Keep it Classified: E-mail Encryption for Small Business

It isn’t just the big boys that are under the gun on the subject of e-mail privacy; today the bull’s-eye is on mid-sized companies. A vice president in Southern Commercial Bank, for example, accidentally included the private information of 40,000 customers in an unencrypted e-mail. The Federal Trade Commission investigated BJ’s Wholesale Club for not encrypting data sent over the Internet. Petco experienced a similar violation, and Superior Mortgage suffered a probe for not encrypting Internet e-mails.

The companies listed above represent a shift in the emphasis of investigatory bodies and legislative attacks on the subject of privacy. While the Fortune 500 list contained most of the early targets, it’s the mid-market that now appears to be receiving most attention. Like large corporations, these mid-market players are rolling out security solutions to safeguard them from attack. Thus it’s only a matter of time before small businesses will be feeling the heat in this matter. And the price for getting it wrong could be staggering.

“To date over 54 million identities have been stolen and an estimated 19,000 more identities are stolen each day,” said Fred Moore, president of Horison Information Strategies. “Companies on average are spending over 1,500 hours per incident at a cost of $40,000 to $90,000 per victim.”

With regulators getting tough on privacy slip-ups, it makes sense for small businesses to protect sensitive data. As well as personal data, this includes financial information and other sensitive material. Further, some large companies will only do business with SMBs that comply with business partner agreements for protecting sensitive information.

“The bulk of transactions processing, negotiation and communication from small business to a larger partner is performed via e-mail,” said Ingrum Putz, director of Voltage Security Inc. “Being ready with an e-mail encryption system will facilitate partnership setups.”

Encryption Basics
The word “encryption” comes from “kruptos”, the Greek word for “hidden.” The idea is to convert words into a code that cannot be understood until it is decrypted.

Encryption can be done at various points. Many laptops these days have a feature that allows the hard drive to be encrypted. Even if it is stolen, an outsider won’t be able to see what’s inside. Storage gear also sometimes has encryption features added, and even tape backup gear is now coming onto the market with this feature.

For small business, though, e-mail encryption probably makes the most sense. If the company already has an e-mail server, encryption software or a security appliance can provide an additional layer of security. Any information sent into, or out of, the company is encoded.

And according to the Gartner analyst group, that’s a very good thing. Gartner figures reveal that 84 percent of high-cost security incidents occur when insiders send confidential data outside the company without properly securing the data.

Obviously, there is no need to encrypt everything. The majority of e-mail communications such as inviting a customer to visit, scheduling a meeting, marketing invitations, sales requests, product news, non-sensitive business communications, HR updates, travel plans and internal communications that stay within the company need not be encrypted. But there are messages that merit protection.

“Standard e-mail has the security of a postcard,” says Putz. “Any e-mail should be encrypted if the contents are sensitive in nature. This can mean that the e-mail contains intellectual property, legal information or personally identifiable information such as health information, social security numbers or trade secrets.”

Encryption Methodologies
There are several different approaches to e-mail security. Big companies sometimes utilize digital certificate-based e-mail encryption. This requires understanding the intricacies of certificates or “electronic keys” which are used by the sender and recipient to keep contents free from prying eyes.

“These electronic keys are very similar to numbers on a number lock — a string of characters used to lock the e-mail,” said Sundar Raghavan, vice president of solutions marketing at Postini Inc., a communications security company. “Once locked, the data looks like a set of garbled characters until it is unlocked. The sender and receiver share a secret electronic key to lock and unlock the messages.”

Most e-mail server-based encryption uses this digital certificate technology. Popular standards such as Transport Layer Security (TLS), which protects the connection between mail servers, and Secure Multipurpose Internet Mail Extensions (S/MIME), which encrypts the message itself, use these methods to add encryption to the transmission of e-mail.

Digital certificates, though, can be complex, management intensive and can sometimes exert a drag on server performance. “Encryption and decryption are processor-intensive activities that can slow access to stored data,” warned Moore.

The good news is that some systems are coming on the market that could be classified as small business-friendly. They utilize a variety of tactics to reduce the complexity of key management. Postini provides such technology.

Another methodology is secure Web mail, i.e., a link is sent to a message that’s kept on a central secure messaging server. The problem for small businesses, however, is that secure Web mail systems require you to maintain multiple e-mail inboxes, limit the ability to select how long messages can be stored, and can also require extensive back-end storage and administration.

Yet another possibility is an e-mail encryption appliance. Such appliances eliminate the management complexity. You plug them in to a mail server where they encrypt and decrypt e-mail automatically. Some also add further safeguards against viruses or Web-content filtering.

Voltage Security is an advocate of a hybrid approach, which might be termed “push” encryption e-mail. With Voltage Secure-mail, the e-mail is delivered encrypted directly to the recipient’s inbox. The person’s own e-mail identity serves as the key used to protect messages sent from his or her regular Outlook inbox. Further, recipients don’t need anything extra to read and reply securely; you don’t need any special technical knowledge or have to make any changes to e-mail settings. The price is less than $8 per month, or $95 per person per year.

PGP Corporation also offers small businesses a hosted solution known as PGP Desktop E-mail 9.6 for Windows. “PGP Desktop E-mail is a comprehensive e-mail content security solution that protects confidential information contained in electronic mail from being breached while in motion and at rest on e-mail servers,” said Than Tran, product marketing manager at PGP.

“It provides companies with an automated, transparent set of encryption solutions to consistently secure confidential information in e-mail. With PGP Desktop E-mail, small organizations can protect the business and meet partner and regulatory mandates for information security and privacy,” said Tran. A perpetual license costs $149.

Postini, meanwhile, provides two on-demand encryption services for SMBs, with no need to purchase hardware, software, installation, integration or upgrades. Its Transport Encryption Service provides encryption between a company’s e-mail server and those used by others. It employs TLS to automatically encrypt e-mail connections. List pricing starts at $2,500.

“E-mail messages are sent from your business to Postini’s secure data centers over an encrypted connection, where messages can be scanned for content to comply with your messaging policies,” said Raghavan. “The messages are then delivered in real-time over an encrypted connection to the recipient’s mail server.”

Postini’s Message Encryption, on the other hand, provides encryption at the message level for e-mails to individuals. This is most applicable for companies that communicate sensitive financial and personal information to customers and need a simple mechanism to encrypt those e-mail messages. E-mails you mark as “Confidential” or “Sensitive” are routed to Postini’s data centers to be encrypted and sent to the recipient. Recipients retrieve messages using a simple, secure, Web-based mail interface or directly from their desktop e-mail program. Pricing starts at $77 per person.
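The content scan and “Confidential”/“Sensitive” routing described above, as an added illustration that is not the article’s or any vendor’s code: an outbound gate that decides whether a message must take the encrypted path. The Sensitivity header values, the PII patterns and the sample messages are assumptions constructed for the example.

```python
import email
import re
from email import policy

# Assumed policy: a Sensitivity header with one of these values (the
# "Confidential"/"Private" flags set in the mail client) forces encryption.
SENSITIVE_FLAGS = {"company-confidential", "private", "personal"}

# Assumed detectors: US social security numbers and 16-digit card numbers.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: cuts false positives on arbitrary 16-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pii(text: str) -> set:
    """Return the kinds of personal data found in one text part."""
    found = set()
    if SSN_RE.search(text):
        found.add("ssn")
    if any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in CARD_RE.finditer(text)):
        found.add("card")
    return found

def encryption_decision(raw: bytes) -> dict:
    """Decide whether an outbound message must take the encrypted path."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = set()
    flag = (msg.get("Sensitivity") or "").strip().lower()
    if flag in SENSITIVE_FLAGS:
        reasons.add("sensitivity:" + flag)
    for part in msg.walk():  # every text part, including text attachments
        if part.get_content_maintype() == "text":
            reasons |= find_pii(part.get_content())
    return {"encrypt": bool(reasons), "reasons": sorted(reasons)}

# Constructed samples: a routine note that may go in the clear, and a
# customer reply carrying both the Confidential flag and an SSN.
CLEAR_MSG = b"From: a@example.com\r\nTo: b@example.com\r\nSubject: Lunch\r\n\r\nNoon works.\r\n"
PII_MSG = (b"From: loans@example.com\r\nTo: c@example.com\r\nSubject: Re: application\r\n"
           b"Sensitivity: Company-Confidential\r\n\r\nYour SSN on file is 123-45-6789.\r\n")
```

A message that returns an empty reasons list may be sent in the clear; anything else is handed to the encryption service, so a user who forgets the flag is still covered by the content check.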

For smaller businesses, consultants and other sole proprietors out there, PKWare offers SecureZIP Standard Version 11 for free. SecureZIP combines ZIP data compression with pass-phrase or certificate-based encryption and digital signature capabilities. It’s designed to protect files on hard drives, laptops and portable storage devices, encrypt any e-mail attachments and – in Outlook only – encrypt the content in the body of the e-mail too. PKWare also sells an enterprise version for $49.95 per person.

Get Ready
Anyone who thinks that e-mail encryption has nothing to do with small business needs to look at the numbers. Postini processes two billion messages a day. Based on its traffic analyses, about 15 percent of all traffic is currently encrypted and that number is steadily growing.

“More and more SMB customers are choosing to deploy on-demand solutions for encryption,” said Raghavan. “SMBs cannot afford to take the risk of being in violation of encryption laws.”

Drew Robb is a Los Angeles-based freelancer specializing in technology and engineering. Originally from Scotland, he graduated with a degree in geology from Glasgow’s Strathclyde University. In recent years he has authored hundreds of articles as well as the book, Server Disk Management by CRC Press.
