In April, a thousand students at Penryn College in Cornwall received a copy of an email containing confidential information about their peers, with the incident receiving coverage in the local media and being reported to the Data Protection Agency. Breaches such as this are more frequent than you might imagine, and many people will have either sent an email in error or received one that was sent in error. Why is this happening? The short answer is email is insecure. It is a tool that has no built-in security.
Email’s success was never anticipated to be what we see today when it was first invented. The world has become addicted to email, but email is not the only area of the internet that needs security. We carry out transactions on the web (we all buy books and flights), our own computers are secured and our data is located all over the place. The real difference is that these other areas have all, to varying extents, been secured for us. We have firewalls on our computers, we have anti-virus, anti-spam and we have the little green padlock (SSL) on our browser to show we are secure.
But email is the IT industry’s dirty little secret. The improvements we have all experienced in other areas of our IT life have led to many incorrectly thinking that email is also secured. The press, Edward Snowden and the NSA have shown that this is not the case. Think about it. When you go to many major websites to buy a book, you have to log in. When you do so, the little green padlock shows that your connection to the website is encrypted. It means that nobody (like the NSA) can see your username and password as it whizzes across the wires of the internet.
What if you forget your password? You click ‘Forgot password’ on that website, enter your email address and guess what? It simply emails a copy of your password or a new password or a reset link to your email in clear. Think about it. These sites would never let you log in without encrypted links (padlock). They would never want your user ID and password to travel across the internet unprotected. It would be madness to do so in this day and age. But forget your password and they will happily send it across the same links in clear. It is one of many ludicrous examples where email is used insecurely. It’s like trying to convince someone that drinking beer out of a straight glass is healthy, but drinking the same beer out of a glass jug is unhealthy! Either it is secure to send information across the internet in clear or it isn’t. There are no ifs and buts.
So why has this been allowed to persist? This is a complicated mixture of issues. The first is culture. Most people did not realise email was insecure until recently and the IT industry did nothing to educate people. Why? Because there were, until recently, no viable mass-market solutions. The second issue is one of risk management. Most are poor at it. We regularly hear the argument that they have never had a data breach or an email issue so they do not need to do anything. That is like saying I have never had a car crash so I will not need to wear a seat belt.
The education sector is starting to get to grips with this problem, with some schools looking at email encryption. There are real benefits to secure communications over and above data protection. Once channels are secure, then more can be done over them, including transactions and forms. Securing email is just the start, opening up truly convenient channels is the big win.