How often have you heard someone say “If you’re not doing anything illegal, then you have nothing to hide?” When asked this, I tend to respond with, “OK, then how about you give me the login credentials for all of your email accounts, including the ones you use for personal use?” I think of this as analogous to allowing a stranger to walk around in your house. Hey, it’s OK as long as you’ve got nothing to hide, right? The point is that, no matter what is contained in our electronic data, most of us want peace of mind in knowing that it isn’t being accessed by unauthorized individuals.
This concern for privacy doesn’t just apply to individuals. It applies to businesses as well. Businesses rely on electronic communication to send sensitive information such as invoices, employee records, financial reports, and other confidential data. In fact, businesses currently send more than 100 billion emails each day, and that number is projected to skyrocket to almost 140 billion emails a day in another year. If this information gets into the wrong hands, it can lead to devastating losses for the company, as well as damage to its reputation. For example, in 2013 and 2014, Target suffered breaches of approximately 110 million customer records in two separate attacks. Earlier last year, a security expert discovered that 272.3 million accounts had been stolen from Google, Yahoo, Microsoft, and Mail.ru (Russia’s most popular email service). In 2013, Yahoo suffered a breach that is believed to have impacted over 1 billion users. In September of 2016, at least 500 million Yahoo user accounts were compromised in a massive data breach that may have included names, email addresses, phone numbers, birthdates, and hashed passwords. In 2012, 165 million LinkedIn accounts were compromised. Though different attack vectors may have been used in each of these cases, the targeted information could have been safeguarded if it had been encrypted. Moreover, all it takes is for one host to be infected with malware to allow the interception and eavesdropping of confidential email content.
Breaches perpetrated by hackers aren’t the only threat to a company’s data. User error also poses a significant threat. According to the whitepaper “Content Encryption – Key Issues to Consider” from Osterman Research, these examples of users mistakenly sending unencrypted content were cited:
- An employee at Nationstar Mortgage mistakenly emailed copies of customers’ W-2 forms to an employee at Greenlight Mortgage, revealing Social Security numbers, names, addresses and other sensitive information.
- 845 patients of Tulare County Health received information on how to access protected health information (PHI) via the administration’s medical portal due to an employee mistake.
- Graduate students at the South Dakota School of Mines and Technology were inadvertently sent an email attachment that included the student identification numbers, grade point averages and other information of about 350 fellow students.
The costs of not sufficiently protecting your data are high. The findings from a study conducted by the Ponemon Institute show that the average cost of a security breach in the United States was $201 per compromised data record - $32 for detecting the breach and notifying the affected individuals, $55 for damage control costs including legal fees, investigations, fines and remediation, and $114 in loss of business due to customer abandonment. Regulated industries such as healthcare and financial services have the most costly data breaches due to fines and the higher than average rate of lost business and customers. In addition to financial losses, companies may also suffer damage to their reputation.
How could these incidents have been prevented? If these businesses had encrypted their data, they could have prevented unauthorized access to confidential information in the event of a breach. Encryption helps protect corporate and financial data of companies, as well as the personal data of their employees and customers. When data is encrypted, even if a user’s account has been hacked, the data would still be unreadable. Encryption also helps companies meet strict regulations such as FERPA, GLBA, and PCI compliance. Encryption solutions also offer the benefit of proof of identity when email messages are digitally signed, ensuring that the message is authentic and verified as having been sent from the purported sender.
A common misconception about email encryption is that it is only needed for larger businesses; however, small and medium size businesses are targeted just as frequently as large ones, and often can be affected much more severely in the event of an email hack. While a larger company may be able to financially survive a breach (but still at significant loss), a severe data breach could put a small company out of business. This is just one of many reasons why encryption is so important.
One of the most common challenges for email encryption is that it has had a reputation of being difficult to use, often requiring cumbersome key exchanges and extensive configuration. MDaemon’s client-side encryption feature (via Virtru) and server-side encryption (via OpenPGP) were designed for convenience and ease of use.
Virtru’s client-side encryption service is built into WorldClient, MDaemon’s webmail client. Setup is as easy as checking a box and verifying your identity. Once enabled, you can simply follow the steps outlined on this page to encrypt your messages. For server-side encryption, MDaemon’s OpenPGP settings make it easy to automate encryption of messages as they pass through the server. Administrators can follow steps outlined in this knowledge base article to enable OpenPGP, configure who can use it, and create keys for their users. This post includes a tutorial video on how to use the OpenPGP features in MDaemon, including how to encrypt an email message using special commands in the subject line, as well as how to automate the encryption process using the content filter.
No business is too small to protect its sensitive data from theft. If you’d like to ensure your company’s emails and attachments are safe, you should always encrypt. A few extra steps now can safe a great deal of headache later.