The Do’s and Don’ts of Sending Sensitive Information

Mortgage lenders, medical assistants, engineers, legal secretaries, benefits administrators, and HR generalists. What do these professions have in common? They all regularly handle sensitive information — and all require some form of email security.

Whether it’s Personally Identifiable Information (PII) like a client or patient’s Social Security number, intellectual property like drawings of a proprietary product, or your company’s bank account details, failing to secure data transfer can have devastating consequences.

Email is like the Pony Express of today’s business world. It’s fast, convenient, and readily available. Create a new message, add the recipient’s address, attach that document or paste in that SSN, type a quick note, and click send, right?

The Truth About Email: Recent Security Statistics

It might surprise you to learn that email isn’t as secure as you might think. Just take a look at these stats from 2023:

Don’t Trust Inherent Email Security

You may log in to your email account with a password, but that alone does not amount to proper email security. When an email is sent, it travels across a series of networks and servers to reach the recipient, often in human-readable text. During that time, hackers can intercept the data without detection. Ask yourself: would I send this sensitive information via U.S. Mail in a see-through envelope?
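One way to see, after the fact, whether a message crossed any server-to-server hop without TLS is to read its Received headers. The following is an added example, not part of the original article; the sample message, hostnames and function names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample message (not real traffic); hosts use reserved example names.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])
    by mailstore.recipient.example with ESMTP id C3;
    Tue, 02 Jan 2024 10:00:03 +0000
Received: from out.sender.example (out.sender.example [198.51.100.7])
    by mx.recipient.example with ESMTPS id B2
    (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
    Tue, 02 Jan 2024 10:00:02 +0000
Received: from laptop.sender.example ([192.0.2.44])
    by out.sender.example with ESMTPSA id A1;
    Tue, 02 Jan 2024 10:00:01 +0000
From: hr@sender.example
To: client@recipient.example
Subject: Benefits form

See attached.
"""

# RFC 3848-style "with" keywords: an S after the base protocol means the hop used TLS.
TLS_KEYWORD = re.compile(r"(?:UTF8)?(?:E?SMTP|LMTP)(S?)A?")


def audit_hops(raw_message):
    """Return [(receiving_host, protocol, encrypted)] in sender-to-recipient order."""
    msg = message_from_string(raw_message)
    hops = []
    # Each server prepends its own header, so the list is reversed for transit order.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # undo header folding
        by = re.search(r"\bby\s+(\S+)", flat)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", flat)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        keyword = TLS_KEYWORD.fullmatch(name)
        # Some servers record TLS only as a "(version=TLS...)" comment.
        encrypted = bool(keyword and keyword.group(1)) or "version=TLS" in flat
        hops.append((by.group(1) if by else "UNKNOWN", name, encrypted))
    return hops


def plaintext_hops(raw_message):
    """Receiving hosts that accepted the message without recorded TLS."""
    return [host for host, _, enc in audit_hops(raw_message) if not enc]


if __name__ == "__main__":
    for hop in audit_hops(SAMPLE):
        print(hop)
```

Received headers record only what each relay chose to log, so a clean result indicates transport encryption per hop, not protection of the stored copies or of the content end to end.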

Besides the transmission, a copy of email messages is typically stored on your computer, your server, your server’s backup server (physical or in the cloud), the recipient’s computer, their server, their server’s backup… you get the idea. And unfortunately, one positive trait hackers boast is their patience. They enter networks through a hidden vulnerability and remain in the shadows for weeks, months, or years.

Even if you believe your network is sufficiently protected, you cannot control the quality and effectiveness of the recipient’s security measures. You’re only as strong as your weakest link.

Do Secure Your Email With Encryption Technology

Encryption is the process of converting a message into random characters that can only be decrypted and understood by an authorized party. Of course, this is nothing new — from ancient Rome to the armed forces in World War II, coded messages have been used as a secret form of communication throughout history.

When encryption is enabled for email, the sender’s message is diverted to a secured portal. The intended recipient is emailed a link to the portal where they create a login (username and password) from which they can then retrieve the message.

This does leave an obvious gap; if somebody else obtains the message about the secure portal before the recipient, they can quickly create the login and retrieve the message. However, this is still a big improvement over regular email security.

Don’t Rely On Basic Encryption

“Password protecting” a document à la Office 2003 doesn’t cut it anymore — nor does basic encryption. If they could figure it out in the 1940s, it wouldn’t take a sophisticated criminal to do it today. (Side note: if you haven’t seen the movie “The Imitation Game” about how the Brits broke the Nazi codes using Alan Turing’s machine, you’re missing out!)

Many email platforms, including Microsoft’s Office 365 or Google’s G Suite, offer an encryption option, usually at an added cost. The complex and ever-changing nature of internet security means it’s important to consult your IT people to verify the quality of a solution and its configuration.

Do Use File Transfer Tools Instead Of Email

The most secure way to electronically transfer sensitive information is through a file-sharing program. Applications like ShareFile by Citrix offer a few different options for the private sharing of documents or data. This includes the Outlook add-on software that encrypts email messages with the click of a button. Here are a few other options:

Dropbox

Dropbox is a commonly used file-sharing tool, especially among small businesses. You can set up a Dropbox account, upload files to it, and then tell Dropbox you authorize sharing files or folders with specific people.

Dropbox will notify those people via email, have them create their own account (if they don’t have one already), and allow them to view and download those files.

Dropbox, and tools like it, use Secure Sockets Layer (SSL) technology and Transport Layer Security (TLS) to create a secure “tunnel.” Consider this beefed-up encryption. SSL and TLS are considered best practices for most businesses.

Web Portals

Web portals are growing in popularity, and are especially useful in healthcare, financial services, and other industries with strict requirements like HIPAA. An individual is given a username and password to access an organization’s portal. People can send messages and upload documents within the portal while logged in via a secure (HTTPS) connection.

Many businesses already have this capability with systems they already own, yet we find staff are still emailing sensitive stuff. As with so many things, it comes down to education and compliance. We’ve seen companies start including security practices as part of staff coaching, rewards, and performance evaluations.

Fax

If you can’t put one of the above options or proper email security in place, fax it. Faxing essentially encodes a picture of a document and transmits it on plain old telephone lines. For this and other reasons, it’s not as susceptible to snooping. It’s also not a focus for cybercriminals.

It has obvious downsides that we don’t need to detail here (there’s a reason we all abandoned it), but it’s better than putting that “open envelope” out there.

Pro Business Security Tips to Step Up Your Game

Sometimes, it’s not enough to adopt just one method of security. Businesses need to implement multiple layers of protection to ensure the safety of sensitive information. Here are some extra precautions you can take to up your security game:

  • Get Serious About Internet Security: For a solid start, you must first understand the problem. Keep reading and learning about the big challenges in cybersecurity. Make sure you can evaluate your internet security products and understand the vulnerabilities in each.
  • Train Your Employees: The best technology in the world won’t help if your employees don’t understand the risks and how to avoid them. Ensure they receive regular training on internet security and handling sensitive information.
  • Develop a Security Policy and Enforce It: Your policy should be specific, outline expectations for behavior, reference state and federal regulations, include disciplinary action measures, and be upheld.
  • Limit Access: Review email server logs for signs of unauthorized access. Establish protocols to revoke access if an employee leaves or is terminated.
  • Install Antivirus Software: It’s not a fail-safe, but it’s always a good idea.
  • Check Email Security Protocols: It’s important to regularly check your security protocols and make sure they’re up to date. This includes encryption, spam filters, and firewalls.

Upgrade Your Email Security With Safety Net

As technology advances, so do the methods of cybercriminals. At Safety Net, we offer secure, advanced IT services to help businesses secure their data transfer and protect against cyber attacks. From email encryption to network security, our team of experts will handle it all! Protect your business properly by reaching out to our team today.