Images
Who Else is Reading Your Email?
June 21, 2011
It seems an understatement to claim that email has long surpassed a paper letter as the preferred way of written communication. According to the US Postal Service, during the first quarter of 2010, they processed nearly 475,000 pieces of both first class and standard mail everyday [http://www.usps.com/financials/_pdf/QSR_FY10QT1.pdf]. However, according to the Radacati Group, emails sent in 2009 pushed nearly 247 billion per day or 2.8 million emails per second. By factoring the assumption that at least 90% of all email is SPAM email, then an estimated 280,000 emails per second are actually legitimate communications. Therefore, in 2 seconds, the world sends more email than the US Postal Service does in an entire day. Clearly, email is the way we communicate in writing.
However, there is a significant catch to this convenient electronic communication. The letter sent by the post office is customarily sealed by the sender, and the recipient must break the seal to open the letter. Thus, the recipient visibly knows it has not been read. Unfortunately, no such assurances exist with email. Email's equivalence of a post office is not a first class sealed letter. Sadly, the best parallel to understand the real security of email is to consider it to be an electronic postcard. We understand that when we send a postcard, the mailman, the mail processor, and anyone else who happens to touch that postcard could simply read it. This is a direct comparison to the reality of email.
Many users believe email to be secure by design, and that is simply not true.The SMTP protocol [the standard internet mail delivery system] is not secure and if you send an email, you may not assume its confidentiality along the way. The email may be touched out of necessity multiple times along its journey. Several ways exist for a hacker to capture email traffic silently. Therefore, if you are sending emails with confidential information, you should either refrain from doing so or implement some form of email encryption to protect your data and your business from the associated risks of data leaks via email. Encryption is the only practical way to accomplish this. Toward that end, the 415 Group is a consulting partner with PGP encryption software, although there are other options available as well.
The concluding point is simply this: one would never send confidential information in a post card, yet the exact same thing happens daily from the computer desktop. Remember, email, though convenient, has a major downside. The possible repercussions of emailing confidential information are significant, so take care to avoid those pitfalls.
by: David H. Besse, MCSE, CISSP, CISA
