Data Security – Need to share data? (P.S. Don’t use email!)

Data Security & Email

Data security is a concept that is familiar to almost everyone now – and there’s even a Data Protection Day!  However, despite the widespread awareness of data security, many employees continue to send data via email.

In this article we will look at why email is not a safe way to send data and examine secure ways to improve your data security when sending data.

Specifically we will look at the following topics:

  1. Four Reasons Why Email is Not A Secure Way to Send Data
  2. Email Disclaimers Cannot Enforce Confidentiality
  3. Two Dangerous Consequences of Breached Email Security
  4. Security Breach of Emails Containing PII
  5. Four Ways to Securely Send Data Internally
  6. Three Ways to Securely Share Data Externally
  7. Security Differences between Zoho CRM and Email
  8. How does Zoho enforce GDPR?
  9. How to Minimise the Risk of an Email Data Breach

For example, if a colleague asks you for a report, you may open up Excel, gather the required data, create a new Workbook and email it to your colleague.  If this is common practice in your workplace you are actually posing a huge security risk and depending on the type of report, potentially in breach of GDPR.  So why is that?

Four Reasons Why Email is Not Secure from a Data Security point of view

First of all email is a very unsafe way to share information.  Let’s look at some of the ways your email could be compromised right now.

1. The “man in the middle” email Attack.  When sending an email it does not go straight from your computer to the other receivers computer.  It will always pass through multiple networks to get from A to B.  These are all public networks, which means accessible to anyone and your email is not encrypted.  If someone listens to the traffic on those networks and intercepts your email, they can open it up and read it in plain text without you every finding out about it.  This is what is known as a “man in the middle” attack.  This may seem very difficult to do, but it actually is very easy.  If you send an email in a Costa Coffee using their public Wi-Fi for example, anyone else with a laptop can install a simple program to read every email you send.

2. Compromised email client. This may seem farfetched, but let me show you something.

 

  • This snippet may seem like gibberish, but this is actually the first article that comes up when you Google “read outlook email using c#”.  These 4 lines of code can read the emails in your unsent mailbox without needing a password.  This could easily be modified to send those emails to a private email of the person trying to read your emails.  This piece of code can be compiled in 5 minutes, would only be 1 or 2 kb in size and if deployed right will not be picked up by your virus scanner.  Even worse, this code can be run from any Excel spreadsheet or Word document using “Macros”.

3. Your phone is not safe for email.  Most people will have their emails on their phone nowadays.  Did you know that apps like TikTok have been found to copy your clipboard data and send it to their servers in China without your permission?  This happens even when you are using a different app (like your email client) and not having TikTok opened on your phone.  This has been demonstrated in the latest version of IOS.  You may think, well then I just won’t use TikTok and I’m safe, but that is far from the truth.  This goes for Facebook, Instagram, Ali Express etc. and those are just the big apps we know about.  Any app you install could potentially be sharing your data – check the terms & conditions as there is nothing free in this world!

4. User Email Send error.  You quickly want to send an email to Joe Blogs, so as you always do you type Joe and Outlook auto-fills the email address for you and send the email.  Only to notice afterwards that you accidentally sent the email to a different Joe at a client you were recently in contact with.  This happens more often than you think and is a very good reason to not carelessly send email containing files or personally identifiable information (PII) to anyone through email.

Email Disclaimers do not Enforce Data Security or Confidentiality

A very common practice is to add a disclaimer to the bottom of your emails stating something like “The content of this email is confidential and intended for the recipient specified in message only.  It is strictly forbidden to share any part of this message with any third party, without a written consent of the sender.  If you received this message by mistake, please reply to this message and follow with its deletion, so that we can ensure such a mistake does not occur in the future.”  Which will protect you from people sharing the received information right?  Unfortunately it is not that simple for three reasons.

  1. The recipient can argue they did not know they were not the intended recipient.  Since you typed in their email address it can be reasonable to assume you intended the email to go to them.
  2. Confidentiality is generally based on an agreement like a non-disclosure agreement (NDA).  An agreement requires two parties to agree and sign, in this example the recipient did not agree to your disclaimer so it will be hard to enforce.  It would be like me telling a person something only to say afterwards they can’t share it with anyone.  That is an agreement that has to be made beforehand for it to be binding.
  3. It will be very difficult to prove that the person who received the email was the one to also share the information.

That means that as long as the person receiving the information does not breach GDPR there is very little the disclaimer does to enforce the confidentiality.

Two Dangerous Consequences of Breached Email Security

In the case that a report or email ends up in the wrong hands there are two general types of issues that arise.  Firstly the information can be confidential like profit reports or forecasts that the company would not like to make public or share with their clients.  Secondly the information can contain PII, which would automatically make it a breach of GDPR.  In the case of the former I think everyone understands why that would be bad, can damage your business and relationship with clients and should be avoided, so I would like to focus on the GDPR aspect.

Security Breach of Emails Containing PII

When you accidentally send an email that contains any sort of PII you are required by law to report this to the Data Protection Commissioner.  The breach will be investigated and depending on how big the impact is, how many times this has happened in the past and how much of the blame can be placed on the company you will be fined.  The maximum fines for a data breach are up to €20 million, or 4% annual global turnover – whichever is higher.  That is obviously an exceptional case, but there are other reprimands that will affect your business as well.

They include:

  1. Imposing a temporary or permanent ban on data processing;
  2. Ordering the rectification, restriction or erasure of data, and;
  3. Suspending data transfers to other countries.

All very frustrating and preventable.

The focus on information security and privacy increases year over year and even if you are not worried about being reprimanded there is a certain professionalism and trust that comes with handling your clients information correctly.

Four Ways to Securely Send Data Internally

In order to protect your data we can make a distinction between wanting to share information internally and externally.  Have you ever considered that email is a tool to communicate to the outside world, yet you are using it to communicate with someone sitting two doors down the hall?  Every time you do, you are sending your valuable, confidential information on a trip around the world just to come back into your network.

So how do we share information internally?

  1. Use a CRM system.  The information in your CRM is controlled by a login and data sharing rules.  If the information in your CRM is up to date, there is no need to send emails back and forth to share data since anyone who needs it would be able to look it up themselves.  This also goes for reports and dashboards.
  2. Set up a Cloud storage.  Files that are in your Cloud storage like Dropbox or Zoho WorkDrive are controlled in the same manner as your CRM.  You give specific people access to specific folders and they can access any files they need themselves.  No need for emails.
  3. Use a messenger service.  To send each other messages, consider using a messaging services like Microsoft Teams or Zoho Cliq.
  4. Encrypt your hard drives.  For any files that are still on your local machine, or for local copies of your Cloud storage it is recommended to encrypt your hard drive.  If your laptop ends up in the wrong hands, they still won’t be able to access any of the confidential or personally identifiable information.

Three Ways to Securely Share Data Externally

Now that we’ve eliminated sharing information through email internally, how do we send information third parties without worrying about it ending up in the wrong hands?

  1. Portals.  Information stored in a CRM like Zoho CRM can be exposed using secure portals where you control who has access to what in a similar way to the internal users.  You can decide to expose things like estimates, invoices, payment status, product information, statement of accounts etc. without having to send a single email and no risk of a data breach.
  2. External sharing links.  Sometimes you need to get a file or a report to someone even with portals being in place.  Most Cloud storage tools like Zoho WorkDrive or reporting tools like Analytics have external sharing options.  This generates a (temporary) link with options like password protection, expiry dates, read only, limited downloads etc.  These will use the encrypted HTTPS to share files and keep access statistics so you will always know who views your data.
  3. Collaboration folders.  Tools like Zoho WorkDrive have the option to set up shared folders where third parties can send you information and view information you put in there.  This is especially useful when working with clients and other third parties on projects and you want to be able to collaborate using the tools everyone knows like Excel and Word.  Again, this will be transferred using HTTPS and there is no risk of a data breach.

Some readers may think to themselves “you just told us we should not be sending information over the internet, yet 5 out of these 6 points require us to upload files or information in one way or another.  Is that not the same thing?”.  That is a great observation!  So let me explain the difference…

Data Security Differences between Zoho CRM and Email

Contrary to what some people may think, your emails have no encryption whatsoever.  They are sent across the internet in plain text and as I explained before, anyone with the right tools can read them.

When you’re accessing any of the Zoho products through your browser the link will start with “https” and have a little lock in front of it.  When the internet started a lot of the language around it was very “hip” so instead of a link it’s officially called a “hyperlink” and the text on a website is called “Hypertext”.  In order to get information from the server to your browser the “Hypertext Transfer Protocol” is used or HTTP for short.

This protocol suffers from the same weaknesses email does, so they came up with an extension called “Hypertext Transfer Protocol Secure” or HTTPS.  Without going into the details too much, this means that the traffic going back and forth to the website is encrypted.  If you would attempt a “man in the middle” scenario you could retrieve the data, but it would be gibberish without any way to extract the information.  If your website is still HTTP rather than HTTPS be sure to get that fixed to avoid visitors getting warnings when they access your site.

How does Zoho enforce GDPR & data security?

The full Zoho suite of products is GDPR compliant, ensuring that your data and PII is safely stored and handled, even when transferred in between products.

Every product has their own set of GDPR compliance tools, but here are some of the overarching highlights:

  1. All your data will be held exclusively in European data centres, which is one of the most important aspects of GDPR.  This means that even when your data is being transferred to different servers across the cloud, it will never leave the EU.
  2. Zoho uses something called Encryption At Rest, which means that while your data is being transferred for example when you open a page it will be transported using AES-256 encryption and when data is not being accessed (at rest) it will be encrypted as well.  That means that in the catastrophic event your data would get intercepted or if Zoho would have a data breach the acquired data will still be secure.  AES 256 is currently considered unbreakable, because there is not enough computing power in the world to crack the encryption in any reasonable timeframe, it would take hundreds of years.
  3. All your personal identifiable information (PII) can be marked for added security.  By doing that these fields cannot be exported or used by connected applications.  That means that even accidentally these fields cannot be accessed.

To read the full Zoho GDPR policy you can visit https://www.zoho.com/gdpr.html

How to Minimise the Risk of an Email Data Breach

There are a few simple steps you can and should take to minimise your risk of a data breach and all the negative consequences that they bring.

  1. Stop using Excel for everything.  Start running your business in Cloud systems specifically designed to run a business, not in spreadsheets.
  2. Cloud storage, no local drives.  All of your files should be stored and shared through Cloud storage and kept away from local drives.

How are you managing your data security in 2020?  Need help securing your data?

We have experienced consultants who can help you analyse your current business processes, identify any weaknesses and help you move your business into a secure, efficient and GDPR compliant system.  Please contact us on info@cloudtech.ie or +353 (86) 604 4820.