Here’s a scenario: You are sending a confidential email to an employee at another company that’s based overseas. You need to share the information with the person at that company, but you don’t want the information to get out beyond that connection. How many organizations will have access to that email?
Answer: More than you would like!
Let’s set up the scenario and break down who might have access.
Your company uses Microsoft Office 365 for email, and the receiver uses Google’s G Suite. That means copies of your email sit with both Microsoft and Google.
So here’s the thing: both of these companies also use different third-party email scanning tools, and those vendors have, or had, access to your email. Even where most of the scanning is automated, somebody operating the security infrastructure of each platform has been able to peer in.
Seconds after you pressed ‘send,’ four organizations had access to your email! That’s not all, though; there may well be more.
Does Google or Microsoft use third-party data processors? Do they partner with other email scanning vendors? Sure, they may say all of their vendors have “the same commitment to privacy and security” and that everybody is conversant in GDPR. That still means all of those parties have access; the privacy rules only govern what they may do with it.
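One way to see part of that crowd for yourself is to read the Received: headers on a message you have been sent. Every mail relay prepends one, so the chain records which servers, and therefore which organizations, handled the message in transit. The script below is an added illustration and not code from the original post; it uses only the Python standard library, and the message it parses is constructed for the example, with hypothetical hostnames, addresses and IDs.

```python
"""List the relay hops recorded in a message's Received: headers.

This is an added illustration, not code from the original post. It uses
only the Python standard library. The message below is constructed for
the example; the hostnames, addresses and IDs in it are hypothetical.
"""
import re
from email import message_from_string

# Constructed sample message, as the receiving client might see it.
# Each relay prepends its own Received: line, so the newest hop is on top.
SAMPLE_MESSAGE = """\
Received: from mail-scan.example-scanner.net (mail-scan.example-scanner.net [203.0.113.7])
\tby mx.example-receiver.com with ESMTPS id abc123
\tfor <bob@example-receiver.com>; Mon, 1 Jan 2024 12:00:05 +0000
Received: from outbound.example-sender.com (outbound.example-sender.com [198.51.100.9])
\tby mail-scan.example-scanner.net with ESMTPS id def456;
\tMon, 1 Jan 2024 12:00:03 +0000
Received: from laptop.internal (unknown [10.0.0.5])
\tby outbound.example-sender.com with ESMTPSA id ghi789;
\tMon, 1 Jan 2024 12:00:01 +0000
From: alice@example-sender.com
To: bob@example-receiver.com
Subject: Confidential

body text
"""


def parse_received_chain(raw_message):
    """Return the hops in chronological order as dicts with 'from' and 'by'.

    Received: headers are prepended by each relay, so the header order in
    the message is newest-first; we reverse it to follow the message's path.
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        # Unfold continuation lines so the regexes see one flat clause.
        flat = re.sub(r"\s+", " ", value).strip()
        sent_by = re.search(r"\bfrom (\S+)", flat)
        received_by = re.search(r"\bby (\S+)", flat)
        hops.append({
            "from": sent_by.group(1) if sent_by else None,
            "by": received_by.group(1) if received_by else None,
        })
    return hops


def handling_organizations(raw_message):
    """Distinct organizations whose servers relayed the message, in order.

    The organization is approximated by the last two labels of the relaying
    host ('mx.example.com' -> 'example.com'). That heuristic is wrong for
    suffixes such as co.uk; a real tool would consult the Public Suffix List.
    """
    orgs = []
    for hop in parse_received_chain(raw_message):
        host = hop["by"]
        if not host:
            continue
        org = ".".join(host.lower().rstrip(".").split(".")[-2:])
        if org not in orgs:
            orgs.append(org)
    return orgs


if __name__ == "__main__":
    for hop in parse_received_chain(SAMPLE_MESSAGE):
        print(f"{hop['from']} -> {hop['by']}")
    print("organizations that relayed it:", handling_organizations(SAMPLE_MESSAGE))
```

Two caveats make this a floor rather than a count. First, only transit hops leave a Received: line: a provider’s internal scanning, its backups, an inbox integration, or an administrator opening the mailbox add nothing to the header chain. Second, each relay writes its own line, so any earlier hop can forge the lines below its own; only the header added by a server you control is trustworthy.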
In addition, the people on each end of the pipeline use both desktop and mobile email clients, so copies of your data also sit on each of those devices.
But wait, there’s more…
Your counterpart uses a number of email integration tools to manage his inbox, which means several more companies have access to the email. The optimization tools that give us streamlined CRM (Customer Relationship Management) and good data insight do so by porting message data to various parties, which widens the footprint of who has access. This is turning into quite a crowd!
Then there’s the cloud. Both organizations back up their email to different cloud services: public, private or hybrid cloud, possibly with edge computing or cloud gateways in between. The bottom line is that while the cloud offers the convenience and value of moving information over the global internet, it also gives those vendors additional seats at the table when it comes to access. That’s why, in the early days of the cloud, so many executives and other skeptics spent so much time looking at the vendors’ security practices: they didn’t just take the vendor’s word for it. A lot of people have since calmed down about cloud security. That doesn’t mean there aren’t any remaining concerns!
Let’s keep going.
Other people who may have access:
- Both organizations have administrators who can get access to the email.
- Your counterpart gives email access to his admin team.
- His wife sometimes has access to his phone.
- He forwarded the email to one of his colleagues, which creates even more copies!
- You don’t know it, but your recipient is also party to a legal action, and his email is subject to subpoena!
Some of these aren’t even on the radar for most of us. How would you know if a lawyer was peering over somebody’s shoulder? You wouldn’t, until some kind of glitch happens. The same goes for a spouse with access to the phone.
Challenge Summary
In summary, there are somewhere between 10 and 100 copies of the confidential email you sent, spread across providers, devices, backups and third parties. Every one of those copies is subject to both legal subpoenas and illegal hacking. Now how confident do you feel about the confidential information that you sent?
Email is inherently prolific: copies are always being made. Between the cloud services, device copies, backups and the number of parties involved, the number of copies swells easily.
There has to be a better way!
Confidential Message Best Practices:
There are several ways to improve the privacy of your sensitive messaging without resorting to sending messages by carrier pigeon.
- Use secure email features such as Gmail Confidential mode in G Suite. It is a tool Google provides that removes the recipient’s options to forward, copy, print or download the email; you can also set the email to expire and require an SMS passcode to open it. Be clear about what it does not do: the message still sits with Google and is not end-to-end encrypted, and a recipient can still photograph or screenshot the screen.
- Don’t send the content in email. Keep the confidential part in a shared repository like Office 365 OneDrive or Google Drive and send a link, shared with the named recipient rather than with “anyone with the link.” There are still copies, just fewer of them, and you, at least in theory, have more control: you can see who has access and revoke it later.
- Don’t send the content in email. Use a secure messaging tool like Signal to transmit confidential information. Signal lets users message and hold voice and video calls with the content encrypted end-to-end, so the service operator never sees it. Copies still exist on the two endpoint devices, so pair it with disappearing messages where that fits.
- Don’t send the content in email. Physically mail it or tell the person in person. The postal service will do; no carrier pigeon required!
Summary
Email is handy, but without good oversight your data ends up all over the place! Use these common-sense tips to play it closer to the vest with what you send.
If you would like help with your cybersecurity strategy or program, give Fractional CISO a call for a complimentary consultation. We can be reached at (617) 658-3276 or by email at [email protected].