. His column appears every other week. He can be reached at firstname.lastname@example.org.