How Secure are Your Emails
Posted by Chris MacNaughton on Mon, Jan 11, 2010
When we send an email, whether it's to a friend, colleague, or client, we expect that the email will arrive, uncompromised, to the intended recipient. We also expect that the email will not be redistributed to others without our consent. However, once we hit the send button, the message is largely out of our control. Will it arrive as intended? Will hackers intercept the message? Will the recipient keep the message to himself? How secure are your emails? How can you be sure that your message won't be altered and recirculated? How can you maintain data integrity and confidentiality?
It's becoming increasingly common for individuals to append a confidentiality clause or disclaimer to messages. An example of such a clause is:
"Any information contained in or attached to this e-mail is intended solely for the use of the intended recipient(s) and may contain information that is confidential or legally privileged. If you are not an intended recipient of this e-mail, please notify the sender of the delivery error and then please delete and destroy all copies and attachments, and be advised that any review or dissemination of, or the taking of any action in reliance on, the information contained in or attached to this e-mail is expressly prohibited."
While it's smart to include such a disclaimer, it's even smarter to use digital signatures and digital encryption tools to protect your confidential e-mail messages. In fact, depending on the nature of the email message or regulations governing your firm, your messages may need to be encrypted in order to comply with regulations such as HIPAA, SOX, or GLBA.
Various technologies are used to encrypt and digitally sign email messages. Regardless of which technology your firm uses, the idea is that an encrypted message can only be viewed by those holding the "keys" to unlock it. An encrypted message is scrambled before being transmitted. Your recipient must have the "key" in order to unscramble the message. This is usually done through the use of digital IDs, which verify an individual's identity through a third-party vendor. Once each individual has obtained a digital ID, they send each other digitally signed messages, which add the individual's digital ID to the contact's information in the email program. These digital IDs are also known as "public keys" and can be shared with the general public.
Sharing each other's "public keys" may not sound terribly secure. However, the public key is only half of the equation. When you want to send an encrypted email to a person with a digital ID or public key, you use the provided digital ID or public key to encrypt it. The individual holds a second key, which is never shared, that deciphers the message. In general, the keys are set up on the individual's computer in their email program, and a pass phrase is used to open the message.
Once the digital identities have been established, it becomes possible to send encrypted messages to one another. This ensures that your message is only viewable by the intended recipient. If a system administrator stumbles onto the e-mail in the system, the administrator cannot view it. If a hacker intercepts the message, he cannot open it. If a co-worker sneaks into your office, she cannot open the message unless she knows your secret pass phrase.
Adding a digital signature to your emails is also an excellent way to establish that the email is really from you and not from an imposter. For example, if you're concerned that someone might set up an email account in your name and then pose as you, start digitally signing your messages to establish which emails are definitely originating from you and which ones are questionable. Likewise, receiving digitally signed e-mail messages from your colleagues and clients ensures that what you are receiving originated with those individuals.
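The sign-then-encrypt exchange described above can be reproduced with the openssl command-line tool's S/MIME support. This is an added example, not part of the original post: alice, bob, example.test and the file names are constructed, and self-signed certificates stand in for the vendor-issued digital IDs.

```bash
#!/usr/bin/env bash
# Added example: alice, bob, example.test and every file name are constructed.
# Self-signed certificates stand in for vendor-issued digital IDs.
smime_demo() {
  local d who out
  d=$(mktemp -d) || return 1
  for who in alice bob; do
    # Each party gets a private key (never shared) and a public certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=$who/emailAddress=$who@example.test" \
      -keyout "$d/$who.key" -out "$d/$who.crt" 2>/dev/null || return 1
  done
  printf 'Wire the deposit on Friday.\n' > "$d/msg.txt"

  # Alice signs with her private key, then encrypts to Bob's public certificate.
  openssl smime -sign -text -in "$d/msg.txt" -signer "$d/alice.crt" \
    -inkey "$d/alice.key" -out "$d/signed.eml" 2>/dev/null || return 1
  openssl smime -encrypt -aes256 -in "$d/signed.eml" -out "$d/enc.eml" \
    "$d/bob.crt" 2>/dev/null || return 1

  # Bob decrypts with his private key, then checks Alice's signature.
  openssl smime -decrypt -in "$d/enc.eml" -recip "$d/bob.crt" \
    -inkey "$d/bob.key" -out "$d/dec.eml" 2>/dev/null || return 1
  out="verified=no"
  if openssl smime -verify -text -in "$d/dec.eml" -CAfile "$d/alice.crt" \
       -out "$d/body.txt" 2>/dev/null &&
     [ "$(tr -d '\r' < "$d/body.txt")" = "$(cat "$d/msg.txt")" ]; then
    out="verified=yes"
  fi

  # Anyone holding a different private key cannot open the message.
  if openssl smime -decrypt -in "$d/enc.eml" -recip "$d/alice.crt" \
       -inkey "$d/alice.key" -out /dev/null 2>/dev/null; then
    out="$out wrongkey=accepted"
  else
    out="$out wrongkey=rejected"
  fi

  # A message altered after signing no longer verifies.
  sed 's/Friday/Monday/' "$d/dec.eml" > "$d/tampered.eml"
  if openssl smime -verify -text -in "$d/tampered.eml" \
       -CAfile "$d/alice.crt" -out /dev/null 2>/dev/null; then
    out="$out tampered=accepted"
  else
    out="$out tampered=rejected"
  fi
  rm -rf "$d"
  echo "$out"
}
smime_demo
```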
Encrypting and digitally signing messages is a bit clumsy to set up at first but well worth doing to ensure data integrity and confidentiality.