E-Mail Privacy Myths and What They Mean for Security
Since being introduced to the concept of e-mail back in 1992, I've thought it was the coolest thing since the invention of the postal system (yes, I admit it; I'm a mail junkie). But the reality is that the envelopes I receive from my mailman are a lot more secure than anything I get in my e-mail box. For example, if you are a fan of Gmail, my colleague Don Tennant pointed out that Google knows what's in those messages and posts ads based on keywords you've written.
The lack of privacy in e-mail can also mean a lack of security. In a Web conference held today, Brian Tokuyoshi, product marketing manager for PGP, tackled the topic of e-mail security. There are a number of opportunities for e-mail to be breached, stolen or seen: by system administrators (who may be allowed to have access to the e-mail server but not to sensitive material that is being transferred), through malware infestations that intercept e-mail as it is sent through the network, over unsecured Wi-Fi connections, and via backups and duplicates of e-mail content. Cloud computing has added another level of complication to e-mail security. Tokuyoshi said:
"E-mail, being so simple, is probably being used as the lowest common denominator on how information is being transmitted between one location to another. Even if you provide employees with the ability to securely transmit data, they'll still use e-mail as the easiest way of doing it. So we need to think about how we're protecting the e-mail stream."
Encryption is one of the best methods to secure e-mail, but Tokuyoshi added that it is vital to make sure your encryption software works, not only in your own company, but with third parties.
"Any type of e-mail encryption system that forces your partner [in e-mail communication] to use the same encryption service you use is not a solution that will go over well."
Another option for improved security is e-mail hosting, which allows companies more control over all aspects of sending e-mail. As Joseph Volcy wrote at Hostreview.com:
"Larger enterprises generally have the financial ability to set up and run comprehensive in-house email security activities together with appropriate security policies. Small and medium companies, however, frequently lack the resources to set up an efficient in-house email server and its associated security solution. It is common that their only solution is implementing a single-point solution such as a stand-alone firewall, installing anti-spam software or an intrusion detection system (IDS) on their local area network. While these solutions do provide a certain amount of security, they are simply not strong enough compared to the protection provided by qualified email-hosting providers, who have the capacity to protect against blended email threats by utilising best-of-breed technologies."