I met with an IT friend of mine and we had a discussion about security and email. I have been recommending that everyone use SSL or TLS to connect to their server when they are reading or writing emails.
Using SSL or TLS secures the connection between your email program and your mail server and ensures that your login details cannot be captured by a third party on that path. Email programs that do not use SSL or TLS send the login details in plain text. If these were intercepted, the password could be read, and a spammer could use your SMTP (sending) server to send out large volumes of spam, or read your mail and take over your account.
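As an added example (not code from the original post), here is how a Python script using the standard smtplib would enforce the advice above: it reads the server's EHLO capability list and refuses to send a password unless the session has first been upgraded to TLS with certificate and hostname verification. The host name is a placeholder.

```python
import smtplib
import ssl


def ehlo_advertises_starttls(ehlo_response: str) -> bool:
    """Return True if an EHLO reply (one capability per line) lists STARTTLS.

    Lines look like "250-STARTTLS" (more to come) or "250 STARTTLS" (last line).
    """
    for line in ehlo_response.splitlines():
        parts = line[4:].split()  # drop the "250-" / "250 " prefix
        if parts and parts[0].upper() == "STARTTLS":
            return True
    return False


def strict_tls_context() -> ssl.SSLContext:
    """TLS settings that verify the server's certificate and its hostname."""
    ctx = ssl.create_default_context()  # loads system CA store, CERT_REQUIRED
    ctx.check_hostname = True            # certificate must match the host we asked for
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def open_submission(host: str, port: int = 587, timeout: float = 10.0) -> smtplib.SMTP:
    """Connect to the mail server and upgrade to TLS before any AUTH command."""
    ctx = strict_tls_context()
    if port == 465:
        # Implicit TLS: the whole session is encrypted from the first byte.
        return smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
    client = smtplib.SMTP(host, port, timeout=timeout)
    client.ehlo()
    if not client.has_extn("starttls"):
        # Never fall back to a plaintext login if the server does not offer TLS.
        client.quit()
        raise RuntimeError(f"{host}:{port} does not offer STARTTLS; refusing plaintext login")
    client.starttls(context=ctx)
    client.ehlo()  # capabilities must be re-read after the upgrade
    return client


if __name__ == "__main__":
    # Constructed EHLO reply, as a server that supports STARTTLS would send it.
    sample = "250-mail.example.com\n250-STARTTLS\n250 AUTH PLAIN LOGIN"
    print("STARTTLS offered:", ehlo_advertises_starttls(sample))
    # Real use (placeholder host): server = open_submission("mail.example.com")
    # server.login(user, password); server.send_message(msg); server.quit()
```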
Once your email has reached your sending server, it may then be handled in plain text across the internet over multiple hops (Mail Relays) to the destination server, because that connection is generally not encrypted.
There are several systems out there, and they all need to play nicely together, but the bottom line is that we should, in the worst case, consider all email to be insecure, even though we may be applying best practices at the sending and receiving server ends of the system.
Can I get secure email?
It is possible to get secure email and encrypt it before it is sent. However, the receiving system also needs to support the decryption method, and the two sides need to exchange keys securely. These systems can also be expensive, and if you don't have both ends configured, then it will default to an insecure connection.
What can I do to improve security?
The only free option available to you is to ask the person wishing to send you a confidential form (e.g. a Referral Form) to password protect it before they send it. It is possible to password protect all MS Office documents as a save option, and it is also possible to password protect a zipped file or folder and a PDF document.
If higher levels of security are important to your organisation you should give this some consideration. You may need to define a process for handling incoming information over email in an encrypted or password protected format. Once it is inside your organisation you unprotect it and file it normally.
Check your privacy statements
Check your privacy statements against what you are declaring and amend them accordingly. The instructions I have provided in the past cover best practices for configuring and securing communications between your computer or device and the mail server. We cannot go beyond that level of security without also employing additional systems such as PGP (Pretty Good Privacy).
However, be aware that between mail servers (across the internet) the email may be in plain text, and if that traffic is compromised, it may be read by a third party who is able to intercept it between mail servers on the internet. Unlikely, but it could happen.
Concerned? Drop me a line.