Email is still the default way businesses communicate, but in a world rife with hacks and exploits, is email still safe?
Email is the default communication tool of choice for the vast majority of small, medium and large businesses. Twenty years ago, initial communication would be made by phone, faxes would be exchanged and original documents would be sent through the postal system. Email made life so much easier. Email solved everything, and we embraced it fully. But should we still be using email in business?
Obviously the answer is “yes”, because that's what everyone else does, and your primary goal is probably to communicate with the minimum of fuss. But email isn't ideal for every type of message you want to send – and it certainly isn't secure. Thankfully there are alternatives, but can you use them with those who are potentially wed to email for life?
Show me your secrets
Email is like a postcard being sent (albeit very quickly) through the mail. Every person (or computer) who handles the message can read it. There's no envelope to obscure the message or keep its contents safe. This means that sensitive information is exposed.
You have no secrets? I dare you to send copies of every letter and other correspondence that's passed between you and your company's accountant or Chief Financial Officer to Pastebin.com. It's nobody else's business how you set up your company's pension system or how you structure your accounts. And I can almost guarantee that someone in your organisation has sent a password to a business system over email at some stage. This is sensitive information that needs to be protected.
The obvious fix is to use encryption, but this is challenging even for IT professionals. Normal office workers struggle with the oft-recommended encryption products such as GnuPG or PGP. Even security geeks struggle with them – have you tried using PGP on a smartphone?
Some email providers have woken up to the problems with email security and now provide encrypted connections, so when you send a message from, for instance, a Starbucks WiFi network it's moved to the email server in such a way that other users won't be able to read the email or intercept your password. But once the email begins its travels over the internet, it will likely pass through unencrypted connections, at which point any information in the message is exposed.
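The hop-by-hop exposure described above can be checked on a received message, because each server records how it accepted the mail in a Received header. The following is an added example, not part of the original article; the sample message and its hostnames are constructed, and `hops` and `first_unprotected_hop` are hypothetical helper names.

```python
import re
from email import message_from_string

# Constructed sample message; hostnames and addresses are placeholders.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])
 by mailstore.recipient.example with ESMTP id C3; Mon, 1 Jan 2024 10:00:03 +0000
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
 by mx.recipient.example with ESMTP id B2; Mon, 1 Jan 2024 10:00:02 +0000
Received: from laptop.cafe.example (unknown [192.0.2.44])
 by relay.isp.example (Postfix) with ESMTPSA id A1
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384);
 Mon, 1 Jan 2024 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
"""

# "with" protocol keyword of a Received header (SMTP, ESMTP, ESMTPS, ESMTPSA, LMTP...).
WITH_RE = re.compile(r"\bwith\s+((?:UTF8)?(?:E?SMTP|LMTP)(S?A?))\b", re.I)
# Free-text TLS annotations that many servers add, e.g. "TLSv1.3" or "TLS1_2".
TLS_NOTE_RE = re.compile(r"\bTLSv?1[._]\d", re.I)

def hops(raw_message):
    """Return (from_host, by_host, protocol, tls_recorded) per hop, in travel order."""
    msg = message_from_string(raw_message)
    result = []
    # Each server prepends its own Received header, so reverse to follow the route.
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(header.split())  # unfold continuation lines
        sender = re.match(r"from\s+(\S+)", text)
        receiver = re.search(r"\bby\s+(\S+)", text)
        proto = WITH_RE.search(text)
        # RFC 3848: an "S" suffix in the keyword (ESMTPS, ESMTPSA) means TLS was used.
        tls = bool(proto and "S" in proto.group(2).upper())
        tls = tls or bool(TLS_NOTE_RE.search(text))
        result.append((sender.group(1) if sender else "?",
                       receiver.group(1) if receiver else "?",
                       proto.group(1).upper() if proto else "unknown", tls))
    return result

def first_unprotected_hop(raw_message):
    """First hop with no TLS recorded, or None if every hop recorded TLS."""
    return next((h for h in hops(raw_message) if not h[3]), None)

if __name__ == "__main__":
    for src, dst, proto, tls in hops(SAMPLE):
        print(f"{src} -> {dst}  {proto:8} {'TLS' if tls else 'no TLS recorded'}")
```

Received headers are written by the servers themselves, so a missing TLS marker means only that encryption was not recorded for that hop, and the message was readable on every server in the chain either way.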
Even if you're an email security ninja, and have no problem juggling public and private GnuPG/PGP keys, your fellow correspondents will almost certainly lack your expertise. It's guaranteed that at some stage someone will reply to your encrypted email and quote the clear text version of your secret message back to you, rendering your efforts useless and potentially flagging up that content as being particularly interesting (because you originally encrypted it, so it might contain juicy details)!
CC: Janet, John, Topsy, Tim, Bob, Alice, Eve…
Email's convenience is so great that we often forget about its shortcomings. And these aren't all about security. If you're working on multiple projects with different groups of people, you should think twice about relying solely on email. It's hard enough to follow an email thread with a few people contributing and replying to all. It becomes hard to track the conversation because replies don't always appear in a logical order.
For example, someone might write their reply while offline. Their message turns up later, after other people have contributed to the discussion. This can cause confusion at best. If people don't pick through the timestamps of each message carefully, the scope for miscommunication is vast. Alternatively, if enough people are being CC'd, there's a temptation to ignore the entire thread because clearly someone is paying attention to whatever issues are being discussed and you can quietly get on with other things. Then you have a communication breakdown.
Easier paths to security
So what's the answer? You can still use email, but maybe not for everything. If you want to send a private document to someone, enclose it in a password-protected ZIP file and send that by email or, even better, share a link to it using a file-sharing service such as Dropbox, which also has less impact on your email storage allowance. In both cases, you can share the password via some other means, such as text message.
Text messages (SMS) aren't secure either, but if you send a password-protected file by email and a password by SMS, you have at least split the two. This limits your exposure to all but very dedicated surveillants. And you can make SMS secure if both you and your colleague use encryption software. If you both use smartphones, this is remarkably easy in comparison to encrypting email. Install an app such as Signal and, when you first send a message to a specific contact, click the Invite To Signal box that appears to insert a link to the software. When you both have it installed, you won't even notice you're using it.
RIP IRC; long live IRC
If you want to collaborate easily, use a tool such as Slack or Ryver, both of which are good for sharing information about multiple projects between multiple people. Both sites are a modern, web-based take on Internet Relay Chat (IRC) but with added benefits. It's easier to search for specific notes and events than with email, and the order of different people's responses is usually very clear. Both services encrypt connections to the server with the Secure Sockets Layer (SSL) standard, so all messages will flow safely over the internet.
If someone learns your username and password, however, your whole message archive will be exposed. Choose a service that supports two-factor authentication (2FA), even if it simply involves a verification code sent by SMS. Slack supports this and a number of authentication apps such as Google's excellent Authenticator. Ryver does not appear to support two-factor authentication yet, which makes Slack more attractive from a security perspective.
Bear in mind that any web-based tool, whether using HTTPS and 2FA or not, could be hacked. Don't share important passwords or other very sensitive data using collaboration tools that store data online. Sometimes nothing beats a meeting in real life for exchanging secrets (mackintoshes optional) but, if you can't manage that, Signal also supports encrypted phone calls.