The 1 “Don’t” and 3 “Do’s” When Sending Sensitive Information
Mortgage lenders, medical assistants, engineers, legal secretaries, benefits administrators, and HR generalists. What do these professions have in common? They all regularly handle sensitive information.
Whether it’s Personally Identifiable Information (PII) like a client’s Social Security number, intellectual property like drawings of a proprietary product, or your company’s bank account details, failing to secure the transfer of data can have devastating consequences.
Email is like the pony express of today’s business world. It’s fast, convenient, and readily available. Create a new message, add the recipient’s address, attach that document or paste in that SSN, type a quick note, and click send, right?
Beware, Email is Inherently Insecure
You may log in to your email account with a password, but that does not make the transmission of email secure. When an email is sent, it travels across a series of networks and servers to reach the recipient, often in human-readable text. During that time, it’s possible for hackers to intercept it without detection. Ask yourself: would I send this sensitive information via U.S. Mail visible in a see-through envelope?
Besides the transmission part, a copy of email messages is typically stored on your computer, your server, likely your server’s backup server (physical or in the cloud), the recipient’s computer, their server, their server’s backup, you get the idea. Hackers can be patient. They’ve been known to enter a network through a vulnerability and remain in the shadows for weeks, months, or years. Even if you believe your network is sufficiently protected, you cannot control the quality and effectiveness of the recipient’s security measures.
Email Can Be Secured Using Encryption Technology
Encryption is the process of converting a message into random characters that can only be decrypted and understood by an authorized party. Of course, this is nothing new. From ancient Rome to the armed forces in World War II, coded messages have been used as a secret form of communication throughout history.
When encryption is enabled for email, the sender’s message is diverted to a secured portal, like Barracuda Networks. The intended recipient is emailed a link to the portal where they can create a login (username and password) from which they can then retrieve the message. This does leave an obvious gap; if somebody else obtains the message about the secure portal before the recipient, they can quickly create the logon and retrieve the message. However, this is still a big improvement over regular email.
“Password protecting” a document, à la Office 2003, doesn’t cut it anymore, nor does very basic encryption. If they could figure it out in the 1940s, it doesn’t take a very sophisticated criminal to do it with today’s technology. (Side note: if you haven’t seen the movie “The Imitation Game” about how the Brits broke the Nazi codes using Alan Turing’s machine, you’re missing out!)
Many email platforms, including Microsoft’s Office 365 or Google’s G Suite, offer an encryption option, usually at an added cost. The complex and ever-changing nature of internet security means it is important to consult your IT people to verify the quality of a solution and its configuration.
Using File Transfer Tools, Rather Than Email
The more secure way to electronically transfer sensitive information is through a file-sharing program. Applications like ShareFile by Citrix offer a few different options for the private sharing of documents or data. They include Outlook add-on software that will encrypt an email message simply by the user clicking an icon.
Dropbox is a commonly used file-sharing tool, especially among small businesses. You set up a Dropbox account, upload files to it, and then tell Dropbox you authorize sharing files or folders with specified people. Dropbox will notify those people via email, they create their own account (if they don’t have one already), and can then view and download those files. Dropbox, and tools like it, use Secure Sockets Layer (SSL) technology and Transport Layer Security (TLS) to create a secure “tunnel.” Consider this beefed-up encryption. SSL and TLS are considered best practices and acceptable for most businesses.
Web portals are growing in popularity, and are especially useful in healthcare, financial services, and other industries with strict requirements like HIPAA. An individual is given a username and password to access an organization’s portal. People can send messages and upload documents within the portal while logged in via a secure (https) connection. Many businesses already have this capability with systems they already own, yet we find staff are still emailing sensitive stuff. As with so many things, it comes down to education and compliance. We’ve seen companies start including security practices as part of staff coaching, rewards, and performance evaluations.
Believe it or not, if you really can’t put one of the above in place, fax it. Faxing essentially encodes a picture of a document and transmits it on plain old telephone lines. For this and other reasons, it is not as susceptible to snooping. It’s also not a focus for cybercriminals. It has obvious downfalls that we don’t need to detail here (there’s a reason we all abandoned the thing), but it’s better than putting that “open envelope” out there.
As published in the August 2017 edition of the Traverse City Business News (TCBN)
September 26, 2023 in Security
September 26, 2023 in Security