How many organizations have access to my email?

Published on 11th September 2019

Here’s a scenario: You are sending a confidential email to an employee at another company that’s based overseas. You need to share the information with the person at that company, but you don’t want the information to get out beyond that connection. How many organizations will have access to that email?

Answer: More than you would like!

Let’s set up the scenario, and break down who might have access.

Your company uses Microsoft Office 365 for email, and the receiver uses Google’s G Suite. That means there are copies of your emails with both Microsoft and Google.

So here’s the thing: both of these companies use different third-party email scanning tools. Those companies have or had access to your email. Somebody has been able to peer in while operating the security infrastructure of each platform, even if a lot of the scanning is automated.

Seconds after you pressed ‘send,’ four organizations had access to your email! That’s not all, though – there actually might be more. Does Google or Microsoft use third party data processors? Do they partner with email scanning vendors? Sure, they may say all of their vendors have “the same commitment to privacy and security” and everybody is conversant in GDPR. That still means all of those parties have access. It’s just what they do with it that is governed by privacy rules.

In addition, both parties on each end of the pipeline use desktop and mobile email, so there are copies of your data with those devices.

But wait, there’s more…

Your counterpart uses lots of email integration tools for better managing email. It turns out that several other companies have access to the email! Yes, the kinds of optimization tools that offer us streamlined CRM (Customer Relationship Management) and good data insight also port data to various parties, increasing the footprint of who has access. This is turning into quite a crowd!

Then there’s the cloud. Both of your organizations back up the email to different cloud services. It might be public, private or hybrid cloud. They might use edge computing or cloud gateways. The bottom line is: while cloud offers the convenience and value of porting information through the global internet, it also gives those vendors additional seats at the table when it comes to access. That’s why, in the early days of the cloud, so many executives and other skeptics spent so much time looking at the vendors’ security practices. They didn’t just take the vendor’s word for it. Now, a lot of people have calmed down on cloud security. That doesn’t mean there aren’t any remaining concerns!

Let’s keep going.

Other people who may have access:

Both organizations have administrators who can get access to the email.

Your counterpart gives email access to his admin team.

His wife sometimes has access to his phone.

He forwarded the email to one of his colleagues, which subjects the email to even more copies!

You don’t know it, but your recipient is also party to a legal action, and his email is subject to government subpoena!

Some of these aren’t even on the radar for most of us. How would you know if a lawyer was peering over somebody’s shoulder? You wouldn’t – until some kind of glitch happens.

Likewise, with the wife and husband stuff.

Challenge Summary

In summary, there are somewhere between 10 and 100 copies of the confidential email that you sent floating around the web. All copies are subject to both legal subpoenas and illegal hacking… now how confident do you feel about the confidential information that you sent?

Email is inherently prolific: in other words, there are always copies being made. Between the cloud services, device copies, backups, and the number of parties involved, the number of copies swells easily.

There has to be a better way!

Confidential Message Best Practices:

There are several ways to improve privacy with your sensitive messaging, without resorting to sending messages via carrier pigeon.

Use secure email features such as G Suite Confidential mode. It is a tool Google provides to restrict the ability to copy, print, or download the email. You can also expire the email and require an SMS passcode to access it.

Don’t send the content in email. Keep the confidential part in a shared repository like Office 365 OneDrive or Google Drive and send a link. (There are still copies, just fewer of them and you, in theory, have more control.)
Don’t send the content in email. Use a secure messaging tool like Signal to transmit confidential information. Signal allows users to message, have voice and video calls with the content encrypted from end-to-end.

Don’t send the content in email. Physically mail it or tell in person. But you can use the mail service and don’t need the carrier pigeon!

Summary

Email is handy, but without good oversight, your data ends up all over the place! Use these common-sense tips to play it closer to the vest with what you send.

If you would like help with your cybersecurity strategy or program, give Fractional CISO a call for a complimentary consultation. We can be reached at (617) 658- 3276 or by email at [email protected].