My business requires the emailing of some sensitive information on a regular basis. I have spoken with my boss and co-workers about all of us using an encrypted email system but no one seems to think there is a significant threat or danger out there to require these extra steps in security. Can you offer any data to help me to convince them that this is a good idea?
Actually, I don't have hard data to say one way or the other. The risk depends on too many factors to present data that would apply to any specific situation.
But we can definitely look at some of the specific factors.
To be blunt, most people have an over-inflated sense of risk when it comes to external threats that they don't understand. (The one exception being WiFi hotspots; more on that below.) For example, many people will still not make purchases on-line because they're afraid that their information could be "sniffed" or stolen by a hacker. However, these same people are more than happy to hand their credit cards to a complete stranger in a restaurant, and give them a signature to boot! The fact is that most credit card numbers are stolen not by hackers sniffing internet transactions, but through break-ins and physical theft at banks and merchants, which hold card data from both internet and in-person purchases. The shop keeper, or an untrustworthy employee, is much more likely to walk off with the information than some hacker.
And even then, all the press about identity theft aside, with some simple precautions and common sense it just doesn't happen that often. For every case of theft you hear about, there are hundreds of thousands, if not millions, of transactions that happened successfully, securely and without incident.
The same is true of email.
Yes, it's possible to sniff and intercept email conversations. It's not particularly easy (unless you're on an open WiFi connection), and in most cases it's not particularly interesting ... 99% of all email is, in all likelihood, incredibly boring unless you're the sender or the intended recipient.
Email privacy does start to make sense if you have legitimate reason to be concerned that your email might be intercepted (not just uninformed paranoia), and/or if the cost of such an interception is unacceptably high.
So the first question you need to ask yourself is "am I really a target?" Most people are not. Most businesses are not. Many might think they are, but in reality, no one cares. On the other hand, if you're communicating on sensitive things that you know are the focus of possible industrial, political or personal espionage, then yes, you might have a legitimate concern.
The next question is "what's the downside of someone else seeing this?" Again, in most cases the cost is negligible ... a little embarrassment at most. If, on the other hand, that communication landing in the wrong hands could cause serious damage, then it's time to consider protective measures.
If all this sounds like I'm skeptical ... it's because I am. In my opinion, most people who think they are targets are, in fact, not.
But what if you really are? If electronic communication is a necessity, then encryption, good encryption, is a must.
The "problem" here is that encryption schemes for email are, generally, not as interoperable as we'd like. If you can standardize on a solution that works for all your senders and recipients, say everyone within your business, then your problem is mostly solved - though typically those solutions involve third party software and periodic fees.
If you're doing it on your own, and your correspondents may be running a different email client, perhaps even on a different operating system, things get more difficult. Personally, I've not found a good solution that integrates well with various email clients. My approach instead is to send encrypted attachments. By that I mean:
It is somewhat cumbersome, but if you can agree on an encryption tool, it works in almost all environments, and with any email client that can send an attachment.
Specific encryption tools are beyond the scope of this article, but in my case it boils down to either a passworded approach using a tool like TrueCrypt, or a public/private key approach using GPG, both of which are free. But there are many solutions out there.
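One way to hold yourself to the practice described above (sensitive data travels only inside an encrypted attachment, never in the subject, body or a plain attachment) is a pre-send check on the outgoing message. The following is an added example written for this page in Python's standard library; it is not code from the article or from TrueCrypt or GPG. It scans the subject, body and every unencrypted attachment for Luhn-valid card numbers and SSN-shaped strings, the same kind of key-word matching an intermediary could run, and passes only when nothing sensitive is found in the clear. The addresses, file names and the stand-in ciphertext are constructed sample data, and treating the `.gpg`, `.pgp`, `.asc` and `.tc` extensions as "already encrypted" is an assumption of the example.

```python
"""Pre-send check for the 'encrypted attachments only' practice (added example).
Scans subject, body and any unencrypted attachment for card numbers and SSNs;
sensitive data may travel only inside an attachment that is already ciphertext."""
import re
from email.message import EmailMessage

# Assumption: these extensions (GPG / TrueCrypt output) mark ciphertext.
ENCRYPTED_EXTENSIONS = (".gpg", ".pgp", ".asc", ".tc")
# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    """Return [(kind, matched_text)] for Luhn-valid card numbers and SSNs in text."""
    hits = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits.append(("card", m.group()))
    hits.extend(("ssn", m.group()) for m in SSN_RE.finditer(text))
    return hits


def is_encrypted_attachment(part) -> bool:
    """Ciphertext attachment by file extension or declared PGP content type."""
    name = (part.get_filename() or "").lower()
    return (name.endswith(ENCRYPTED_EXTENSIONS)
            or part.get_content_type() == "application/pgp-encrypted")


def check_message(msg: EmailMessage) -> list:
    """Return [(location, kind, text)]; an empty list means the message may go."""
    findings = [("subject", k, t) for k, t in find_sensitive(msg["Subject"] or "")]
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        findings += [("body", k, t) for k, t in find_sensitive(body.get_content())]
    for part in msg.iter_attachments():
        if is_encrypted_attachment(part):
            continue                        # ciphertext: nothing to scan, policy satisfied
        raw = part.get_payload(decode=True) or b""
        text = raw.decode("utf-8", "ignore")  # CSV/TXT sent in the clear
        loc = "attachment " + (part.get_filename() or part.get_content_type())
        findings += [(loc, k, t) for k, t in find_sensitive(text)]
    return findings


def build_message(body: str, attachments=()) -> EmailMessage:
    """Constructed sample message; addresses are placeholders, not from the article."""
    msg = EmailMessage()
    msg["From"] = "hr@example.invalid"
    msg["To"] = "payroll@example.invalid"
    msg["Subject"] = "Q3 payroll file"
    msg.set_content(body)
    for filename, data, ctype in attachments:
        maintype, subtype = ctype.split("/", 1)
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg


# Constructed sample data: a test card number, a fake SSN, and a stand-in for
# GPG output (only the .gpg name matters to the check, not the bytes).
CSV = b"name,ssn\nJane Doe,123-45-6789\n"
CIPHERTEXT = b"-----BEGIN PGP MESSAGE-----\n...constructed ciphertext...\n-----END PGP MESSAGE-----\n"

LEAKY_BODY = build_message("Card 4111 1111 1111 1111, exp 12/27, thanks!")
LEAKY_ATTACHMENT = build_message("Employee list attached.",
                                 [("employees.csv", CSV, "text/csv")])
SAFE = build_message("Encrypted list attached; passphrase shared by phone.",
                     [("employees.csv.gpg", CIPHERTEXT, "application/pgp-encrypted")])

if __name__ == "__main__":
    for label, m in (("leaky body", LEAKY_BODY),
                     ("leaky attachment", LEAKY_ATTACHMENT),
                     ("safe", SAFE)):
        print(label, "->", check_message(m) or "OK to send")
```

The Luhn filter keeps ordinary 13- to 19-digit numbers (order ids, tracking numbers) from tripping the card pattern, though a non-card number that happens to pass Luhn will still be flagged; the check errs toward asking the sender to look again rather than letting a card number out in the clear. Note that the check trusts the `.gpg` extension, so it belongs beside, not instead of, the agreed encryption tool.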
So in a nutshell, most people aren't at the risk that they think they are, and for those that are, things can be a little more complex than we'd like.
It's one more reason that truly secure information is often best handled in phone calls or in-person meetings, rather than email.
Important: the one place where exactly the opposite is true - people are at much more risk than they realize - is at WiFi hotspots. It's fairly easy for anyone there to "listen in" on the data flowing to and from your machine. There, you need to be encrypted one way or another. See How do I stay safe in an internet cafe? for the steps you need to take if you use a public WiFi hotspot.
Related:
Ask Leo! - Can hackers see data going to and from my computer?
Ask Leo! - How do I stay safe in an internet cafe?
Ask Leo! - How can I keep my email safe from sniffing?
Article C2458 - November 13, 2005
I disagree with the tone of this response. Comparing email to online purchases is misleading. Almost all reputable online retailers will use encrypted HTTP to perform transactions over the web (usually your browser will notify you of this by displaying a padlock or similar icon when browsing a secure page). On the other hand, email by default is transmitted as plain text. Like most data on the internet it also passes through many networks and servers on the way from source to destination. It would be trivial for any one of these intermediaries to automatically take a copy of all emails that contained credit card numbers. The fact that 99% of emails are boring is meaningless to a program searching for key words. As such I would advise your readers to always think before sending sensitive or financial information via email and follow your practice of encrypted attachments when required.
Posted by: Finn61 at August 7, 2007 11:00 PM
There are email services available that use encrypted links by default. A list of providers and further discussion can be found at novo-ordo.com. While it is true few people are targeted, I suspect the environment is becoming more hostile for the average Joe.
Posted by: Rick at February 21, 2008 12:19 PM
Does Exchange Server encrypt emails going from the LAN to the WAN?
Thanks
Posted by: Roberto at May 12, 2008 2:53 PM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I don't think so.

Leo

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFIKfNgCMEe9B/8oqERAtvJAJ9tMOQ/ZR5c94ps/s3MleIpj8RO9gCfbpST
zspatixw/uu+i/BPrC5CarM=
=XJ/5
-----END PGP SIGNATURE-----
Posted by: Leo at May 13, 2008 1:00 PM
With all the hype nowadays about hackers and systems being sabotaged and/or compromised, I too was concerned with my company's safety and security when it comes to email information going over the airwaves. I did a lot of research into getting our own system and I found out pretty quickly that it can get very expensive, up into the 40-50k range, to secure your emails with the different sophisticated systems out there. Well, I did my job and did more research, and I found a company that specializes in this market and saved thousands of dollars. The company is called www.global-datasolutions.com and we now have a pretty sophisticated system in place through them, using desktop PGP, and we are also using the BlackBerry devices through them as well, equipped with PGP. It's a pay-as-you-go service and it includes unlimited worldwide roaming, 24-7 tech support, the BlackBerry device of your choice and, best of all, they customized the plans according to our own specific needs. If you need security, go and check them out; you will save tons of money.
Posted by: monty at August 25, 2008 2:45 PM
Yes, solutions can be expensive, but what is the cost when one of your associates in human resources sends your 15,000 employees' SSNs to the wrong address and it gets picked up by the media? Hosted off-site solutions work, but add more critical components that must be safeguarded. If the hosting company has a leak, your customers still ascribe the blame to you.
Consider the options surrounding the choice to encrypt, and whether to use a hosted solution, very cautiously.
Frank
Strategic Data Management
Posted by: Frank Hughes at September 17, 2008 11:10 AM
Are there any firm, researched statistics about this? To be meaningful, it would have to include incidents of hacking (say) per million, sub-divided by method of hacking.
Posted by: Tim at September 29, 2008 9:13 AM
Communicating through email is almost never safe. Unless you are using encryption (most do not) your data may be intercepted. Probably not by some big time hacker, but more likely a wannabe hacker, a 13 year old so-called "script kid" who runs scripts that were prewritten to do such things. If you don't want to go through the hassle of encrypting your email you can use a service which handles the messaging aspect for you such as www.PrivateInformationExchange.com.
Posted by: Bryan at May 7, 2009 9:08 AM