“My office email should be super safe! We have tons of security measures in place.” Ever found yourself thinking along these lines? You’re not the only one, and scammers know it.
A couple of weeks ago, you might have run across our blog, Keeping Personal Information Safe At The Office, and we promised a part two. Here it is! Today, we’ll explore the do’s and don’ts of sharing personal information via email.
Tech guru and CEO of Stickley on Security Jim Stickley shares more.
Email has become the most common way for people to communicate and share information, especially when it comes to business. Employees have found that email can be especially helpful when dealing with customer support issues, internal company questions, and transferring documents and other types of useful information. In fact, in 2016 it’s estimated that over 201 billion emails will be sent each day worldwide. The problem is that included in many of those messages will be personally identifiable information (PII) that could be used by criminals to commit identity theft and/or other crimes.
Most states in the United States now have laws that require organizations to protect PII. In most cases, these laws prohibit the inclusion of confidential information or PII in email messages. Often there is some confusion as to why there is so much concern around confidential information sent via email. There is a perception that if the email is sent from one individual to another individual, then the information has been kept private since only those two people had access.
Some organizations provide internal security to ensure emails are secured and/or encrypted when sent to other internal employees. Check with your organization to confirm whether you are allowed to send emails containing sensitive information between internal employees.
The reality is that email should never be considered private, even when it is being transferred internally to fellow co-workers. In fact, there have been numerous cases throughout the United States where email was accessed by malicious third parties. For example, a person falls victim to a phishing attack and inadvertently provides her login and password for her email account to a phishing site. In other cases, criminals hack into the network of an organization and gain access to the mail server, which in turn gives them access to the email of every employee. There are also situations where criminals monitor the traffic passed over a network, and plain-text emails can be captured in that process.
The simple fact is that email is not secure and there is never a situation in which an email should be sent containing PII, either in the body of the email or as an attachment.
When sending an email, the sender should always take a moment to review the contents of the message to confirm no PII items are included in the email. In addition, if the email contains an attachment, the data in that attachment must also be carefully reviewed. Excel spreadsheets, Word documents, and PDF documents are the most common types of attachments that inadvertently contain information considered to be PII.
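The review step above can be partly automated. The following is an added example (not code from the article or from Stickley on Security) of a pre-send check that scans a message body and the text of an attachment for two common PII patterns: US Social Security numbers and payment card numbers. Card candidates are confirmed with the Luhn checksum so that ordinary long numbers (order ids, dates, phone numbers) are not flagged. The sample message, attachment rows, and the numbers in them are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample email body (hypothetical data for this example only).
SAMPLE_BODY = """Hi Dana,
Per our call, the customer's SSN is 123-45-6789 and the card on file is 4539 1488 0343 6467.
Let me know once the refund posts.
"""

# Constructed rows from a spreadsheet attachment (hypothetical data).
SAMPLE_ATTACHMENT_ROWS = [
    "name,account,note",
    "J. Doe,1234,order 2024-01-15 shipped",        # short ids and dates: not PII hits
    "R. Roe,5555 5555 5555 4444,refund pending",   # a Luhn-valid card number
]

# SSN in the common AAA-GG-SSSS form; excludes area 000/666/9xx and all-zero groups.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# 13 to 19 digits, optionally separated by single spaces or hyphens, ending in a digit.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> Dict[str, List[str]]:
    """Return SSN and card-number matches found in a block of text."""
    hits: Dict[str, List[str]] = {"ssn": [], "card": []}
    for m in SSN_RE.finditer(text):
        hits["ssn"].append(m.group())
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):     # only checksum-valid candidates are reported
            hits["card"].append(m.group())
    return hits


def scan_message(body: str, attachment_rows: List[str]) -> Dict[str, Dict[str, List[str]]]:
    """Scan the body and the attachment text separately so the report says where PII sits."""
    return {
        "body": find_pii(body),
        "attachment": find_pii("\n".join(attachment_rows)),
    }


def is_clear(report: Dict[str, Dict[str, List[str]]]) -> bool:
    """True only if no PII was found anywhere in the message."""
    return not any(hits for part in report.values() for hits in part.values())


if __name__ == "__main__":
    report = scan_message(SAMPLE_BODY, SAMPLE_ATTACHMENT_ROWS)
    for part, hits in report.items():
        for kind, values in hits.items():
            for v in values:
                print(f"{part}: {kind} found: {v}")
    print("safe to send" if is_clear(report) else "HOLD: PII present, notify your manager")
```

A check like this belongs in an outbound mail gateway or a send-time plugin rather than on the employee's shoulders alone; the patterns here are a starting point, and a real deployment would add the identifiers your organization actually handles (account numbers, dates of birth, driver's license formats).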
While the goal is to ensure that no employee ever sends an email that contains PII, in the event that a mistake is made and it is discovered that PII has been sent, a manager should be notified immediately. The sooner management is made aware of the mistake, the more opportunity there is to prevent that data from falling into the wrong hands.
In addition, if you receive an email from a customer or third-party vendor that contains PII, you must also notify management immediately.
If you have confidential information or PII that you need to send to a co-worker, vendor, or customer, check with your manager for available options. Many organizations use third-party solutions to securely share information.
Email is an extremely versatile way to communicate with the rest of the world, but it can also be a conduit to numerous types of risk. Before you click “send,” always double-check everything in the message to ensure no confidential information or PII has been included.
Other considerations:
Beyond email, there may be other cases where you need to send data via a website. First, it is important to always confirm that you are approved to transfer any PII to any third-party site. In the event that you are transferring this type of data via a website, make sure the site is using encryption for the file transfer. To confirm, look for "https://" in the URL of the website. If you only see "http://", it indicates that the page is not using encryption and you should not send the file.
Also, be sure to confirm that you are connected to the correct web address. Criminals often purchase domain names that are just one character off of legitimate ones in hopes that you may mistype the URL and end up at their websites instead.
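The two checks in the preceding paragraphs (encrypted transport and the right web address) can be expressed as a small pre-upload verdict. This added example is not code from the article; it assumes a constructed allowlist of approved transfer sites and uses an edit-distance comparison so that a hostname one character off an approved one is reported as a likely lookalike rather than merely "unknown".

```python
from urllib.parse import urlsplit
from typing import List

# Constructed allowlist of approved file-transfer hosts (hypothetical names for this example).
APPROVED_HOSTS = ["files.example-vendor.com", "transfer.example-bank.com"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def transfer_url_verdict(url: str, approved: List[str] = APPROVED_HOSTS) -> str:
    """Return one of: 'ok', 'not-https', 'lookalike-host', 'unknown-host', 'invalid-url'."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if not host:
        return "invalid-url"
    # Rule 1 from the article: the page must use https, otherwise do not send the file.
    if parts.scheme.lower() != "https":
        return "not-https"
    # Rule 2: the address must be exactly an approved host, not one character off.
    if host in approved:
        return "ok"
    for good in approved:
        if edit_distance(host, good) <= 1:
            return "lookalike-host"
    return "unknown-host"


if __name__ == "__main__":
    for candidate in [
        "https://files.example-vendor.com/upload",
        "http://files.example-vendor.com/upload",
        "https://files.examp1e-vendor.com/upload",
        "https://files.example-vendor.com.evil.example/upload",
    ]:
        print(f"{candidate} -> {transfer_url_verdict(candidate)}")
```

Note that this only reasons about the address the browser shows; it does not replace checking that you are approved to send the data in the first place, and the allowlist would be maintained by your organization, not typed in by hand.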
FTP is another common way in which people transfer files, but unfortunately FTP is not secure. If you are working with a co-worker or third-party vendor who requests that you send a file containing PII, confirm that the file transfer is via an SSH tunnel and not via FTP. When in doubt, contact your manager.
Remember, even if you are transferring files on your internal network, PII should never be transferred without encryption.
How DuGood Can Help
These days, corporate data breaches and leaks seem pretty common. How can you protect yourself? We might be able to help with that!
- Check out our Security Center. It’s filled with helpful tips and articles just like this one!
- Shop our Identity Theft Protection plans. For just a few bucks a month, we’ll cover all your financial accounts – not just those at DuGood.