We often forget in the course of our busy work lives that there are risks in how we communicate with one another. The old days of sending a paper letter addressed to a specific person did not put that information at the kind of risk that sending email does today. Email has replaced the paper and pen, and in many cases, we use it for quick conversation. What we really need to keep in mind is that email should generally never be considered a secure form of communication.

It’s not uncommon for support personnel to receive an email asking for help. Unfortunately, these messages sometimes contain login credentials, including the password in plain text. Yes, that information may be needed sometimes, but sending it in an unsecured email message is not the way to do it. Support personnel who are assisting you may indeed need your login, but they should not ask for your password, and you should not give it to them on the phone and especially never in email. It’s not difficult for someone to intercept email messages. In fact, there are now examples of hackers following email threads between colleagues and using the information found in those emails to phish for more information or to get malware into the organization’s network. Consider anything sent in email up for public use.

If you receive an email from a client, vendor or anyone else that contains personal or confidential information of any kind, it should never be forwarded or replied to unless you are 100% certain that all confidential information has been completely removed from the email. In most cases, it is better to start a completely new email and simply paste in the information that they want included, leaving out the confidential information. Any time confidential information is received in email, management should be notified and the company policy addressing this should be followed. In most cases the email should be deleted immediately and also removed from deleted emails. But again, check with management first. Also, once you have spoken to management, you should notify the sender and advise him or her not to send confidential information to you in that manner.

In some cases, people will also send attachments with personal information and then password-protect them. While this is not recommended, it may be acceptable in some circumstances. However, don’t ever include the password in the same email or even send a follow-up email with the password. That is just as bad as sending plain text, since the risk is that a criminal may compromise your email. And if one does, you want to make sure the information in that email can’t be used by anyone for malicious acts.

Instead, recommend to colleagues that if they need to send confidential information, they should do so by using a secured mail solution or by sending documents that have been password-protected. Then call the recipient and provide the password, or text the password to the recipient’s phone with instructions to delete it as soon as the document is opened. But ask your manager for the proper procedure.

If you are using a secure email solution, make sure that you see the secure web page indicators. That means looking for https:// at the beginning of the address, checking for the lock icon indicator, and/or making sure the address is green and definitely not red. A red URL or highlight preceding the address often indicates that whatever page you’re on is not secure.

Whatever the case, just remember that email should never be considered a safe way to send sensitive or confidential information. There are just too many examples of how the information being exchanged has been used in a malicious manner against a person or organization. Instead, pick up the phone and discuss the issues or ask your manager the best way to handle the exchange of that information.