Monthly Archives: January 2012

When creating Email Policy – Include Guidelines for when Staff must use Encrypted Email

The Importance of Guidelines to Ensure Efficient and Effective Email Use

“Most companies are grappling with email overload,” says Monica Seely, an email management expert at Mesmo and author of Brilliant Email. “Companies are losing up to 20 days per person per year, dealing with email poorly.” Most of us would not disagree with these statements. But how many organizations have you encountered that have email guidelines in place that are actually enforced? The answer is likely none. Having no email charter (that is adhered to) is like having no HR policies for staff (that are adhered to). Payroll and the inefficient use of email are among the largest costs in most professional services organizations. Guidelines for managing these resources are not nice-to-haves but fundamental business rules, and they apply to an organization of any size. Having the guidelines in writing is not enough. To be effective they must be enforced and become part of the operational culture and house rules, as second nature as, well, sending an email. Sending a flaming email or an unwarranted ‘reply to all’ with the dreaded “thanks!” should become as unacceptable and ‘yesterday’ as scotches for lunch and smoking at our desks. One can’t assume that staff ‘just know’ how to use email. For most individuals, email training is non-existent: it ends with opening MS Outlook and composing their first email.

Guidelines for when Secure Encrypted Email must be used

If you are on vacation and want to send something generic to a friend such as “wish you were here”, you send a postcard. If the message is more personal and you would prefer that only the intended recipient read it, you send it in a sealed envelope. The same principle applies in the business world. Encrypted email is your sealed envelope, and depending on the encryption service used it can be more like a signature-required, guaranteed-delivery package. Rarely covered in an email policy are guidelines for sending sensitive or client-confidential information. The organization or sender who includes sensitive business, client, or employee information in an email is unequivocally responsible for ensuring that the information is secure and seen only by the intended recipients. Without email encryption, a message can be read at every mail server and network hop it passes through on its way across the internet, and it sits in plain text in every mailbox and backup along the way; even where two mail servers happen to encrypt the connection between themselves, that protection is opportunistic and hop-by-hop, not end-to-end. Sending such a message leaves the organization exposed to data leaks, breach of privacy, and regulatory non-compliance. It’s like sending a postcard into cyberspace.

Sample Encrypted Email Guidelines

Here’s just a sample of general guidelines that can be included in your email charter to address the use of encryption to ensure that sensitive content is seen only by the intended recipients. Encrypted email must be used:
  1. When sending or discussing confidential, strategic, non-public, or classified business information.
  2. For Board of Directors discussions.
  3. When sending or discussing any type of client confidential, privileged, or private information. Clients could include students, patients, citizens, or customers.
  4. When emails include credit card numbers, social security numbers, passwords, logins or any recognizable format for sensitive information. The use of data leak prevention (DLP) tools here is also key. DLP tools recognize the format of email content, such as xxxx-xxxx-xxxx-xxxx for a 16-digit credit card number (ideally confirmed with the Luhn check digit so that order or phone numbers are not flagged), and prevent the email from being sent, or at least warn the sender to encrypt it. Pattern matching is a safety net, not a substitute for the guideline: it catches recognizable formats, not free-text descriptions of sensitive matters.
  5. When attaching any kind of sensitive document to an email. Encrypting the message is far more secure than relying on a password to open the document: document passwords can be brute-forced offline by anyone who obtains the file, and the password is too often sent in the same or the next unencrypted email.
  6. By all legal and accounting staff working for the organization, or any staff who frequently deal with confidential information as part of their regular duties. This may include IT and Sales.
  7. When communicating outside the organization with firms dealing with sensitive information such as legal, accounting and IT firms. In many sectors, such as the healthcare industry or public sector, guidelines would include a long list of external or partner agencies.
  8. By HR staff when communicating sensitive employee information, AND when communicating with potential new hires and candidates – particularly when discussing or sending employment offers.
  9. As an aside, secure email guidelines should also include guidelines on the topic of email delegates: how to communicate which staff members have delegates, and alternative communication methods to reach staff with delegates when ultra-sensitive emails are exchanged. Navigating the sensitivities of email delegates can be challenging if guidelines are not in place.
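As an added example of the pattern-matching check that item 4 describes (this is illustration code written for this page, not code from the article or from Email2's product), the Python below scans an outgoing message body for recognizable formats, applies the Luhn check so that reference numbers are not mistaken for card numbers, and decides whether to send, warn the sender, or block. The regular expressions, the block/warn policy, and the sample messages are all constructed for the illustration; the Visa number in the sample is the widely published test card number, not a real account.

```python
"""Pre-send DLP check (added example; not the article's or Email2's code).

Scans an outgoing message body for recognisable sensitive-data formats,
returns findings, and decides whether to send, warn the sender, or block.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    kind: str      # what was recognised: "credit_card", "ssn", "password"
    masked: str    # matched value with all but the last four characters masked
    action: str    # "block" (hard stop) or "warn" (prompt the sender to encrypt)


# 13-19 digits, optionally separated by single spaces or hyphens (covers the
# xxxx-xxxx-xxxx-xxxx layout the guideline mentions and the unspaced form).
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US social security number as commonly written: 3-2-4 digits.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
# A credential handed over in prose: "password: hunter2", "pwd = Welcome1".
PASSWORD_RE = re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; weeds out most order/phone/reference numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so a finding can be logged safely."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def scan_message(body: str) -> List[Finding]:
    """Return one Finding per sensitive item recognised in the message body."""
    findings: List[Finding] = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # a digit run that fails Luhn is not treated as a card
            findings.append(Finding("credit_card", mask(digits), "block"))
    for m in SSN_RE.finditer(body):
        findings.append(Finding("ssn", mask(m.group()), "block"))
    for m in PASSWORD_RE.finditer(body):
        findings.append(Finding("password", mask(m.group(1)), "warn"))
    return findings


def decide(findings: List[Finding]) -> str:
    """Policy (assumed): any 'block' finding stops the send; 'warn' only prompts to encrypt."""
    if any(f.action == "block" for f in findings):
        return "block"
    return "warn" if findings else "send"


# Constructed sample messages (not real data); 4111 1111 1111 1111 is the
# widely published Visa test number, which passes the Luhn check.
SAMPLES = {
    "card_and_ssn": "Hi, my card is 4111 1111 1111 1111 and my SSN is 123-45-6789.",
    "reference_only": "Quoting reference number 1234 5678 9012 3456 from your letter.",
    "credential": "Your temporary login is jdoe, password: Welcome1 (please change it).",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        found = scan_message(body)
        print(name, "->", decide(found), [(f.kind, f.masked) for f in found])
```

Run as a script, the first sample is blocked (card and SSN), the second is allowed to send because the digit run fails the Luhn check, and the third produces a warning for the password. A real mail gateway would hook the same check in before the message leaves the organization and would also decode and inspect attachments, which this illustration does not.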
Once communicated, email rules or guidelines should be adhered to and enforced like any other organizational policy. With minimal training and reminders, email can be a highly effective communication tool. There has been a lot of talk recently about rogue companies abolishing email altogether as a way of dealing with its ineffective use. But the reality is that email is not going anywhere for the foreseeable future. It’s not the medium that’s the problem. It’s who uses it and how. Contact us here if you would like to receive a complete email policy or guidelines template.

Ariane Laird works with Email2. Email2 provides straightforward secure email encryption and data leak prevention solutions for various sectors, and uses the same security technology as Internet banking. From your desktop to mobile, securely send, receive, control, track and automate delivery of confidential email and large attachments outside the organization. Brilliantly simple, anytime anywhere encryption, without requiring staff or recipients to change their existing email.

Is your bank using encrypted email to communicate with you – the customer?

It occurred to me in November that I have been using basic email to communicate with my (wonderful) banking representative for years. The topics sent back and forth on email could not be more sensitive in nature. The information included requests to transfer funds, bank account numbers, mortgage renewals, line of credit requests, social security numbers, passwords, credit card information and, gulp, income information and income tax statements by way of file attachments. Not once did the senior banking representative alert me that we should not be transferring this type of information when corresponding by unsecured basic email. Nor did he provide me with an alternative secure email solution. He tends to be very customer-service oriented and understands and respects that my preference by far is to use the asynchronous communication method of email. This way I can email him at midnight when it’s convenient for me, and he can respond when it’s good for him. However, convenience and customer preference should never override the fundamental right to privacy or securing my ultra-sensitive information. It’s also important to note that I bank with one of the 2 largest (and most profitable) banks in the country. It is unequivocally the banking institution’s responsibility to 1) ensure that my confidential and private information is only seen by intended recipients and 2) accommodate my preference for email communication. In that order, but preferably both. When this uneducated and naive customer (me) finally understood that my emails were not secure and could easily be intercepted once they left my computer and travelled through various nodes in the world ‘wild’ web en route to their final destination, I brought the subject matter up with my rep. My aha occurred after 313 emails were sent to my banking rep (yes, I counted them), which does not include emails received.
After my inquiry, my banking rep advised in November of last year that he ‘did’ have access to an encrypted email solution, but did not seem to be that familiar with it. He would get back to me. I reminded him about this again the following January, after sending him 10 additional confidential emails during the 2-month lag. He finally sent me a link to a web page for accessing their secure banking email. It was a one-page, badly laid out and confusing user interface. It looked like a school project from a first-year comp sci student. And that student would undoubtedly have received a ‘C’ for that project. But the worst part of this experience is that the password for accessing the secure email site was created and sent to me by my banking rep using basic email! I tried to respond to his encrypted email, but the ‘solution’ sent me a canned email requesting my ‘encryption certificate’ and to include my ‘digital ID’. It read: “The easiest way to do this is to apply a digital signature to your reply using your e-mail software.” Huh? The first-year comp sci student who developed this tool clearly did not speak my language, which is English. I emailed my banking rep to find out what this meant, and he replied that he may not have followed the process correctly. And that was the end of that. (true story) I came up with 3 conclusions as a result of this experience.

1.  Lack of Confidence that Humongous Bank cares about securing my Confidential Information

I have very little confidence that my humongous and well-established bank cares about securing my private and confidential banking, personal or financial information. It has not trained its staff to understand the importance of securing customer communication and passwords.  Does encrypted email only become a recommended option when a customer inquires about security?  I’ll also clarify that my banking rep has been with the bank for at least 20 years and is not a junior account rep.

2.  Banking & Financial Services 101: User-Friendly Email Encryption Solutions that work

Providing me with a secure and user-friendly email encryption solution that does not require a technology dictionary and a 10-page instruction manual is NOT a difficult task for an extremely profitable banking institution. After all, they have figured out the technology and user interface for Internet banking, haven’t they? The email encryption solution that I was provided has to be an embarrassment to any successful or progressive organization, but particularly one that provides financial services. And let’s not forget about policies regarding basic email. If financial services organizations are permitting their staff to communicate with customers using an unsecured email system, then at minimum, data leak prevention policies and tools must be in place to ensure that if and when confidential information such as bank account numbers, passwords or credit card numbers is included in a basic email, the sender is alerted, if not prevented from sending the email. It appears as though even humongous bank does not have to adhere to basic and fundamental principles in securing customer information and privacy.

3.  Banking & Financial Services Customers are Unaware that Basic Email is not Secure

My banking rep does not often use his email encryption solution and doesn’t seem to be familiar with it.  I am left to conclude that his hundreds of other banking customers are clearly not clamoring for their private information to remain secure, likely because most have no clue that email is not secure and that straightforward alternatives do exist. To all banking or financial services customers, or any customer of an organization where your confidential information is exchanged:  Using unsecured email or fax is like shouting something across a crowded room.  If you are willing to take the chance that your private, confidential or financial information is intercepted and seen by the occupiers of a crowded room, then by all means, carry on with the status quo.  How about a nice order of identity theft with that email?   Ariane Laird works with Email2.
  • Email2 provides straightforward secure email encryption, data leak prevention, and e-statement solutions for the financial service industry using the same security technology as Internet banking.
  • Email2 enables financial services organizations to securely send, receive, control, track and automate delivery of confidential email and large attachments outside the organization – without requiring staff or recipients to change their existing email.