One of the most common fallacies about internal, corporate email systems is that they are secure. All the communication stays within the firewall, so it’s all ducky, right? Yeah, not so much. It doesn’t matter if you’re using Lotus Notes or Exchange or even just IMAP/POP for internal email; they all suffer from the same problems. Here at eCrypt we’re working on solving those problems in the easiest, most straightforward ways possible, but let’s talk about the problems themselves first so you can understand where we’re coming from.
Internal servers are open to IT staff
Part of being in corporate IT is being able to administer the servers. Part of administration is having access to everything on that server. If we’re talking about a mail server, that means that your basic IT system administrator can read, copy, even delete messages from the server. Sometimes this is essential to doing their job, like when a ginormous email is stuck uploading and needs to be deleted, so you don’t want to take that power away from them. The problem is that people are susceptible to all sorts of temptations. Maybe your competitor finds a sys admin who has a little debt problem and offers enough money to fix it, in exchange for pulling off all the communications to and from the executive team and sending those emails to the competitor.
Think this can’t happen? I have one word for you: Wikileaks.
Even if your email is encrypted to and from the recipient, sometimes there is an unencrypted copy stored on the server too. Oh, and even if the email is encrypted, sometimes the attached files are not. The email might be boring, but I’m sure the spreadsheet with sales projections isn’t.
Road warriors connecting insecurely
Companies want their employees to be able to keep up with goings-on while away from the office. Maybe it’s working at home or on the road or at a conference. Telework and remote work are an essential part of doing business today (all of us at eCrypt work from our own home offices a large part of the time). This convenience can come at a high price though. Unless you require employees to connect through a secure VPN before being able to send and receive corporate emails, your employees might be connecting over any old WiFi connection they can get. Convenient, yes; secure, no. While users are connected to an insecure hotspot, the scallywags of the Internet can be intercepting usernames, passwords, files, and entire emails from them without their knowing. Remember Firesheep? Yeah, that’s just the tip of the iceberg.
Yes, having connections secured with SSL (the URL showing https) is a great start, but it isn’t the entire picture. Starting with an insecure connection is just asking for trouble. We all know it, but we don’t often do much about it.
These aren’t the only issues
I’ve hit on just two of the biggest issues that face corporate email. These don’t include stolen laptops or phones, bad passwords, or poorly configured security. At eCrypt we’re working on solutions to ensure that your email is not only encrypted in transit but also stored encrypted on the server. Sure, a sys admin can grab the files, but they are useless. We believe as well that securing your emails should be drop-dead easy. No additional software. No creating new email addresses to use.
We know that if you make security hard, cumbersome, or too geeky, people won’t use it. We think it’s time to change that model so that everyone can encrypt and secure information when they need to, and so that it isn’t expensive to do. Because sometimes, you just need to keep something secret.