My business partner who handles our security practice constantly reminds our staff and our customers: Email is Not Secure.
This means that confidential business information, especially including passwords and/or account login information, should never be transmitted via regular email. Unfortunately, I frequently observe clients sending passwords and similar security-related information via email. I've lost track of how many times a customer has emailed me a password for some critical system, only to be surprised by a phone call from me telling them to change that password right now and call me back to let me know what it is.
It's not just criminals you need to be aware of. Since the Edward Snowden affair, a number of U.S. government-run surveillance programs have come to light. Today, the New York Times ran an article alleging that the National Security Agency worked closely with AT&T to spy on internet traffic:
http://www.nytimes.com/2015/08/16/us/politics/att-helped-nsa-spy-on-an-array-of-internet-traffic.html
Am I surprised? Not particularly. In terms of national security--real or perceived--whatever the NSA really wants access to, the NSA is going to get, and it's foolish to think otherwise. What I found more interesting in the article is the suggestion that AT&T provided internet data from its peering connections...meaning anything that crossed an AT&T internet junction to get to another destination, even if it was transmitted via a non-AT&T ISP line, was potentially inspected by the NSA.
For personal email, I happen to use Gmail extensively, for its cost (free), uptime (excellent), and connectivity to other applications and websites (superb). However, I don't utilize Gmail for any type of confidential or secure transaction, and I'm pretty good at ignoring ads based on whatever I happen to be emailing someone about.
If the NSA (or Google) really wants to know the details of who I'm meeting for dinner, or what my spouse has asked me to pick up at the grocery store on the way home from work, they are quite welcome to the boring details of my life. This is somewhat akin to the "transparent life" movement; don't do anything online that you wouldn't want a total stranger to read about on Facebook.
Some of my acquaintances, however, feel very strongly that they want to maintain their privacy, even though their emails are no less innocent than mine. They've turned to more secure email systems such as SwissMail or ProtonMail (both based in Switzerland) or HushMail (based in Canada).
There's an intriguing Forbes article about ProtonMail here:
http://www.forbes.com/sites/hollieslade/2014/05/19/the-only-email-system-the-nsa-cant-access/
A number of other secure email alternatives can be found here, many of which I've never heard of:
http://www.techspot.com/article/896-secure-email-and-cloud-storage-services/
There are a number of systems to improve corporate email security. Most of them shunt marked-as-sensitive outgoing messages into a separate encrypted mail system which requires the recipients to create an account and log in to receive their email. The shunted outbound message is replaced with a plain text message indicating that a secure email is waiting for the recipient on thus-and-such a URL.
Sometimes this capability is built into existing systems. One of the lesser-known features of Barracuda Networks' anti-spam appliances is the ability to encrypt inbound and outbound emails using a system similar to what's described above. Encryption can be done automatically based on a number of message attributes, including sending or receiving domain or email address, or manually by inserting a specific keyword in the subject line (e.g., "[encrypted]").
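The shunt-and-notify flow described above, sketched as an added example (not code from any vendor or from the original post). The keyword, domain list, portal URL and function names are assumptions for illustration, and the sample messages are constructed.

```python
import secrets
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

# Assumed policy values, for illustration only.
KEYWORD = "[encrypted]"                            # manual trigger in the subject
SENSITIVE_DOMAINS = {"partner-bank.example"}       # automatic trigger by domain
PORTAL_URL = "https://securemail.example/pickup"   # placeholder portal address

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def needs_encryption(msg):
    """Return why the message must be shunted, or None for normal delivery."""
    if KEYWORD in (msg.get("Subject") or "").lower():
        return "subject keyword"
    sender = parseaddr(msg.get("From", ""))[1]
    rcpts = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    for addr in [sender] + rcpts:
        if _domain(addr) in SENSITIVE_DOMAINS:
            return "domain rule: " + _domain(addr)
    return None

def route(raw, vault):
    """Return (message that leaves by SMTP, reason); sensitive mail goes to vault."""
    msg = message_from_string(raw)
    reason = needs_encryption(msg)
    if reason is None:
        return msg, None
    token = secrets.token_urlsafe(16)   # unguessable pickup ID
    vault[token] = raw                  # a real system would encrypt this at rest
    notice = EmailMessage()
    notice["From"], notice["To"] = msg["From"], msg["To"]
    # Generic subject: the original subject can be as sensitive as the body.
    notice["Subject"] = "Secure message waiting"
    notice.set_content("A secure email is waiting for you at:\n%s/%s\n" % (PORTAL_URL, token))
    return notice, reason

# Constructed sample messages.
SAMPLE_KEYWORD = ("From: alice@corp.example\nTo: bob@client.example\n"
                  "Subject: [Encrypted] Q3 contract\n\nThe admin password is hunter2\n")
SAMPLE_DOMAIN = ("From: alice@corp.example\nTo: carol@partner-bank.example\n"
                 "Subject: Wire details\n\nAccount 000-constructed\n")
SAMPLE_PLAIN = ("From: alice@corp.example\nTo: dave@client.example\n"
                "Subject: Lunch\n\nNoon on Friday?\n")
```

The point to check in any such system is that neither the original body nor the original subject survives in the notification that travels over ordinary email.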
Sometimes it's not the contents of the email that are sensitive, it's the attachments. If you have critical/proprietary/secret business documents, don't send them via regular email. Use a third party system such as Box.com. For a more complete list of similar systems, use your favorite search engine to look for "secure file transfer".
The other benefit of using a secure file transfer system is that it will reduce the size of your company's email database, and make your email administrators very happy. In nearly every client company, I've watched users routinely swap huge files via email not just with outsiders, but also internally. If you've ever wondered why your email system keeps taking up more and more disk space, this is one of the primary reasons.
There are also file sharing mechanisms that aren't necessarily marketed as "secure", but which are sold based on convenience. Most of these are probably secure "enough" for routine business files. These are typically sold as file synchronization products, which keep your files in the cloud and synchronize them to all of your various devices. However, they also allow sharing of your files with an outside person via an easy-to-copy-and-paste link. Box.com is one such system, as are Novell Filr, Barracuda CudaFile, SugarSync, Dropbox, and Code 42's CrashPlan. (Note: This is not intended to be a comprehensive list or an implicit endorsement; these are simply the products with which I'm most familiar.)
The point of all of this? Be aware that email is not secure, and treat it accordingly. If you have something sensitive to transmit, transmit it via a secure system...which will generally NOT be your personal or corporate email.
[Disclosure: My employer resells and/or utilizes Barracuda, Code 42, and Novell products and services. Neither I nor my employer have received compensation of any kind from any of the companies mentioned in this article, nor have any of those companies requested inclusion in this article.]