Email mistakes happen to all of us. Who can truly say that they have never done a “reply to all”, accidentally selected the wrong auto-fill email address, mistakenly included confidential personal information in an email, or made a typo that completely changed the meaning of the message?
A Silver Sky report found that 98% of employees surveyed thought that their email habits were as secure as or more secure than their colleagues'. The same survey found that 53% of respondents claim to have received sensitive private information in unencrypted emails, but only 17% admit to sending such emails. What gives? Perception vs. reality, according to the study authors, whose infographic compares bad email habits to bad driving habits.
Why the concern about email? Consider how many of the biggest, most public security breaches started with, or exposed, email. And because a message is copied at every hop it passes through – the sender's computer, the corporate email server, the Internet Service Provider's (ISP) servers, the email service provider's servers (for both sender and receiver), the receiver's corporate email server, the receiver's computer, plus the backups and archives of each of these – a single email leaves behind quite a number of targets, none of which the sender controls.
The key to implementing a secure email policy for your business is to remember that even though email may seem like a private means of communication, it is NOT. Assume that any email can be read by anyone and can never be deleted. With that premise, create a set of guidelines for yourself and for your team that clearly documents which types of information can be safely transmitted via standard email, and how to send email securely when confidential information must be included.
While it is nearly impossible to create policies and procedures that prevent people from writing dumb and embarrassing email messages, the following tips will help you prevent email-based data security breaches:
- Never include bank account numbers or credit card numbers, or copies of voided or cancelled checks, in the email body, or send unencrypted attachments that include this information.
- Never include a social security number in the email body, or send unencrypted attachments that include social security numbers.
- Never send a non-temporary password in an email, even if the User ID is not included.
- It is OK to send a User ID via email, as long as there is no associated password (not even a temporary one) included in the same email.
- Never send confidential company information via unencrypted email, whether it is in the email body or in the attachment.
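The rules above are easiest to enforce when something checks outgoing mail for them before a person has to. The script below is an added example, not part of the original post or any product it mentions: it scans a message body for the data types the list forbids, using the Luhn checksum to tell real card numbers from order numbers that merely look like them, the ABA checksum to confirm bank routing numbers, and a keyword pattern to catch passwords, while allowing a temporary password on its own but flagging it when a user ID appears in the same message. The regular expressions, function names and sample messages are all constructed for illustration; none of the numbers are real accounts.

```python
"""Outbound email policy check for the "never send" rules above.

Added example, not code from the original article. The patterns and the
sample messages are constructed for demonstration. A real deployment would
run this as a rule in the mail gateway and would also inspect attachments,
which this snippet does not.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in dashed form; excludes area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Any 9-digit run is a candidate routing number; the ABA checksum confirms it.
ROUTING_RE = re.compile(r"\b\d{9}\b")
# Account numbers carry no checksum, so rely on the word "account" nearby.
ACCOUNT_RE = re.compile(r"(?i)\baccount\s*(?:number|no\.?|#)?\s*[:=]?\s*(\d{6,17})\b")
# Group 1 captures a leading "temporary"/"temp" so the policy can allow it.
PASSWORD_RE = re.compile(
    r"(?i)\b(temp(?:orary)?\s+)?(?:password|passwd|pwd)\s*(?:is\b|[:=])\s*(\S+)")
USERID_RE = re.compile(r"(?i)\b(?:user\s*(?:id|name)|login)\s*(?:is\b|[:=])\s*\S+")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment cards; rejects look-alike numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def aba_valid(digits: str) -> bool:
    """ABA routing number checksum: weights 3,7,1 repeated, sum divisible by 10."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    weights = (3, 7, 1) * 3
    return sum(w * int(d) for w, d in zip(weights, digits)) % 10 == 0


def find_violations(text: str) -> list:
    """Return (rule, matched_text) pairs for every policy violation in text."""
    hits = []
    for m in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group(0))):
            hits.append(("credit card number", m.group(0)))
    for m in ROUTING_RE.finditer(text):
        if aba_valid(m.group(0)):
            hits.append(("bank routing number", m.group(0)))
    for m in ACCOUNT_RE.finditer(text):
        hits.append(("bank account number", m.group(1)))
    for m in SSN_RE.finditer(text):
        hits.append(("social security number", m.group(0)))
    has_user_id = bool(USERID_RE.search(text))
    for m in PASSWORD_RE.finditer(text):
        if m.group(1) is None:
            hits.append(("non-temporary password", m.group(0)))
        elif has_user_id:   # temporary password is tolerated only without a user ID
            hits.append(("temporary password together with user ID", m.group(0)))
    return hits


# Constructed sample messages; none of these numbers or names are real.
SAMPLE_MESSAGES = {
    "invoice": "Please wire to routing 123456780, account 99887766. "
               "Card on file 4111 1111 1111 1111.",
    "hr": "New hire SSN is 219-09-9999, please set up payroll.",
    "onboarding": "Your user id is jsmith and your temporary password is Welcome1!",
    "reset": "Your temporary password is Welcome1! - you will be asked to change it.",
    "order": "Your order number is 4111 1111 1111 1112, thanks for shopping.",
}


def check_outbox(messages: dict) -> dict:
    """Map message name to its list of violations; an empty list passes."""
    return {name: find_violations(body) for name, body in messages.items()}


if __name__ == "__main__":
    for name, violations in check_outbox(SAMPLE_MESSAGES).items():
        status = "BLOCK" if violations else "ok"
        print(f"{name:<11} {status:<6} {violations}")
```

The "order" message shows why the checksums matter: its 16-digit order number fails Luhn, so it is not mistaken for a card, while the "reset" message passes because a temporary password alone is allowed by the rule above and only becomes a violation once a user ID travels with it, as in "onboarding".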
If you do need to email PII (Personally Identifiable Information, such as a social security number), or you need to email confidential documents such as those containing your business plans, financial data, or intellectual property, be sure to use some form of encryption.
For attachments, you can encrypt and password-protect the files themselves using free software such as 7-Zip. Use the 7z archive format, or, if you must produce a .zip, choose AES-256 rather than the default ZipCrypto method, which is weak and easily broken; enable encryption of the file names as well, since otherwise the list of documents inside the archive is visible to anyone who intercepts it, and pick a long passphrase. Just don't include the password for the attachment in the same email, or in a follow-up email to the same address. Call the recipient with it, or send it over a separate channel such as a text message.
Alternatively, you can send a secure email that encrypts your entire message, including the email body and any attachments. There are many options available to small businesses. If your company uses Outlook, consider Microsoft Office 365 Message Encryption. Internet security companies such as Sophos, Trend Micro, and Symantec also provide encrypted email solutions. Standards-based options such as S/MIME and OpenPGP encrypt end to end as well, but both sender and recipient need certificates or keys set up first, which is why a hosted service is usually the easier choice for a small business. Whichever you pick, check what the recipient has to do to read the message, and whether the content is protected only in transit or also while it sits on the provider's servers.
Don’t let your small business fall victim to a data breach due to insecure email practices. Create a clear, easy-to-follow secure email procedure for your small business. Then make sure that everyone on your team both understands and follows it. That’s the best way to protect your company, and your customers.