
Your “Secure” Email System Probably Isn’t Secure


As I’ve written about before, one of the biggest risks to your clients’ private information is sending it via email. The good news is that most of the accountants and tax preparers I speak with already know this. The IRS, state taxing authorities, and professional associations have done a great job of driving home the fact that identity theft is a real problem, and that sensitive information should not be transmitted by email. The bad news is that some well-meaning people have been given bad advice and sold “secure” email systems that purport to make it safe to email sensitive information to clients.

Anatomy of a (not so) secure email system

Often, the way these services work is that you compose your email on a secure website, and then when your client replies to your email, the system detects that it should be treated securely (either because of a special subject line, or some other identifier in the email). These emails that should be treated securely are then diverted away from your usual email service and sent instead back to the secure website where they can be safely encrypted.

The problem with these “secure” email systems is that they only address half the problem. Yes, the email that’s stored on your secure server is encrypted and unable to be accessed even by malicious actors. But what about your client’s systems? They aren’t protected by the secure website that these “secure” email systems provide. The email that your clients receive and send is still sitting unencrypted on their computers and email servers. If your clients’ email systems are compromised, then your clients’ information could be exposed.

Attributes of a truly secure system

So how can you know whether a secure communication system is really secure? Here are a few things you can look for.

Encrypted at rest

Look for statements made by the vendor that the system uses strong encryption. In particular, you might look for the phrase “encrypted at rest”, which means that they encrypt the information stored on their servers. You might also look for names like “AES”, “ChaCha”, or “Salsa”, or variants of these, which are all well-respected encryption algorithms.

Encrypted in transit

It’s not enough that stored information be encrypted. To be secure, you also need information to be encrypted as it is transmitted over the Internet, which email doesn’t necessarily do. The main phrase to look for here is “encrypted in transit.” You might also look for phrases like “SSL” or “TLS”, which are different ways of encrypting internet connections.

Access control

In order for the transmission of messages to be secure, both the sending side and the receiving side of the transmission must be secured. In practice, this means that both you and your client should have to log into a secure system in order to send or receive a message. This is where many of the so-called “secure” email solutions fall down, and where solutions like client portals shine.

More information

In case you’d like more information about the problem of securing email, I wanted to share a great article that got me thinking about this problem. It’s titled “Here’s why your email is insecure and likely to stay that way.” In the article, the author talks about the problem of securing all sides of an email conversation, and the role that encryption plays in securing communication. It’s not super technical, and it does a nice job of explaining the relevant issues.

Article Link: Here’s why your email is insecure and likely to stay that way

RelaNet client portals

If you would like information about how RelaNet can help you solve this problem, please get in touch. I would be happy to talk to you more about the issues involved and the role that RelaNet Cloud, our client portal solution, can play in helping you secure your own client communications.