Getting serious about e-mail security

E-mail is one of the most widely used forms of communication today. Estimates from May 2009 suggest that around 250 billion–with a “B”–e-mails are sent every day. That equates to more than 2.8 million e-mail messages per second, and some of them are not even spam.

E-mail is faster and cheaper than traditional postal mail, but at least when you seal that envelope and stick a stamp on it, you can have some confidence that only the intended recipient will open it. With e-mail, however, your message could be intercepted midstream, and you might never realize it.Copies and remnants of your message stored on your PC could be compromised as well. You have to take steps to secure and protect your e-mail messages.

Prying Eyes

Your PC provides easy access to your e-mail communications–both for you and for others. Anyone who happens to walk by your system–whether you’re in the middle of using it or have stepped away from your desk–could potentially see e-mail messages you are in the process of writing or have already sent, or your incoming e-mail messages. You need to take steps to minimize the opportunity for passing bystanders to snoop on your e-mail.

For starters, don’t leave your e-mail client open–or at least not maximized on screen. Whether you use a client application such as Microsoft Outlook, or a Web-based e-mail system like Google Gmail, you should minimize or close the e-mail window when you are not actively using it.

You also need to make sure that snooping eyes can’t see what’s on your screen when you walk away from your PC for an extended period of time. Many people know to lock or shut down the PC when leaving for the day, and perhaps even when going to lunch, but they might step out to discuss something with a coworker without thinking about it.

As an automatic security measure to protect your e-mail, as well as the PC in general, you should enable a screensaver (go to Control Panel/Appearance and Personalization). Set a delay before the screensaver kicks in–it shouldn’t be any less than five minutes because it is not uncommon to go five minutes without touching the mouse or keyboard while reviewing a document or reading a Web page, and having the screensaver come on would be an annoyance. Fifteen minutes is a reasonable timeframe. Make sure you check the box to display the logon screen and require credentials when resuming.

This should go without saying, but make sure you have a secure password. Using your dog’s name, or that of your favorite baseball team, won’t provide much protection. In fact, you should never use any word that can be found in a dictionary; guessing or cracking them is trivial.

Protecting Web-Based E-Mail
Web-based e-mail has the advantage of being available virtually anywhere, any time, and from any device that can get on the Web. It also comes with some additional security and privacy concerns, though.

On any PC, but particularly on a shared or public PC–such as one in a hotel or library–make sure you log out of the Web-mail client. Forgetting to actually sign out could allow the next user who comes along to access your e-mail account.

Web browsers maintain a history of visited sites, and a cache of browser data that help them load frequently visited pages more quickly. The history and cache may also inadvertently expose your e-mail messages. When you are done using your Web mail, you can go into the settings for the browser and clear out the cache.

Better yet, use private browsing. The most popular Web browsers–such as Internet Explorer, Firefox, and Chrome–have an option to surf the Web using a private or anonymous mode. When you use the private browsing mode, your entire Web session is more secure, since no data is retained in the history or cache.

Whether on a shared computer or your own PC, another suggestion is to use an alternate browser. For example, if the default browser for the PC is Internet Explorer, use Firefox, Chrome, or some other browser just for your Web mail. That way, if someone else uses the system, they will likely use the default Web browser, so using a different browser will reduce the chances of exposing or compromising your e-mail account.

Encrypt Your E-Mail

No matter how you lock down your PC, or what precautions you take to ensure that nobody can access your e-mail messages locally, the messages still have to travel from point A (the e-mail server) to point B (your PC). As the digital message traverses the Internet, those e-mails could potentially be intercepted by unauthorized users.

You can prevent your messages from being compromised by using encryption. As long as your messages are encrypted, an unauthorized user that intercepts a message would not be able to actually read it. Without the proper decryption, the content of the message would just be digital gibberish.

For Web-based e-mail like Gmail or Yahoo Mail, you can use SSL (Secure Sockets Layer) encryption. Most users recognize SSL-encrypted Web pages by the little padlock icon displayed on the browser page, or by the fact that the URL begins with “https” rather than “http”. For example, if you connect with Gmail via SSL, the connection between Google’s servers and your PC–and the message traffic over that connection–is encrypted and protected from being intercepted en route.
Microsoft Outlook can also send encrypted e-mail messages, but instead of using SSL, it relies on a system of public and private keys. The message is encrypted using your private key, and only recipients that have the associated public key will be able to view the e-mail. The public key can be shared with any recipient, whether they use Outlook or not.

Guidance on the Microsoft Office site explains, “Sending and viewing encrypted e-mail messages requires both sender and recipient to share their digital ID [digital ID: Contains a private key that stays on the sender’s computer and a certificate (with a public key). The certificate is sent with digitally signed messages. Recipients save the certificate and use the public key to encrypt messages to the sender.], or public key certificate. This means you and the recipient each must send the other a digitally signed message, which enables you to add the other person’s certificate to your Contacts. Once both parties have shared certificates, sending and viewing encrypted e-mail messages between them is the same as with any other e-mail messages.”

After You Hit Send

The precautions described above will help ensure that prying eyes don’t view or access the e-mail on your PC, and protect your messages from being intercepted en route, but what about protecting the privacy of your e-mail even after you send it? Perhaps you have something of a sensitive nature to communicate, and you want to make sure that the recipient doesn’t forward or share the message.

Microsoft Outlook has information rights management (IRM) features that let you exercise some control over your messages even after you hit Send. When you are composing an e-mail in Outlook 2010, select Options on the menu bar, then click the arrow under Permission, and check the Do Not Forward option. Recipients who are not using an e-mail client that supports Microsoft’s IRM must download the Rights Management Add-on for Internet Explorer to view restricted messages.

Some businesses manage the IRM features from their own servers, but for individuals or businesses that don’t, Microsoft can manage IRM credentials and authentication for you. The first time that you use the IRM features, Microsoft will automatically prompt you to register to use the service (to see the IRM screen, click the thumbnail image below).

Selecting the Do Not Forward option for your e-mail message makes the message private between you and the intended recipient. It lets the recipient receive and view the e-mail, but it prevents the message from being forwarded, printed, or copied.

Another way to restrict the use of your e-mail message and protect your privacy is to set the message to expire. You can define an expiration date and time for the message, after which the recipient will no longer be able to open or view it. However, this functionality only works in business settings built around Exchange Server and Group Policy. Setting an expiration for an e-mail sent to an external Yahoo mail account will have no effect.

Be careful never to assume that anything you send digitally is one hundred percent private. There is a saying that you should never say anything in an e-mail–no matter how private you might think it is–that you wouldn’t want plastered on a public Website. But, if you follow the guidance outlined here, you can take proactive steps to safeguard your privacy and at least minimize the chances that unauthorized prying eyes will see your messages.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Story

How the CTO can Maintain Cloud Momentum Across the Enterprise

Embracing cloud is easy for some individuals. But embedding widespread cloud adoption at the enterprise level is...

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.

Featured Tech Jobs