2016

Email is a communication medium that is used by nearly everyone on the Internet. It’s one of the few protocols so widely used, second only to maybe HTTP. That is the power of email. Everyone has it and uses it.

But the security of email is a topic that is often misunderstood. This is largely because there is no single answer to the question, “how secure is an email message?” As a general rule of thumb, by default it should be treated as a very insecure medium of communication. There are ways to secure your email but let’s start out with a discussion of the different pieces at play.

How secure is the email message content?

When discussing the security of an email message, you need to break it up into two pieces. First comes the content of the email message itself.

The most insecure parts of an email message are the sender, recipient, and subject of the message. This information is extremely insecure and visible to anyone who touches the message. Think of it like the names and addresses on the outside of a mail envelope. So you should treat these parts carefully because even if you are using encryption on the email message itself, which we’ll discuss later, these components will not be protected.

This is the virtual envelope with your content on the inside. If you were to come across a letter, how easy would it be to view what’s inside? Not that hard, right? You simply open the envelope. Email messages, by default, are no different. While in transit and once they get to their destination, email messages are like envelopes that anyone with access can open and view the contents.

How secure are email transmissions?

The second aspect of email message security is the transmission of messages from the sender to the recipient. This area is very misunderstood. By default, you have very little control over how a message is handled in transit. Sure, you can make sure your email client is using SSL or TLS when connecting to send the message, and you should, but once you hand it off to the first email server, you are also handing over control on how that message is handled from that point on. Depending on who you are sending the message to it may or may not be transmitted using encrypted connections from hop to hop. This essentially means that the contents of your message could be openly transmitted over the Internet by a bad email provider or ISP. And when this happens, an unencrypted message could be viewed by telcos, ISPs, or government organizations.

Any decent email hosting company will use encrypted connections when receiving and sending email to other email hosts. At Mailprotector, we always default to using TLS encryption for all email message transmissions. Unfortunately many other email hosting companies still don’t support encrypted connections, so whenever you send a message, you have to consider the possibility that it isn’t going to be transmitted securely.

How to make your email more secure

So now we know why email is, by default, a very insecure communication method. But there are ways to make it more secure.

Check your email client settings

Start by checking your email client settings to make sure you are using SSL or TLS in your inbound (receiving) and outbound (sending) connections. Any competent email provider offers this option and if yours doesn’t, switch to one that does immediately. Setting your client to use a secure connection is especially important when using public networks or wifi (like you find at Starbucks) or when on an airplane. Take this recent story by Steven Petrow, a reporter who had his emails hacked mid-air while writing an Apple-FBI story…now that’s irony.

“I hacked your email on the plane and read everything you sent and received. I did it to most people on the flight.” He had verbatim detail of a long email that he repeated back to me essentially word for word.

The victim in this example wasn’t using a virtual private network (VPN) or even SSL/TLS connections when sending and receiving his emails. If you were in a similar situation, anyone on the same network as you could use software to capture the data being transmitted and view it since the data isn’t encrypted. Using SSL/TLS options for sending and receiving email is the bare minimum protection you should have on public networks. Ideally, you should also be using a VPN to protect any data you are transmitting while on public networks.

Look into full encryption options

If the security of your email is a high enough priority, you should also consider encrypting the content of the email messages you send. These technologies protect the actual content inside the message. Based on the mail analogy cited earlier, if someone were to get a hold of your encrypted email message, they wouldn’t be able to view or understand the content. It would be like opening a letter written in code.

A couple of methods for encrypting email content are S/MIME and PGP. However, there is a downside to both of these technologies. Each requires the sender and recipient to exchange encryption keys prior to sending an encrypted message. So there is a barrier to using these technologies and managing the keys can become frustrating. There are better options available.

At Mailprotector, for instance, we offer a way to make email encryption much easier with our Bracket Encrypted Email service. Not everyone needs this level of security, but some people do. Bracket lets you securely send encrypted email containing corporate and financial data, personal info, legal docs, medical records, but it’s much easier for people to use.

Summary: 3 steps to improve email privacy

1. Check your email client settings to make sure you’re sending and receiving email over encrypted connections
2. Ask your email provider if they encrypt all email in and out of their networks, and if they don’t find one who does (hint, hint)
3. Look into the possibility of utilizing full email encryption options

So while email remains one of the most popular and useful communication mediums, it can be quite insecure by default. That said, you do have options when improving the security of your email.

The goal is your destination. The system is your vehicle.

The key to accomplishing something significant is not in the large success but in the small successes. These small successes are based on the habits that will continually move you towards accomplishing your goal.

Most people think the secret of goals is to simply set a big goal and then everything else will just magically happen. They aim high and then never take the first step because it seems too big. They view accomplishing the goal as one giant step. This is where most goals fizzle out.

There is an important piece missing here. It’s not enough to just aim for something. Creating a system is the key.

I think there is a place for both goals and systems. However, they work better together than they do separately. You need to set goals to know where you want to go. But setting goals is not enough. You need to have a system that will get you there. The goal is your destination. The system is your vehicle.

The system should be actionable steps that you can consistently perform to move you toward your goal. These consistent steps will form habits. Those habits are the foundation for your system. Once you have a goal, work backwards to determine the habits that will are required to take you to your goal.

Systems people succeed every time they apply their systems, not only when they hit their ultimate goal. These small successes create momentum. And momentum is a powerful thing.