We all know email can be used for spam, and you may even know about phishing and other attacks. What we tend to forget is that when we send information via email, it can be open for the world to see.
It’s like sending a postcard.
Here’s the life of a typical business email to 1 person.
1 – The corporate network, your IT team
Your IT team will have access to all your emails, and they’ll back them up (possibly unencrypted), and yes, they’ll read them occasionally, if they’re bored, or just curious as to what their management is thinking. Additionally, 55% of US employers do actually monitor and read their employees’ email.
2 – The accidental forward or the wrong address
Whoops – we’ve all done it (well, certainly the US Air Force has, when they sent Air Force 1’s flight path to a webmaster, hundreds of times). And once you’ve done it, you can’t get it back. Let’s assume you sent it to the right people.
3 – Emails outside your business – the Internet
From here, we venture onto the big bad internet. First, your ISP may be able to read it. Or your government has requested a ‘tap’, so they can see what you’re up to. Then your email is bounced around, usually with no encryption, through a series of ISP (Internet service provider) computers. If one of these special computers, or “routers”, is hacked, then hackers can view all the traffic passing through it, including your email. Any one of the tens of routers your email will pass through could be compromised, and someone may be interested in what you’re saying.
4 – The authorities
In the UK, the Government has the “Regulation of Investigatory Powers Act”, which gives trustworthies like the Ambulance Services, the Department for Transport and local Councils the ability, with a little paperwork, to take a look at our communications. In the US, the government has been using the Stored Communications Act (SCA) to read private e-mails without a search warrant (also see the Patriot Act, PRISM, etc.).
“Most unencrypted email is vulnerable to unauthorised access and alteration as it passes over the Internet.. Firms are recommended to adopt systems that… automatically encrypt all outgoing email to those offering similar facilities” The Law Society Email Guidelines 2005
5 – The recipient’s IT team
So the email makes it to your recipient’s servers. Again, their IT team may be interested in taking a peek, and they’ll take a backup, and perhaps their security isn’t as good as yours, so the emails may now be accessible via a weakly secured webmail, for example. Or their backups aren’t encrypted.
6 – The recipient’s computer
It may be compromised, or backed up somewhere crazily insecure.
What can you do?
Until some sort of global email security standard can be set up and enforced, it’s best to use something else for anything sensitive. The Kremlin are using typewriters! There are plenty of commercial and free secure messaging and collaboration services out there. Our own safedrop is great for messaging.
Or move on from messaging, and start using a collaboration tool like projectfusion to capture casual content and collaborate securely.