Email is not secure but many treat it like it is (Part 1)
Everyone uses email to communicate. Whether for work or pleasure, email is everywhere. However, although email was not originally designed with a focus on security, law firms and clients send confidential transaction documents back and forth by email on a daily basis.
Email is not secure because there are many steps between you sending your email and your recipient receiving it. If any one of these steps is compromised, your email and its content will be compromised. In the first part of our two-part series on email security, we’re going to focus on the vulnerabilities that arise from the network that transports your email. In our second post, we’ll focus on the vulnerabilities that arise from human behaviour when using email.
Emails must travel over vast networks to arrive at their destination and as your email travels through these networks, vulnerabilities arise at different places. For example, you may send an email using a secure email provider but your recipient’s email provider may not be secure. Any vulnerability in the network between you and your recipient can lead to a data breach.
The best way to improve data security is to encrypt that data, that is, to transform it in a way that leaves the content unreadable and therefore secure from an attacker who may somehow intercept the email. Data can be encrypted both while being stored on a server (protecting your email’s contents should the server be hacked) and while in transit (such that if the message is intercepted while traveling through the network, it cannot be read by the attacker).
Cloud-hosted webmail services
Using cloud-hosted webmail services such as Gmail improves security because Gmail encrypts your emails both in transit and at rest. Therefore, your email is encrypted as it leaves your computer and enters Google’s data centers and also while it passes through Google’s data centers (encryption in transit). Your email is also encrypted while stored in Google’s data centers (encryption at rest). However, keep in mind that Google has a key to this encryption and mines all emails in order to sell targeted advertisement opportunities to third parties, something your clients may not consent to.
Using Gmail (or Outlook) is a good start to ensuring security, but if your recipient has a different email provider, your email must leave Google’s servers to reach its destination and Google cannot encrypt that part of the network (although Gmail can inform you if that part of the network is encrypted or not). Therefore, if your recipient’s email provider has any vulnerabilities, your email is once again at risk of compromise.
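Whether each leg of the journey described above reported transport encryption can be checked after delivery from the message's Received headers. The following Python code is an added example, not part of the original post; the sample message, host names and function names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample message: every host and address here is made up.
SAMPLE = """\
Received: from mx.recipient-firm.example ([203.0.113.9])
\tby mailstore.recipient-firm.example with ESMTP id c3;
\tTue, 02 Jan 2018 10:00:03 -0500
Received: from out.sender-mail.example ([198.51.100.7])
\tby mx.recipient-firm.example with ESMTP id b2;
\tTue, 02 Jan 2018 10:00:02 -0500
Received: from laptop.lawfirm.example ([192.0.2.10])
\tby out.sender-mail.example with ESMTPSA id a1;
\tTue, 02 Jan 2018 10:00:01 -0500
From: lawyer@lawfirm.example
To: client@recipient-firm.example
Subject: Closing documents

See attached.
"""

# "with" keywords (RFC 3848 / RFC 6531) that signal the hop ran over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S | re.I)

def audit_hops(raw_message):
    """Return one dict per hop, in delivery order (sender's side first)."""
    msg = message_from_string(raw_message)
    hops = []
    # Each server prepends its own Received header, so reverse the list.
    for header in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(header)
        if not m:
            continue  # header does not follow the from/by/with layout
        proto = m.group(3).upper()
        hops.append({"from": m.group(1), "by": m.group(2),
                     "protocol": proto, "tls": proto in TLS_PROTOCOLS})
    return hops

def unencrypted_hops(raw_message):
    """Return (from, by) pairs for hops that did not report TLS."""
    return [(h["from"], h["by"]) for h in audit_hops(raw_message) if not h["tls"]]

if __name__ == "__main__":
    for hop in audit_hops(SAMPLE):
        status = "TLS" if hop["tls"] else "NO TLS REPORTED"
        print(f'{hop["from"]} -> {hop["by"]}: {hop["protocol"]} ({status})')
```

Received headers are written by each server along the path, so they show what each hop reported rather than proving it, and some servers record TLS only in a trailing comment rather than in the "with" keyword.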
As a result of all of these opportunities for vulnerability, every time you email a confidential transaction document to another lawyer or client, you put that document at significant risk of being compromised. Not to mention that the documents arrive unencrypted at your recipient’s computer and so their behaviour will impact security (more on this in part two of our series on email security).
One of the big four accounting firms, Deloitte, was hacked in the fall of 2017. One of Deloitte’s servers was breached and it contained emails from about 350 clients, including four US government departments, the United Nations and some of the largest companies in the world. It is likely that the data was stored in unencrypted form on Deloitte’s servers and was therefore vulnerable to just such a hack. Once the attacker accessed Deloitte’s server, the attacker could view everything, including email, in plain text form. It’s for this reason that encryption at rest exists: should a server or data center be breached, the attacker is left with meaningless and useless data. Deloitte stated that they knew exactly what information the attacker targeted and the number of clients impacted by the breach but other sources have argued that Deloitte was downplaying the impact of the breach. Regardless, Deloitte’s reputation was impacted. If a large, global accounting firm can be successfully hacked, a law firm of any size can be as well.
Benefits of document sharing platforms
Document sharing platforms such as dealcloser eliminate these vulnerabilities. Services like dealcloser should encrypt your data both in transit and at rest, such that if any data is ever obtained, the attacker is left with meaningless and useless data. These services should allow you and your clients to log onto an encrypted platform that allows for the viewing of documents only with the proper credentials, eliminating the need to email documents back and forth. The physical data centers used to store data should also be protected by biometric locks and round-the-clock surveillance monitoring, making physical access to the data center impossible. Finally, the infrastructure behind the document sharing platform should hold compliance certifications such as ISO 27001 (Security Management Controls), ISO 27018 (Personal Data Protection), SOC 1 (Audit Controls), SOC 2 (Security, Availability and Confidentiality) and SOC 3 (General Controls). Data centers should also be compliant with privacy legislation from various jurisdictions including the US, the EU and Canada.
Using a document sharing platform such as dealcloser is significantly more secure than emailing your transaction documents back and forth. It’s also faster and easier to share documents with dealcloser than with email. There’s no reason to wait: start using dealcloser today to securely and easily exchange documents with your clients!
Visit our security page to learn more about the industry-leading security measures that we implement to keep your data confidential and secure.