E-mail just might be the most critical business application your company uses. Increasingly, businesses rely on e-mail even when it comes to sending sensitive information such as proprietary materials, private employee or customer account numbers, and confidential negotiations.
You depend on e-mail as a necessary form of communication. But is your e-mail really secure? 'The important thing is for people to realize when they send an e-mail over the Internet, it's the same thing as sending a postcard,'' warns Bradley Anstis, director of technology strategy for Marshal8e6, an e-mail and Web security firm.
However, it is possible to shore up the security of your business e-mail communications. Here's how to protect your business' e-mail privacy:
- Encrypt e-mail and server connections. If you simply send e-mail without ensuring it's encrypted, it can be intercepted and read by hackers. It's important to employ e-mail encryption software and to also make sure the connection between servers is encrypted as well, using Transport Layer Security (TLS), says Antsis. If you're encrypting business communications, then it's up to you to make sure your clients are provided with the software needed to de-crypt it. 'Some of the secure e-mail services will have a website where the person who's receiving it can go to the website to unlock the e-mail,'' says Matt Sarrel, an information security expert and executive director of the Sarrel Group, an information technology consulting firm. If expense is an issue, freeware such as TrueCrypt is an option.
- Verify. There are two things you need to be able to count on when it comes to business e-mail, says Sarrel. It's critical to know that the person who sent the e-mail is indeed the person to whom the e-mail is attributed, and it's vital to know the data in the e-mail hasn't been altered along the way. Look for software, such as the tools available from PGP, that let you digitally sign an encrypted document.
- Be wary of Web-based e-mail. The experts advise caution when using Web-based e-mail accounts. 'Web-based e-mail accounts are regularly targeted for attacks,'' Anstis says. He should know. His personal Yahoo account was hacked and all of his contacts received spam, supposedly sent by Anstis. It was an embarrassing debacle for an e-mail security professional. If you are using a Web-based browser, you need to ensure the connection is encrypted with Secure Sockets Layer (SSL) protection. Check for https in the Web address. Providers such as Hushmail and NeoMailbox promise secure e-mail.
- Educate employees. The best security technology in the world can't mitigate one of the primary sources of risk for your business: human curiosity. It's not just a matter of securing outgoing e-mail; your company's data can be at risk with incoming mail as well. Not only is there a rise in malicious spam, there's an evolution in delivery methods, says Anstis. Ever creative, the bad guys now use botnets, hijacking unsuspecting victims' computers to unleash barrages of what is known as blended attack spam. 'Forty-two percent of all spam is what we call a blended attack -- an e-mail with a URL in it,'' Anstis says. The malware that will compromise your network is not in the e-mail, so the e-mail slips past security gateways. The malware is delivered when the curious recipient clicks on the URL in the e-mail to visit a website. 'Educate your employees about not following unsolicited invitations to click,'' advises Anstis. 'We're pretty good, but some of these attacks are going to get through.' It's smart to show users examples of what a blended attack looks like. That's why Anstis' company, Marshal8e6, offers a sampling of different attack methods on its website.
- Update software. Too often, says Sarrel, 'a lot of businesses just set up e-mail and leave it. Stay on top of e-mail server software.' Understanding vulnerabilities and religiously installing updates and patches is critical. Make sure you're receiving updates from the vendor when it comes to anti-spam protection software, says Anstis.
- Scan e-mail for content. Anstis advises using a software product that will filter for content such as inappropriate language and images, both incoming to provide a professional work environment and outgoing to protect your company's reputation. Content can also be scanned for information you don't want sent externally, such as social security numbers and credit card account data.
- Vet your vendor. Chances are you'll turn to a third party for e-mail security. Anstis, whose company competes in this market, offers this blunt assessment: 'Don't trust vendor promises. Try all products. Get references from people you know and trust.'
For most small businesses, simply taking the time to question and to evaluate e-mail security is a big leap in the right direction, says Sarrel. 'A lot of these systems get rolled out without thinking about security, and people just keep using them. A lot of people don't seem to understand that email is almost by nature not secure.'