Never, Ever, Send Confidential Stuff via Email
Do you send private, confidential or secure information inside an email? Don’t. Never. Ever.
You might already know that emailing from a public Wifi hotspot is a huge problem since it is so incredibly insecure (see my post You’re in Danger on Public Wifi! for more). Since all of your information passes in the clear, it’s trivial for someone to snag it and read it or download the attachments.
The kicker? Email heading across the internet, sitting on a mailserver, or being retrieved by someone else in a non-secured way means that your private, confidential, secure information is also exposed.
Two reasons you should care about your email getting hacked.
REASON #1: Your Personal, Digital Life is Destroyed
We will get to the “How To” part of this post below, but just know for now that your email account getting hacked is your #1 problem.
Just ask Wired magazine contributor Mat Honan, who was hacked hard in 2012 and had his MacBook, iPhone and iPad erased (how he recovered his most important data, for $1,690, is here. It should also be noted that Apple, Amazon and others have implemented a 2-step authentication fix to Mat’s original issue…more on that below).
Even after that highly publicized fiasco, almost everyone I know still uses one, usually super-simple password for their email. They also use no other security measure to make certain their email can’t get hacked. It makes me sad so I’m going to try one more time to scare the crap out of you so you take action.
What could happen if a black-hat hacker stole or brute-forced your email account password:
- Do nothing but watch & read your email and steal the occasional, high-value stuff (perhaps from your customer’s emails sent to you too).
- Go to all of your accounts and do a “Forgot your password?” and reset your passwords at your bank, brokerage, Facebook, Twitter, and other accounts. If they get into your Apple iCloud account they can reset all your machines just like Mat Honan experienced, since the reset link always goes to your email. You would instantly lose access to ALL of those accounts and would have to scramble to stop the tsunami of problems, that is if your own devices weren’t already erased.
- If any documents you sent in the past are archived in your email account—and contain your Social Security number or other personal, private data—your entire identity could be stolen.
But the risks are even higher if you own a business and have access to sensitive client or customer data.
REASON #2: Mitigating Business Risk
If you own a business, or have any assets you could lose, you’d better have some concern about making sure you don’t get sued if you lose or breach your own client or customer data.
I’ll bet you, like I do, have clients or customers who routinely email sensitive information to you. Even though we have other, encrypted methods, I have client credentials emailed to us for their Google Apps, webhosting, Mailchimp, and other account data (for our Innov8Press business). Often I find myself educating them as to why they should NEVER, EVER send me secure information over email.
Our old legal firm, and our current bookkeeping firm, have nothing in place to send and receive clients’ data securely.
If you haven’t set something up for secure communications and have a breach, you might get sued. If someone gains access to your client’s data or credentials and hacks their accounts, you can probably count on a lawsuit. Hope you have good liability insurance or deep pockets ’cause you’re gonna need ’em.
What to do? First, secure yourself and then secure your business:
+ Buy a password manager: There is absolutely no reason for you to use the same damn password (or some easily guessable variant) on every site. Whining that “I can’t remember all these passwords though!” is exactly why you need one. In my secure vault I have literally hundreds of passwords and they are all different! Added to that are secure notes with information in them that has to remain confidential.
+ Use 2-step verification whenever available! If you have a mobile phone, you can use 2-step verification. If you have email with one of the big providers (e.g., Gmail, Yahoo Mail, etc.), shop at Amazon or Apple, or use one of the dozens of major web services that have implemented 2-step verification, then even if someone does steal your email password they’d also have to have your mobile phone in order to access your email account.
+ Get a Virtual Private Network (VPN). I won’t rehash what I said in my post You’re in Danger on Public Wifi! but, suffice to say, if you do not use a VPN and you do use public Wifi anywhere (e.g., coffee shop, airport, at a conference) you are playing Russian Roulette with your email security. If the bullet is not yet in the chamber, given enough spins it will be eventually and you will be hacked.
Here are options that will give you some idea about how to secure and share sensitive, confidential or personal data:
+ Sign up for a free 10GB Box.com account and have each one of your clients get a free account too. Make a folder for each client and share the respective folder with each one of them. Once done, files (each file can be up to 250 MB until your account limit is reached) can be shared, and anything uploaded from your (or your client’s) desktop is 256-bit encrypted on the way. Same thing with the Box mobile apps too.
We and our clients often share a document within which they place their secure credentials and other files. Works great and, once set up, is extremely easy for both the clients and my team.
NOTE: While Box is arguably more secure than the highly popular Dropbox, the latter’s files shared with clients in non-public folders are still relatively secure. Dropbox for Business is now available, but it is $15 per user, per month (5 user minimum or $75/month) and Box offers Business-class for $15 per user, per month but only has a 3 user minimum (or $45/month).
+ Sign up for a free SendInc account and have your clients do so too. Send and receive files with attachments up to 10 MB per email. Wait…how is that secure? It’s because if I send you a SendInc email, you receive only a notification in your inbox. You then have to log in to your SendInc account to read the email and, if one is attached, download the file.
+ Use a password manager for your business. Once you do receive these secure credentials, consider placing them within your password manager as a secure note (and deleting them from the shared folder…or saving that as a backup). We’ve standardized on LastPass for our business, and this password manager is especially useful since individual leaders can share specific passwords with specific team members and no one (except for me and my business partner) has access to the entire vault.
Hope this helps. Be careful out there on that internet-thingy.
About Steve Borsch