Internal e-mail is not a safe place
A company’s own e-mail system is usually thought of as a safe place to keep all internal e-mail. But “internal” e-mail is often handled and stored by an external provider, such as Google.
When e-mail is used to send sensitive information, storing it with an outsourced e-mail service or on its servers should raise an alarm for whoever is responsible for data security and data privacy. Some questions worth asking:
- Does the service provider agreement also cover situations where sensitive information has ended up in places where it does not belong?
- How fast do they respond to breaches?
- How many e-mail service admins have access to the e-mail data?
- Have you signed a GDPR data processing agreement with the provider?
In practice, the most reliable way to protect communication and file sharing is to use strong encryption from the moment a message is sent: the data is encrypted on the sender’s computer, and only the recipient, who holds the decryption key on their own computer, can open it when reading the e-mail. The provider in between stores and forwards ciphertext it cannot read. PGP, invented in the early 1990s, is a good example of such a technology, and it works with any e-mail client or provider. Its weak point has always been the keys: the sender needs an authentic copy of the recipient’s public key, and obtaining and verifying it has been a manual task that is too difficult for normal users. More than anything else, this is what has prevented its use on a larger scale.
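The following script is an added example, not code from the original article or from any product it mentions. It walks through the OpenPGP flow just described with GnuPG: the recipient generates a key pair on his own machine, exports only the public key, the sender imports it, verifies its fingerprint, encrypts on her machine, and the recipient decrypts on his. Everything runs in throwaway keyrings under a temporary directory, so it does not touch real keys. It assumes `gpg` and `gpgconf` from GnuPG 2.1 or later are on the PATH; the names, e-mail addresses and message text are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): an end-to-end OpenPGP round
# trip with GnuPG, showing what "encrypt on the sender's computer, decrypt on
# the recipient's" means in practice, and where the hard part sits: obtaining
# and verifying the recipient's public key.
# Assumes: gpg and gpgconf from GnuPG 2.1+ on PATH. Names, addresses and the
# message are made up for this demo.
set -eu

BOB='bob@example.invalid'   # made-up recipient address
KEYS_READY=0

# Throwaway keyrings so the demo never touches the caller's real keys.
WORK=$(mktemp -d)
ALICE_HOME="$WORK/alice"; BOB_HOME="$WORK/bob"
cleanup() {
  for h in "$ALICE_HOME" "$BOB_HOME"; do
    gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$WORK"
}
trap cleanup EXIT

# Non-interactive gpg in a given homedir ($1). The empty passphrase is for
# the demo only; a real private key is protected by a passphrase.
g() { h="$1"; shift
      gpg --homedir "$h" --batch --quiet --no-tty --pinentry-mode loopback \
          --passphrase '' "$@" 2>/dev/null; }

# Primary-key fingerprint of the key for $2 in homedir $1 (colon-separated
# machine-readable listing; field 10 of an "fpr" record is the fingerprint).
fpr() { g "$1" --with-colons --fingerprint "$2" | awk -F: '/^fpr:/ { print $10; exit }'; }

# Step 1: Bob generates a key pair on his own machine; the private key never
#         leaves BOB_HOME, only the public key is exported.
# Step 2: Alice receives the public key (by any channel) and imports it.
# Step 3: Alice compares the fingerprint with what Bob told her out of band.
#         Here "out of band" is reading Bob's own keyring; in real life Bob
#         reads the fingerprint to her by phone or prints it on a card.
setup_keys() {
  [ "$KEYS_READY" -eq 1 ] && return 0
  mkdir -p "$ALICE_HOME" "$BOB_HOME"; chmod 700 "$ALICE_HOME" "$BOB_HOME"
  g "$BOB_HOME" --quick-gen-key "Bob <$BOB>" default default never
  g "$BOB_HOME" --armor --export "$BOB" > "$WORK/bob.pub"
  g "$ALICE_HOME" --import "$WORK/bob.pub"
  expected=$(fpr "$BOB_HOME" "$BOB"); got=$(fpr "$ALICE_HOME" "$BOB")
  [ -n "$expected" ] && [ "$expected" = "$got" ] \
    || { echo "fingerprint mismatch: refusing to encrypt" >&2; return 1; }
  KEYS_READY=1
}

# Step 4: Alice encrypts on her computer. The armored output is all the mail
#         provider ever stores; without Bob's private key it is useless.
#         --trust-model always: the fingerprint check above is our trust decision.
encrypt_for_bob() {
  printf '%s' "$1" | g "$ALICE_HOME" --trust-model always --armor \
                         --recipient "$BOB" --encrypt
}

# Step 5: Bob decrypts on his computer (ciphertext on stdin, plaintext on stdout).
decrypt_as_bob() { g "$BOB_HOME" --decrypt; }

# Stand-alone demo: what the provider sees versus what Bob reads.
setup_keys
CIPHERTEXT=$(encrypt_for_bob 'Board minutes: the acquisition closes on the 14th')
printf 'Stored at the provider:\n%s\n\n' "$CIPHERTEXT"
printf 'Bob reads: %s\n' "$(printf '%s' "$CIPHERTEXT" | decrypt_as_bob)"
```

The fingerprint comparison in step 3 is the part no tool can automate away: if Alice skips it, anyone who can substitute a public key on the way to her (including the provider) can read what she encrypts. That manual step is exactly the usability barrier the text refers to.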
So what should you do if you don’t have a large IT department with deep security expertise?
The answer is to use e-mail, internally and externally, for less sensitive information only. Sensitive files and documents should be managed in a secure collaboration workspace that is genuinely easy to use, like Konfident.io.