Dirty Lies You Were Told About Email Security

July 25, 2014
Kevin Lam

I was helping out a customer this week figure out some server issues on their side (not related to our service thankfully). I was just about to call them and ask for the password when I see two emails land in my inbox. One with their username and the second with their password. Really bad idea. I let the customer know and advised him to change his password immediately. He did, but he also shared with me “I was told that it was secure to do that” (it’s not).

In this week’s Data Protection Friday article, I’ll cover common email security lies and myths that you’ve been told and why. At the end, I’ll show you a dead simple way to encrypt email that won’t cost you a thing.

Lie #1: “Email is secure”

Let’s start with the most obvious lie: email is secure. In order to protect data by today’s standards, you must protect that data in the following scenarios:

  • At rest.  This means how the data is protected when it is stored on a server or workstation.
  • In transit. This means how the data is protected when it’s being transmitted across a network.

Just think of sending email like driving across the US from California to New York. To get to New York you need to cross a whole bunch of states, and it’s the same with email. To get to its final destination, your email (you know, the one you just sent with your customer’s social security numbers) has to cross a bunch of networks and servers, not just one. Some of those networks and servers might protect your email with encryption, but there’s no guarantee that all will.

Lie #2: “Email requires a password, so it’s secure”

Not true.  Sure, you need to enter in your username and password in order to access your inbox. But that just protects who can access your inbox, it doesn’t mean that when you send an email containing sensitive information like SSNs or passwords that it’ll remain secure. Your password has nothing to do with how your email is protected after you hit the send button.

Lie #3: “Email providers use encryption, so it’s secure”

That’s great, good on your email provider. But in order for the email that you just sent to remain secure, every other provider that your provider communicates with also needs to use encryption, and every other provider that provider communicates with has to as well, etc. And there’s no guarantee of that.
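To make the hop-by-hop point in Lie #1 and Lie #3 concrete, here is an added example (not from the original article) that reads the Received headers each mail server stamps on a message and reports which hops recorded TLS, based on the RFC 3848 `with` keywords. The message, hostnames and IDs are constructed for illustration, and the function names are this example's own.

```python
import re
from email import message_from_string

# Constructed sample message (hosts, IPs and IDs are made up for illustration).
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])
\tby mailstore.recipient.example with LMTP id abc123;
\tFri, 25 Jul 2014 10:00:03 -0700
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id def456;
\tFri, 25 Jul 2014 10:00:02 -0700
Received: from mail.sender.example (mail.sender.example [192.0.2.25])
\tby relay.isp.example with ESMTPS id ghi789
\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256);
\tFri, 25 Jul 2014 10:00:01 -0700
From: alice@sender.example
To: bob@recipient.example
Subject: constructed test message

body
"""

# RFC 3848 "with" keywords; the trailing S (or SA) means STARTTLS was used.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
HOP_RE = re.compile(r"\bby\s+(\S+).*?\bwith\s+(\S+)", re.S | re.I)

def hop_report(raw_message):
    """Return [(receiving_host, protocol, tls_recorded)] in delivery order."""
    msg = message_from_string(raw_message)
    hops = []
    # Each server prepends its header, so reverse to get sender -> recipient.
    for header in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(header)
        if not m:
            continue  # header without a "by ... with ..." clause
        host, proto = m.group(1), m.group(2).rstrip(";").upper()
        hops.append((host, proto, proto in TLS_PROTOCOLS))
    return hops

def unencrypted_hops(raw_message):
    """Hosts that accepted the message without recording TLS."""
    return [host for host, _, tls in hop_report(raw_message) if not tls]

if __name__ == "__main__":
    for host, proto, tls in hop_report(SAMPLE):
        print(f"{host:32} {proto:8} {'TLS recorded' if tls else 'no TLS recorded'}")
```

Received headers are self-reported by each server, so a hop that records TLS is only as trustworthy as the server that wrote the line, and a hop that records none gives you no assurance at all.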

Lie #4: “Cloud-based email is secure”

Another lie. Cloud-based email is the same as traditional email, except instead of the email server being located and managed at your office or company, it’s hosted and managed by someone else. It’s the same sending and receiving protocol as before. “Cloudifying”, if that’s a real word, won’t make a difference.

Lie #5: “As long as it’s not Microsoft email, then it’s secure”

Microsoft has nothing to do with email being secure or not. Email is a standard protocol; the fact that an email is sent via a service provided by Microsoft, Google, Yahoo or Joe’s IT company doesn’t make a difference to the security of that email. It’s like speaking a language like English: the US, Canada or Europe didn’t invent it, but everyone understands it.

How to Send Encrypted Email (for Free)

Now that you know about common lies and myths about email security, it’s time to get to the real meat. Here’s an article I wrote on how you can send encrypted email with the software you probably already have on your computer right now.

Alright, that’s it for this week’s Data Protection Friday article. Thanks for reading and see you next Friday,

–Kevin