How to send sensitive information by email. And isn’t there a better way?

Organizations and individuals should always be concerned about the security of their email correspondence. After all, everyone has probably been guilty at least once of sending a message to the wrong person or accidentally clicking ‘reply all’.

If you’re lucky, your misdelivered message didn’t reveal anything major, and at most you’ve had to apologise. In the worst case, you may have divulged confidential information or sensitive data. Emails very often carry such data either in the body or in an attachment, so a misdelivery can have far more substantial consequences than embarrassment.

Depending on the nature of the information disclosed, this could have serious financial or logistical implications for your business, have nasty privacy implications for data subjects or companies, and expose your organisation or you directly to disciplinary action under the GDPR (General Data Protection Regulation).

Emails pose a security risk

While email is very convenient, it doesn’t offer much in the way of security. Experts often liken it to sending a letter: you write a message, address it and hand it to someone else to deliver. The letter may end up with the wrong person, and email adds a further set of risks on top of that.

For example, a cybercriminal could take over your account through a phishing scam. Once inside, they could set up a forwarding rule that sends a copy of every email you send to an address they control. That way they can read everything you send, which in practice covers much of your incoming mail too, since incoming messages are often quoted in replies.

Although the vast majority of emails we send are completely innocuous, it only takes one intercepted email with sensitive data to cause a big problem.
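The forwarding rule described above leaves a trace in the mail platform’s audit log, and that is where a defender looks for it. The following script is an added example, not code from the original article: it reads constructed audit lines (one JSON object per rule change, with field names such as `operation`, `user`, `forward_to` and `delete_message` that are an assumption for this example rather than any particular platform’s schema) and reports every rule that forwards mail to a domain outside the organisation.

```python
"""Flag mailbox rules that forward mail to external addresses.

Added example (not code from the original article). It assumes a generic
audit log in which each line is one JSON object describing a rule change;
the field names used here (operation, user, forward_to, delete_message)
are an assumption for this example, not any particular mail platform's
schema.
"""
import json
from typing import Dict, Iterable, List, Set

# Constructed sample audit lines; the addresses and domains are made up.
SAMPLE_LOG = """\
{"time": "2024-03-01T08:12:00Z", "operation": "NewInboxRule", "user": "alice@example.com", "rule": "Archive newsletters", "forward_to": [], "move_to": "Newsletters"}
{"time": "2024-03-01T09:45:10Z", "operation": "NewInboxRule", "user": "bob@example.com", "rule": "Sync", "forward_to": ["collector@mail-drop.invalid"], "delete_message": true}
{"time": "2024-03-01T10:02:33Z", "operation": "SetMailboxForwarding", "user": "carol@example.com", "forward_to": ["carol.assistant@example.com"]}
{"time": "2024-03-01T11:30:00Z", "operation": "SetMailboxForwarding", "user": "dave@example.com", "forward_to": ["dave.personal@webmail.invalid"]}
"""

# Assumption: the organisation's own mail domains.
INTERNAL_DOMAINS: Set[str] = {"example.com"}


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def find_external_forwarding(lines: Iterable[str],
                             internal_domains: Set[str] = INTERNAL_DOMAINS) -> List[Dict]:
    """Return one finding per rule change that forwards mail outside the organisation."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        external = [t for t in rec.get("forward_to", [])
                    if domain_of(t) not in internal_domains]
        if not external:
            continue  # internal forwarding is routine; nothing to report
        # A rule that also deletes the original hides the copy from the mailbox
        # owner, so it is the pattern to treat as most urgent.
        severity = "high" if rec.get("delete_message") else "medium"
        findings.append({
            "time": rec.get("time"),
            "user": rec.get("user"),
            "operation": rec.get("operation"),
            "external_targets": external,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in find_external_forwarding(SAMPLE_LOG.splitlines()):
        print(f"[{f['severity']}] {f['time']} {f['user']} {f['operation']} "
              f"-> {', '.join(f['external_targets'])}")
```

Run against the sample, the script reports Bob’s rule (forward plus delete) as high and Dave’s mailbox forwarding as medium, and ignores Alice’s and Carol’s internal rules. In a real deployment the same logic would be fed from the platform’s audit export, and the internal-domain set would be the organisation’s actual domains.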

Misconfiguration of the email inbox is also a risk

Similarly, employers should be concerned about misconfigurations of their email platforms. A flaw in an organisation’s email service could allow a criminal hacker to connect to the mail server without authentication and send emails purporting to come from an employee. They could then easily request sensitive data or ask for invoices to be reimbursed.
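The spoofing risk described above is addressed on two fronts: the mail server must require authentication before it relays mail, and the domain should publish SPF and DMARC records so that receiving servers can reject messages that do not come from the domain’s authorised servers. The check below is an added example, not code from the original article; it takes the two TXT record strings as constructed input (in practice the SPF string is the domain’s own TXT record and the DMARC string the TXT record of `_dmarc.<domain>`) and lists the gaps that would let spoofed mail through.

```python
"""Check a domain's SPF and DMARC policy strings for spoofing exposure.

Added example, not from the original article. The records are passed in
as strings (constructed below) so the check runs offline; in practice the
SPF string is the TXT record of the domain itself and the DMARC string
the TXT record of _dmarc.<domain>.
"""
from typing import Dict, List, Optional


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(spf_txt: Optional[str]) -> List[str]:
    """Report whether the SPF record actually tells receivers to reject unknown senders."""
    if not spf_txt or not spf_txt.strip().lower().startswith("v=spf1"):
        return ["no SPF record: receivers cannot tell which servers may send for this domain"]
    terms = [t.lower() for t in spf_txt.split()[1:]]
    if any(t.startswith("redirect=") for t in terms):
        return []  # policy delegated to another domain; evaluate that record instead
    last = terms[-1] if terms else ""
    if last == "-all":
        return []  # hard fail: mail from unlisted servers is rejected
    if last in ("all", "+all"):
        return ["SPF ends with +all: every server passes SPF for this domain"]
    if last == "~all":
        return ["SPF ends with ~all (softfail): spoofed mail is marked, not rejected"]
    return ["SPF gives unknown senders a neutral result; end the record with -all"]


def assess_dmarc(dmarc_txt: Optional[str]) -> List[str]:
    """Report whether DMARC tells receivers what to do with mail that fails SPF/DKIM."""
    if not dmarc_txt or not dmarc_txt.strip().lower().startswith("v=dmarc1"):
        return ["no DMARC record: receivers have no instruction for mail that fails SPF/DKIM"]
    policy = parse_dmarc(dmarc_txt).get("p", "").lower()
    if policy == "none":
        return ["DMARC p=none: failures are only reported, spoofed mail is still delivered"]
    if policy not in ("quarantine", "reject"):
        return ["DMARC record has no valid p= tag"]
    return []


def assess_domain(spf_txt: Optional[str], dmarc_txt: Optional[str]) -> List[str]:
    """Combined findings; an empty list means both records enforce a policy."""
    return assess_spf(spf_txt) + assess_dmarc(dmarc_txt)


# Constructed sample records for made-up domains.
SAMPLES = {
    "good.example": ("v=spf1 include:_spf.mail.example -all",
                     "v=DMARC1; p=reject; rua=mailto:dmarc@good.example"),
    "weak.example": ("v=spf1 ip4:192.0.2.10 ~all", "v=DMARC1; p=none"),
    "none.example": (None, None),
}

if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLES.items():
        issues = assess_domain(spf, dmarc) or ["policy enforced"]
        print(domain)
        for issue in issues:
            print("  -", issue)
```

The point of the two-record check is that SPF alone only lists permitted servers; without a DMARC policy of `quarantine` or `reject`, a receiver that sees an SPF failure has no instruction to act on it, and the spoofed message is typically still delivered.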

So it is quite striking that many companies still use fax instead of e-mail. It’s an outdated technology that never particularly caught on here, but legal documents, for example, are still sent this way.

The problem is that both parties need a fax machine to communicate this way, so it is not very practical, and we need to look instead at newer technologies that can protect the e-mails we send.

Encrypting emails

The GDPR does not recommend specific technologies (a deliberate choice, so the regulation does not become outdated as new systems appear), but it does make several references to encryption: encoding information so that only an authorised user can read it.

Organisations that handle large volumes of sensitive data often use encrypted email, and some providers, such as ProtonMail in Switzerland and Tutanota in Germany, offer this as a service.

For most businesses and sole traders, however, this technology is impractical for everyday email. For a start, most messages don’t contain information that needs encrypting, so they would be spending money and effort for no benefit.

Sharing via cloud services

A very useful way to store and distribute information is through cloud services that encrypt communications (beware, this is not always the case, so always check the provider’s security and how your data is handled). Files or entire folders can easily be uploaded and a link sent to recipients. Should you accidentally send the link to the wrong person and realise the mistake, you can delete the files immediately and avert a disaster. Files should also be deleted once the transfer is complete.

That said, the cloud is not an impenetrable fortress that automatically keeps all your information safe. It is simply a server run by a third party that takes responsibility for securing it. You would still be liable for any breach or data leak, but the provider would be jointly liable if it were proven that the leak was due to their technical error. Cloud providers therefore have a strong interest in making sure their security is solid and data is truly safe.
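Why a mis-sent link can be withdrawn while a mis-sent attachment cannot comes down to how a share link works: it is a random token that the server maps to the stored file, so the sender keeps control of the mapping. The model below is an added example, not any cloud provider’s code; it shows the three properties a practitioner should expect from such a service (an unguessable token, an expiry time, and revocation of the link or deletion of the file) and walks through sending, revoking and expiring a link. The `ShareStore` class, its clock parameter and the file contents are all constructed for the example.

```python
"""Model of a revocable, expiring share link.

Added example; it is not any cloud provider's code. A share link is a
random token that the server maps to a stored file, so the sender keeps
control: revoking the token or deleting the file makes a mis-sent link
useless, which is impossible once an attachment has left the outbox.
"""
import secrets
import time
from typing import Callable, Dict, Optional, Tuple


class ShareStore:
    """In-memory stand-in for a file store with tokenised share links."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock                       # injectable for deterministic tests
        self._files: Dict[str, bytes] = {}
        self._links: Dict[str, Tuple[str, float]] = {}   # token -> (file_id, expiry)

    def upload(self, file_id: str, data: bytes) -> None:
        self._files[file_id] = data

    def create_link(self, file_id: str, ttl_seconds: float) -> str:
        if file_id not in self._files:
            raise KeyError(file_id)
        # 256 bits of randomness: the link cannot be guessed or enumerated.
        token = secrets.token_urlsafe(32)
        self._links[token] = (file_id, self._clock() + ttl_seconds)
        return token

    def revoke_link(self, token: str) -> None:
        """Sent the link to the wrong person? Withdraw it; the file stays."""
        self._links.pop(token, None)

    def delete_file(self, file_id: str) -> None:
        """Remove the file and every link pointing at it."""
        self._files.pop(file_id, None)
        for token, (fid, _) in list(self._links.items()):
            if fid == file_id:
                del self._links[token]

    def fetch(self, token: str) -> Optional[bytes]:
        """What the recipient's download does: resolve token -> file, or nothing."""
        entry = self._links.get(token)
        if entry is None:
            return None
        file_id, expires_at = entry
        if self._clock() >= expires_at:
            del self._links[token]            # expired links are cleaned up lazily
            return None
        return self._files.get(file_id)


def demo() -> Tuple[Optional[bytes], Optional[bytes], Optional[bytes]]:
    """Walk through send, revoke and expire; returns the three fetch results."""
    now = [1_000.0]                               # fake clock, seconds
    store = ShareStore(clock=lambda: now[0])
    store.upload("contract.pdf", b"%PDF-constructed-sample")   # constructed content
    link = store.create_link("contract.pdf", ttl_seconds=3600)
    before = store.fetch(link)                    # recipient can download
    store.revoke_link(link)                       # sender notices the wrong recipient
    after_revoke = store.fetch(link)              # link no longer resolves
    link2 = store.create_link("contract.pdf", ttl_seconds=60)
    now[0] += 61                                  # the link's lifetime has passed
    after_expiry = store.fetch(link2)
    return before, after_revoke, after_expiry


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the file and the link are separate objects: revoking one link does not disturb other recipients, while deleting the file invalidates every link at once, which is the behaviour the article relies on when it says a mistake can be undone by deleting the files.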
