Email is one of the most dangerous activities any of us does online. The way most companies implement email, it’s trivial for email account access to be compromised and for sensitive information (human resources, budgets, etc.) to get into the wrong hands. SPAM reduces our organizational efficiency and malicious software often enters networks through email. What can be done to lower these risks?

First, find out - by looking at your email settings or talking to your network staff or ISP - if you are using an unencrypted protocol (POP or IMAP) to get your email. If so, then someone – an employee or other fellow network user using a ‘sniffer’ tool - can capture your login information and intercept the emails. If your email provider can’t provide you a secure protocol, you must take other steps to encrypt the emails.  If you are using a public network, you can encrypt all your network traffic – including your emails – by using a Virtual Private Network (VPN). If your company has a firewall that includes VPN capability and you connect to it before checking your email, then the traffic can’t be ‘sniffed’ as easily.

Note that my blog is hosted by Internet Crusade, and their email solutions are fully capable of secure protocols such as SSL encryption for POP mail – according to Mike Barnett you just have to ask for it and they can hook you up!

You can also encrypt your email and attachments in other ways. While this doesn’t stop people from ‘sniffing’ an insecure email protocol, it can stop people from reading email and opening attachments that are sent to them by accident. Encrypting the whole email is not easy for the non-techie, depends on the platform being used for sending and receiving email, and gets most complex when the sender and receiver are on different platforms. Helping the reader navigate this maze is not something that can be done in a short article. In terms of encrypting files and email attachments on Windows computers, I’m fond of free-to-inexpensive products from http://www.kryptel.com/.  

The next tool in your security arsenal is to use company policy to educate employees on safer email behaviors. The policy can include instructions not to use email to distribute offensive materials, not to send or forward SPAM, how to try to recognize phishing, pre-texting, or other social engineering involving email, not to send confidential information via email and when to use encryption, and not to open attachments from un-trusted sources – or even from trusted sources without phone verification. The policy should also set the expectation that email may be monitored for policy compliance, and that there should be no expectation of privacy. The policy may also set email security standards for technical staff to implement, such as whether email servers pass on executable attachments at all.

None of the above steps address SPAM and the tremendous threat of malicious software that can be attached to email. At a time when spammers are becoming ever more sophisticated at evading anti-spam tools and there are free tools are available for hackers to create malicious software that cannot be detected by most anti-virus and anti-malware tools, making the right technology choices is more important than ever. As part of the ongoing support provided after an Information Security Assessment, Clareity Consulting has guided many clients through the maze of technical options that might work best for their individual needs, and strongly encourages its clients to take reasonable steps to secure their email, as it is one of the largest threats to organizational information security.