For all of the press out there about hacking and suspicious websites, one important facet of internet security that gets overlooked is email. Most of us know not to click on links in a spam message, and many of us realize that some email attachments harbor unsavory bits of code. Malicious code and viruses get transferred easily with email, often without the knowledge of either the sender or the recipient, via email attachments.
Viruses and malicious code aside, there is another issue of email security that you may be overlooking: the sending of sensitive information via email.
Common sense would dictate that any sensitive information – bank account numbers, credit card information, passwords, social security numbers – is best delivered through a secure channel. If you’re using email to send this type of information, you run the risk of exposing it to virtually anyone.
Well, for starters, email is not secure. Let me repeat that, with emphasis: EMAIL IS NOT SECURE. Think of email as a postcard. Anything written on the back of a postcard can be read by anyone. Would you write your credit card number on a postcard and send it off through the mail? I didn’t think so.
There are many reasons email isn’t secure. Most people assume that since they work on a secure network, with a firewall in place and antivirus software running, everything they do online is protected. But a secure network doesn’t equal protection for your email. First of all, email, once created and sent, is hard to destroy. Most electronic documents are backed up and recoverable. They live forever in backup. If someone were to access backed-up information with the intention of scouring it for sensitive information, backed-up email would be a great place to start.
Secondly, the recipient of your email could store your email indefinitely on their computer. Anyone with a motive to access someone else’s computer could access their email and your information.
But wait, there’s more. Your email, once sent, could be intercepted and redirected. And even if it arrives at its intended destination, there is no rule to say your email couldn’t be forwarded without your permission.
The Limitations of Encryption
“Aha,” you may be thinking, “I have encryption on my email.”
Even if you’re one of the lucky ones whose email program encrypts everything sent out, don’t assume that you’re safe. Encrypted emails, once they arrive at their destination and are decrypted in order to be read, can be forwarded without re-encrypting them. Sort of defeats the purpose of encryption, doesn’t it?
While this is not to say that the recipients of your (encrypted) messages are anything other than trustworthy, you just can’t be sure how secure their email environment is. A number of things are out of your control once you press “send” and one of those is what happens to your information once it’s been received. If your recipient leaves their computer to take a lunch break and doesn’t log off, anyone could scan their emails in the interim.
Another concern with encrypted email is this: if your email is received and decrypted on an open Wi-Fi connection (such as at a coffee shop, airport, hotel, or public library), then the information is out there for anyone and everyone who might be interested.
Bottom line: encryption only works up to a certain point.
How do I send sensitive information online, then?
Put simply: don’t use email.
However, if you absolutely must do so, you need to take some additional steps in order to provide a little more security for your information.
- Put your information into a document or spreadsheet
- Encrypt the document so that it can’t be viewed without a password
- Email the encrypted document as an attachment
- Communicate the password to the recipient by means other than email (text, phone, carrier pigeon, etc.)
The recipient will not be able to view the encrypted document without the password, and neither will anyone else who might have access to the email and attachment. However – and I can’t stress this enough – your password needs to be as un-guessable as possible. That means no real words that could be found in a dictionary, no personal information (such as your pet’s name), and no recycled passwords.
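The encrypt, attach and share-the-password steps above, sketched with the OpenSSL command line as an added example that is not part of the original article. It assumes OpenSSL 1.1.1 or later on both ends; the function names and the sample file are made up for illustration.

```shell
#!/bin/sh
# Added example: password-encrypting a document before emailing it.
# Assumes OpenSSL 1.1.1+ (needed for -pbkdf2); all names are illustrative.

# Random 128-bit passphrase as 32 hex characters: no dictionary words,
# nothing personal, never reused. Hex is easy to read out over the phone.
gen_passphrase() {
    openssl rand -hex 16
}

# encrypt_doc PLAINTEXT CIPHERTEXT PASSPHRASE
# The passphrase is fed on stdin so it does not show up in the process list.
encrypt_doc() {
    printf '%s\n' "$3" |
        openssl enc -aes-256-cbc -pbkdf2 -iter 600000 -salt \
            -pass stdin -in "$1" -out "$2"
}

# decrypt_doc CIPHERTEXT PLAINTEXT PASSPHRASE  (what the recipient runs)
# A wrong passphrase normally ends in a "bad decrypt" error. `openssl enc`
# adds no integrity tag, so discard the output whenever this returns non-zero.
decrypt_doc() {
    printf '%s\n' "$3" |
        openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
            -pass stdin -in "$1" -out "$2" 2>/dev/null
}

# Demo on a constructed sample document (not real data).
demo() {
    dir=$(mktemp -d) || return 1
    printf 'Account: 0000-CONSTRUCTED-SAMPLE\n' > "$dir/details.txt"
    pass=$(gen_passphrase)
    encrypt_doc "$dir/details.txt" "$dir/details.txt.enc" "$pass" || return 1
    rm -f "$dir/details.txt"          # only the .enc file gets attached
    echo "Attach to the email:   $dir/details.txt.enc"
    echo "Send by phone or text: $pass"
}

demo
```

The recipient needs the same OpenSSL options to decrypt, so agree on them when you pass along the passphrase.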
Realize that even with these precautions, it might still be possible for someone to view your sensitive information. Know the risks, and be prepared to take responsibility.
Most of us live under the assumption that those we have contact with and conduct business with are good and honest. And for the most part, this is true. However, there are those individuals out there, unknown to you or me, who are actively seeking information from any and all sources for less than honest reasons. Don’t play into their hands. Don’t use email to send sensitive information.