A few weeks ago my business friend Steve told me he was signing up for a conference that I might be interested in attending. It’s a national conference hosted by a pretty big company. After checking out the conference I thought it would be a pretty good one to attend. I clicked the register link to see my options and was horrified by what I saw. One of the options was to fill out a PDF and email in your registration. Not fax it, email it. They wanted credit card information, company information, some personal information, and a digital signature. I closed the PDF and immediately called Steve to see how he had registered. Luckily he registered through the site and submitted his info over a secure connection. But he was confused as to why I was so livid about the register-by-email option.
When I told him email is not secure whatsoever and is one of the most hacked areas of the Internet, he agreed, but I could tell from his voice he didn’t believe me. So I asked Steve to tell me about his email accounts. He uses a standard email program like Outlook or Thunderbird. He pulls in three email accounts: one from his business (a .com) and two personal accounts from free email services such as Gmail, Hotmail, or Yahoo. He was keeping his email on each email server for about 10 days before his email program deleted it, which is normal.
I then asked Steve to tell me about the last ten days’ worth of email (email that would still be on the server). Besides all the promo/marketing emails, he had a bunch of email from his clients and several emails that contained login info. A gold mine of information.
Then Steve admitted to me that one of his email accounts was hacked about a year ago! The hacker sent out a bunch of spam emails, but they could have gotten access to a lot more. The hacker had access to a good chunk of Steve’s emails. They could have gotten access to his accounts on Amazon, eBay, PayPal, and more. It clicked for him as to why I was so livid about the email registration option. All the hacker would have had to do is open up some of his emails… That’s all anyone would have to do.
It doesn’t take much to get into an email account: a weak or reused password, a virus on the machine, a break-in on the server, or a disgruntled or nosy co-worker who has access to your server. Once in, what do they have access to? Emails from clients, usernames and passwords for sites, private information, you name it. They could even set up a forwarding rule to collect copies of your incoming email long after you change your password, and you would be none the wiser.
Email is not secure. Period. It is rarely sent and received through a secure connection end to end (any encryption between servers is hop by hop and opportunistic, so you cannot tell from the sending side whether it happened), the message itself is rarely encrypted, it lives on the server or a computer for way too long, and more people can read it than you think. The bottom line is don’t send any sensitive data through email, ever, and don’t send anything you wouldn’t want someone else to read.
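The only transport evidence you ever get is on the receiving side: each server that handled the message prepends a Received header, and most of them say whether the connection they accepted was TLS-protected. The script below, added here as an example and not part of the original post, parses those headers from a constructed two-hop message and reports a verdict per hop. The token patterns (ESMTPS, version=TLS, TLSv1.x) are the ones common MTAs emit; other servers may word them differently, and any hop can forge the headers below its own, so treat the result as a heuristic, and remember it says nothing about the hops a message takes after you send it.

```python
"""Check which hops an email took over TLS, from its Received headers.

Added example, not from the original post. The message below is constructed;
the header wording follows common MTAs (Postfix, Exim, Gmail) but is not
standardised, so the TLS verdict is a best-effort heuristic.
"""
import email
import re
from email import policy

# Constructed sample: two hops, the first (sender's client to its outbound
# server) over plain ESMTP, the second (server to server) over TLS.
# Received headers are prepended, so the most recent hop is on top.
SAMPLE_MESSAGE = """\
Received: from mail-out.example.net (mail-out.example.net [192.0.2.10])
        by mx.example.com with ESMTPS id abc123
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
        Mon, 1 Jan 2024 10:00:00 +0000
Received: from client.example.org (client.example.org [198.51.100.7])
        by mail-out.example.net with ESMTP id xyz789;
        Mon, 1 Jan 2024 09:59:58 +0000
From: steve@example.org
To: you@example.com
Subject: Conference registration

Card number and signature attached.
"""

# Tokens MTAs use when the inbound connection was TLS-protected.
TLS_HINTS = re.compile(
    r"\bwith\s+(?:UTF8)?E?SMTPSA?\b"   # ESMTPS / ESMTPSA / UTF8SMTPS; not ESMTP or ESMTPA
    r"|\bTLSv?1(?:[._]\d)?\b"          # TLS1_2, TLSv1.3 ...
    r"|\bversion=TLS",                 # Gmail / Postfix style
    re.I,
)
# "from <src> ... by <dst>" is the one piece of a Received header RFC 5321 fixes.
HOP = re.compile(r"^from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+)", re.I | re.S)


def parse_hops(raw_message: str) -> list[dict]:
    """Return the hops in transit order (oldest first) with a TLS verdict each."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        text = re.sub(r"\s+", " ", str(header)).strip()  # unfold continuation lines
        m = HOP.search(text)
        if not m:
            continue  # not in the usual "from ... by ..." form; skip rather than guess
        hops.append({"from": m["src"], "by": m["dst"], "tls": bool(TLS_HINTS.search(text))})
    return hops


def all_hops_encrypted(raw_message: str) -> bool:
    """True only if every recorded hop claims TLS (and there is at least one hop)."""
    hops = parse_hops(raw_message)
    return bool(hops) and all(h["tls"] for h in hops)


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_MESSAGE):
        print(f"{hop['from']:>22} -> {hop['by']:<22} {'TLS' if hop['tls'] else 'PLAINTEXT'}")
    print("all hops encrypted:", all_hops_encrypted(SAMPLE_MESSAGE))
```

Run it against a message you received (save it as raw source from your mail client and pass the text to `parse_hops`). In the constructed sample the first hop, the sender's own client to their outbound server, is plaintext, which is exactly the leg the author of the registration form has no control over.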
Then it got me thinking, if this company is that oblivious or lazy about security what other security holes do they have? Will my data actually be safe with them?
It doesn’t take much to be secure.
- Create strong passwords. Don’t use single dictionary words. Use at least 8 mixed letters and digits (the post’s own example is ip2adr), or a four-word sentence, and don’t reuse the same password across accounts.
- Don’t send or receive sensitive data. If you wouldn’t feel comfortable letting someone else read your emails, then don’t send it.
- Make sure to clean up old emails, and delete them from your Deleted Items folder both on your computer and on the server; a message you “deleted” is still readable to whoever gets into the server until it is actually purged there.
- Be aware of who has access to your email accounts. Make sure they are people you can trust.
- Set up surprise security audits on a regular basis.
- If you are storing information make sure it is encrypted and protected.
- Make sure you have firewalls, anti-virus, and other security software in place, up to date, and running.
- If you want to learn more do some Internet searches for “Email Security Best Practices” and “Creating a Security Audit”. Or find a security consultant that can help you.
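The clean-up step is the one people skip because it is tedious by hand, and the 10-day retention Steve relied on only ever applies to the copy his email program fetched. The script below, added here as an example and not from the original post, does the server-side purge over IMAP: it connects with TLS (`imaplib.IMAP4_SSL`, port 993), searches the folder for messages whose internal date is older than a cutoff, and flags and expunges them. It defaults to a dry run so you can review the UIDs first. The `FakeIMAP` class and its dates are constructed so the logic runs offline; against a live server, use `purge_real_mailbox`. One caveat for Gmail: expunging a flagged message from a label only removes the label (archives it) unless the account’s IMAP settings say to delete immediately, so check Trash and All Mail afterwards.

```python
"""Purge messages older than N days from an IMAP folder, over TLS.

Added example, not from the original post. Assumes a plain IMAP server; the
FakeIMAP class is a constructed stand-in so the purge logic runs offline.
"""
import imaplib
from datetime import date, datetime, timedelta
from typing import Optional

# IMAP dates are DD-Mon-YYYY with English month names regardless of locale.
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def imap_cutoff(days: int, today: Optional[date] = None) -> str:
    """IMAP SEARCH criterion selecting messages dated before `days` days ago."""
    today = today or date.today()
    cutoff = today - timedelta(days=days)
    return f"BEFORE {cutoff.day:02d}-{MONTHS[cutoff.month - 1]}-{cutoff.year}"


def purge_old(conn, folder: str, days: int, today: Optional[date] = None,
              dry_run: bool = True) -> list[str]:
    """Flag and expunge messages older than `days` in `folder`.

    Returns the selected UIDs so a dry run can be reviewed before deleting.
    """
    status, _ = conn.select(folder)
    if status != "OK":
        raise RuntimeError(f"cannot select folder {folder!r}")
    status, data = conn.uid("SEARCH", None, imap_cutoff(days, today))
    if status != "OK":
        raise RuntimeError("SEARCH failed")
    uids = [u.decode() for u in data[0].split()]
    if uids and not dry_run:
        conn.uid("STORE", ",".join(uids), "+FLAGS", r"(\Deleted)")
        conn.expunge()  # \Deleted alone leaves the mail readable; expunge removes it
    return uids


def purge_real_mailbox(host: str, user: str, password: str, folder: str = "INBOX",
                       days: int = 10, dry_run: bool = True) -> list[str]:
    """Same purge against a live server; IMAP4_SSL is a TLS connection on port 993."""
    with imaplib.IMAP4_SSL(host) as conn:
        conn.login(user, password)
        return purge_old(conn, folder, days, dry_run=dry_run)


class FakeIMAP:
    """Constructed stand-in for imaplib.IMAP4_SSL holding uid -> internal date."""

    def __init__(self, messages: dict[int, date]):
        self.messages = dict(messages)
        self.flagged: set[int] = set()

    def select(self, folder: str):
        return "OK", [str(len(self.messages)).encode()]

    def uid(self, command: str, *args):
        if command == "SEARCH":  # args[-1] looks like "BEFORE 22-Dec-2023"
            cutoff = datetime.strptime(args[-1].split()[1], "%d-%b-%Y").date()
            hits = sorted(u for u, d in self.messages.items() if d < cutoff)
            return "OK", [" ".join(map(str, hits)).encode()]
        if command == "STORE":
            self.flagged.update(int(u) for u in args[0].split(","))
            return "OK", [b""]
        raise NotImplementedError(command)

    def expunge(self):
        for u in self.flagged:
            self.messages.pop(u, None)
        self.flagged.clear()
        return "OK", [b""]


def demo() -> tuple[list[str], int]:
    """Offline run on constructed data: returns (purged UIDs, messages left)."""
    today = date(2024, 1, 1)
    box = FakeIMAP({1: date(2023, 12, 1), 2: date(2023, 12, 25), 3: today})
    removed = purge_old(box, "INBOX", days=10, today=today, dry_run=False)
    return removed, len(box.messages)


if __name__ == "__main__":
    print(demo())
```

The cutoff uses the server’s internal date (when it received the message), not the Date header the sender wrote, which is the right clock for a retention rule. Run the dry run first, look at the UIDs, then flip `dry_run=False`.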
When I suggest these extra steps, I often hear people complain that they complicate things or make accessing their data difficult. To those people I respond:
- What would happen if your merchant account provider or the credit card companies found out you were handling credit card information in an insecure way? Answer: you would lose your merchant account and possibly be blacklisted from accepting certain types of credit cards until the issues are fixed.
- What would happen to your company if you had a breach of security and lost client information? For most big companies it’s pretty damaging both to their profits and in customer relations. For smaller companies it can destroy the company.
- How would your clients feel?
- How would you feel if a company you did business with had a breach of security and fraud was committed with your lost information?
This article isn’t meant to scare you into never using email again. It is meant to help you realize the limits of what you should use email for and what you should do to protect yourself and your clients. Think of security as a form of insurance. Protect yourself while protecting others.