Keep your business e-mail private

Avoid embarassing and potentially legally damaging security lapses

What are the consequences if you e-mail sensitive business information, such as financial statements or a report with evidence of employee wrongdoing, and it falls into the wrong hands?

At the very least, the security lapse would be embarrassing. There could also be more serious legal repercussions.

The question arose with one of my clients when their favourite translation firm closed its local office. Due to the quick turnaround times required, it was no longer feasible to courier discs with highly sensitive documents to and from the translators. But if they began sending the documents by e-mail, how could they ensure that only authorized personnel could read the messages?

Sending standard e-mail has all the privacy (or lack thereof) of dropping a postcard in the corner mailbox. Yet it's possible to virtually eliminate this security weakness by using secure e-mail.

You can implement secure e-mail using a widely accepted security certificate for little cost. Most major e-mail clients support security certificates for POP3 accounts, but this form of secure e-mail is not designed for use with most Web-based accounts.

The trouble with standard e-mail

There is more than one security issue with standard e-mail. Some e-mail programs automatically fill in the intended recipient's e-mail address based upon the name entered in the "To" box. But this can be problematic. A message intended for John Blacksmith may be addressed to the John Black in your address book, unless you catch the error in time.

Furthermore, an e-mail message typically travels a circuitous path along the Internet. It may temporarily reside on more than one intermediate server, taking several hops to reach its final destination. At any point along the route someone can intercept and read the message. How can you perform the electronic equivalent of sealing and registering a letter?

What makes e-mail secure?

There are two main objectives in securing e-mail: to verify the identity of the sender, and to ensure that only the authorized recipient can read the message.

A security certificate, such as a Digital ID, is attached to the e-mail message and verifies that the e-mail originated with the sender and has not been altered along its route. E-mail clients such as Microsoft's Outlook and Outlook Express tag messages that have a Digital ID with a distinctive badge.

A Digital ID identifies a specific e-mail address and is usually issued by a trusted authority. The cost is modest: I checked several Digital ID authorities and found that charges ranged from free to US$25 per e-mail address.

Page Break

Digital ID certification authorities

If you use Microsoft Windows, it's usually most convenient to install the certificate using a Web browser. All authorities support recent versions of Internet Explorer. Once your Digital ID is installed on your PC, it can be passed on to an e-mail program such as Outlook.

Your Digital ID may also be used to sign documents created by other security-aware applications, such as recent versions of Microsoft Word and Excel and Adobe Acrobat.

If you require more than fifty or so Digital IDs, it may make more sense to administer them in-house by acquiring a corporate e-mail certificate and in-house Public Key Infrastructure product. Several authorities offer these products.

A Comodo Digital ID is free for personal use and costs US$20 per year for business use. Comodo provides straightforward instructions for creating and installing a Digital ID that is accepted by most e-mail clients. If you use Comodo, however, be sure your spam filter whitelists, since there is no easy way to ask Comodo to re-send a certificate confirmation e-mail.

I also recommend Verisign , which costs US$20 per year. A free 60-day trial edition is available. The Verisign certificate is widely accepted by e-mail applications and easy to install.

Thawte offers a free Digital ID with no expiration date. However, your name is not attached to the basic certificate; if you want it to be, you must follow a time-consuming procedure and meet several Thawte notaries. Alternatively, you can pay Thawte a one-time fee of US$25 and get two trusted parties such as an attorney, certified public accountant, or bank manager to confirm your identity. In either case, this sounds like too much work.

WildID is free, but it requires you to reregister once a month. Furthermore, most e-mail clients do not accept its certificate, by default: It essentially amounts to a self-issued certificate. That may be fine for personal use between a few friends, but I wouldn't recommend using it for business purposes.

For your recipient's eyes only

Installing a Digital ID will authenticate your identity and verify the integrity of your e-mail message. But how do you ensure that only an authorized recipient can read your e-mail?

Once you acquire a Digital ID, the e-mail message body and attachments can be encrypted using the S/MIME (Secure Multipurpose Internet Mail Extensions) standard -- your e-mail client must support it in order for this process to work. S/MIME encryption ensures that if the e-mail falls into the wrong hands, the contents will be gobbledygook. The e-mail address and subject of an e-mail are not encrypted and remain in the clear.

The system works using Public-Key Cryptography, which features a two-part encryption key. One part of the key remains private and stays on your PC. You share the public key (which is built into your Digital ID) with persons with whom you wish to communicate. Just send them an e-mail with your Digital ID attached. The recipient of the e-mail must also have a Digital ID and an e-mail client with S/MIME to support encrypted communications.

Is setting up secure e-mail worth a few bucks and ten minutes of your time? If you send sensitive information via e-mail, it's a cheap way to ensure that it's tamper-proof.