There's a lot of misunderstanding about email security these days.
As you may have heard (because it is practically the news story of the year), the Democratic National Committee email server was hacked months ago, and now the messages have been shared on Wikileaks. There are nearly 20,000 messages in there, including a few from chairwoman Debbie Wasserman. (She is stepping down after the Democratic convention this week.) It's a surprising development and one that could lead to many other problems for the DNC, including lawsuits and resignations.
It ties right into another political quagmire for Hillary Clinton. She's battled questions about her own email server, which was separate from the one required for government officials. She was exonerated for the mishap. Over the weekend, she defended the private server, suggesting to Charlie Rose (among others) that it was secure because she was sending and receiving messages with trusted individuals.
Here's the quote:
"There were three at--probably at least 300 people on those emails, the vast majority of whom are experienced professionals in handling sensitive material. And I have no reason to have second-guessed their decision to send or forward me information."
Sadly, this is an appalling statement to anyone who follows the security industry. She may have been exonerated, but that does not mean her email was secure. For anyone who runs a business, it's important to know the difference between two different kinds of secure email. I'll provide some guidance below, with help from a few security pros.
What you're likely using today
You're likely already using email security, but not encrypted email. There's a difference. Email can be secure when it resides on a server, it can be secure when it travels between the server and your email app, and you can make your own email app secure by requiring a login. None of those things actually make the message itself encrypted, though: they protect the mailbox and the connection, not the content once it is in someone's inbox. Hillary Clinton was wrong about why she thought her email was secure. It wasn't. Of the 300 people she trusted, any of them could have forwarded a message by mistake. Any of them could have handed out a login to someone without thinking. The messages themselves were not secure.
Craig Kensek, a security expert with Lastline, told me roughly the same thing. He insisted that encryption is not common at all, and most people don't even know about it. "The vast majority of businesses don't store their emails encrypted, or have them encrypted while in transit," he says.
The truth is, when you send a message using Gmail or your work account, the email itself is basically text and some formatting. It can be easily copied, saved, stored, and reused. There's no password for the message itself. If you send or receive sensitive material, such as bank information, investment plans, or anything you would not want to fall into the hands of hackers, you need to use a more secure approach.
What you should use if you send sensitive material
It's unfortunate the DNC email server was hacked, but it didn't have to turn into such a mess. That's because the committee could have used encrypted email. It's a little more complex and a bit cumbersome, but it's not rocket science. Microsoft Exchange and Outlook support it, as does Google for Work (it's called Google Apps Message Encryption). You can even use a low-cost service like StartMail.
There's a good chance you've used encrypted email before. When your bank sends you a message, it likely arrives as a notice instructing you to open the actual message on the bank's site, not in your email app. When the link takes you to the bank site, you have to type in a code or log in. Once you log in, the message never leaves the site.
Encrypted email is much more protected from hacking. With StartMail, for example, you click a simple checkbox when you compose a new message and type in a question and answer. The answer has to contain letters and numbers, and has to meet a standard for a strong password. When recipients receive the message, they click a link to go to StartMail and have to type in the secret answer. There is nothing to forward. The message is not contained in their own email app.
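To make the difference concrete, here is a small model of the secret-answer portal described above. It is an added example, not StartMail's or any vendor's code, and everything in it (the portal URL, the strength rule, the stdlib-only cipher) is assumed for illustration: the email only ever carries a link, the server stores ciphertext plus a salt and tag, and the body is readable only with the right answer.

```python
import hashlib, hmac, os, re, secrets

# Constructed model of a secret-answer message portal (added example, not a
# vendor's code). Stdlib only: PBKDF2 turns the answer into keys, the body is
# XORed with a SHA-256 counter keystream and protected by an HMAC tag
# (encrypt-then-MAC). A production service would use a vetted AEAD such as
# AES-GCM from a maintained crypto library instead of this hand-rolled stream.

def answer_is_strong(answer):
    """The page's rule: letters and numbers, long enough to count as a strong password."""
    return (len(answer) >= 12 and re.search(r"[A-Za-z]", answer) is not None
            and re.search(r"\d", answer) is not None)

def _keys(answer, salt):
    k = hashlib.pbkdf2_hmac("sha256", answer.encode(), salt, 200_000, dklen=64)
    return k[:32], k[32:]  # encryption key, MAC key

def _keystream(key, n):
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
    return out[:n]

class Portal:
    """Server side: keeps only salt, ciphertext and tag, never the answer or plaintext."""
    def __init__(self):
        self.store = {}

    def compose(self, body, answer):
        if not answer_is_strong(answer):
            raise ValueError("answer must mix letters and numbers and be 12+ characters")
        salt = os.urandom(16)
        ek, mk = _keys(answer, salt)
        data = body.encode()
        ct = bytes(a ^ b for a, b in zip(data, _keystream(ek, len(data))))
        tag = hmac.new(mk, salt + ct, "sha256").digest()
        token = secrets.token_urlsafe(16)
        self.store[token] = (salt, ct, tag)
        return f"https://portal.example/read/{token}"  # the only thing that is emailed

    def read(self, link, answer):
        salt, ct, tag = self.store[link.rsplit("/", 1)[1]]
        ek, mk = _keys(answer, salt)
        if not hmac.compare_digest(tag, hmac.new(mk, salt + ct, "sha256").digest()):
            return None  # wrong answer: no plaintext, and a forwarded link alone is useless
        return bytes(a ^ b for a, b in zip(ct, _keystream(ek, len(ct)))).decode()
```

Forwarding the notification email hands over only the link; without the answer the recipient's mailbox, and anyone who reads it, holds nothing readable.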
The problem, of course, is that it all takes time. Kensek told me many users don't really want to type in a code. People like to use email like an instant chat. Yet if you take that extra step, your company will be more protected--at least for confidential material. It would have saved a lot of problems for the DNC and Hillary Clinton.