How to Protect Your Organization’s Sensitive Email Data
If your organization’s email data gets hacked, you could fall prey to ransomware and phishing
Email has never been a secure way of exchanging information. Google even includes results on how to hack emails, including one article titled, “How to extract emails from an SMTP server”. The information on how to glean email data is readily available. Yet, thousands of organizations conduct the majority of their communications through email. By doing so, they make themselves vulnerable to hackers. Really, it’s just a matter of whether a hacker decides to target your organization.
In 2014, hackers targeted over 500 million Yahoo email accounts. They stole names, email addresses, passwords, phone numbers, and answers to security questions from the Yahoo server. This is part of what happened to Yahoo and led to the downfall of former Yahoo CEO Marissa Mayer, whose big product focus was Yahoo Mail. Mayer and Yahoo failed to account for the fact that email isn’t secure by nature.
According to Digital Trends, email “was developed when the Internet was a much smaller place to standardize simple store-and-forward messaging between people using different kinds of computers. Email was all transferred completely in the open – everything was readable by anyone who could watch network traffic or access accounts (originally not even passwords were encrypted). Amazingly, email sent using those wide-open methods still (mostly) works.”
This is scary when you think about who uses email and what they use it for. When it comes to patient data in the healthcare industry, data volume reached 150 exabytes by 2011. Patient data is some of the most sensitive data out there. Healthcare professionals can collect it in electronic health records (EHR), but some still use Excel spreadsheets to collaborate when they’re sharing data, because it’s easier to use spreadsheets than EHR. When they email the spreadsheets without encrypting the emails, the data are vulnerable. (Author disclosure: As a former social worker, the organization I worked for simply used Microsoft Outlook to email sensitive information about mentally ill patients; none of the emails were encrypted.)
What kind of data do you make available through emails? If your organization’s email data gets hacked, you could fall prey to ransomware and phishing schemes. Furthermore, if there’s important info in emails, such as passwords and financial data, that info could easily fall into the hands of hackers out to commit identity theft.
How to Protect Email Data
Chances are you use one of the big email clients, such as Gmail, Outlook, or Yahoo. They’re big for a reason—ease-of-use—but they don’t use irreversible encryption. So, if someone hacks into the Gmail server, they can find keys to decrypt your emails.
One option is end-to-end encryption. This kind of encryption scrambles your emails and provides keys to access them. Only you and the recipient know the password to access the keys. You both need to be using the same encryption service to make it truly end-to-end, however. Three years ago, Google said it was going to offer an end-to-end encryption extension called E2EMail, but it still hasn’t materialized. Since you can’t get end-to-end through Google, your organization will need to switch to another app, such as ProtonMail or Tutanota.
There are also software options. Simply conduct a search for “end-to-end encryption software” and take a look at what’s available. WhatsApp is a popular encrypted messaging solution, but it’s owned by Facebook, thus not hidden from Facebook’s prying eyes. Whistleblower Edward Snowden prefers Signal, a messaging app you can also use for SMS and phone calls. Telegram is also solution, but like all of these, everyone you message has to sign on to using the service. And that’s the crux of the situation: There are plenty of great encryption services, but everyone you message has to be in on the service in order to achieve end-to-end encryption.
An answer to the exclusivity of end-to-end is to use two-factor authentication (multi-factor authentication, or 2FA) instead. A 2FA service allows you to send emails with your existing email client, encrypts them, and then asks the recipient to provide a code only they know in order to access the email. Recipients receive the access code via email, text, or automated phone call. The one problem is the authentication tokens—the second factor that grants access—can themselves be hacked. Hackers use phishing, malware, and fake account recovery to hack 2FA, but it’s definitely still more secure than a naked email.
Another solution available to you is PGP (pretty good privacy). A PGP service such as Mailvelope generates both a public and private key. To encrypt the message, you enter the public key, and the recipient can only open it with a private key. You can either generate a new set of keys or import an existing set. Mailvelope is available as an app for Google Chrome or Firefox.
Maybe your organization is big enough to have its own server on which you’ve developed a customized email application. In that case, it’s important to protect the Simple Mail Transfer Protocol (SMTP). SMTP is what makes emails possible at the basic level, but it’s also incredibly vulnerable to hacks.
With effort, you can make sure your organization’s emails are safe from hacks. Just remember, if you’re sending valuable information with a popular email client, without taking any security measures, you’re taking a huge risk. No one will blame you for wanting to mitigate that risk.