Lock IT Down: Does e-mail security pose a risk to e-commerce?

The impact of e-mail security concerns on e-commerce

Each day, millions of e-mail messages rush across the Internet carrying personal notes, press releases, sensitive information, and business correspondence. A 1998 survey by eMarketer , for example, said e-mail messages sent in the U.S. number 9.4 billion each day or 3.4 trillion for the entire year.

While e-mail’s speed and capabilities make its importance obvious, one question lingers: Is e-mail secure?

Why security is an issue
One of the main problems with e-mail security is that a single message usually travels through many “hands” to reach its destination. The average e-mail message moving across the Internet passes through 10 Internet servers before it reaches its final destination.

Messages are also broken into packets of information, traveling to their destination over different paths. The trip can even go across networks—such as an Internet backbone to a wireless network—using gateways that help the networks communicate the information.

There are several points along an e-mail’s path where security can be compromised:
  • An e-mail message can be tampered with before it ever leaves a company’s e-mail server. A company’s system administrator has access to user names and passwords that allow full access to read, alter, delete, or create e-mail using any user’s name.
  • A company’s e-mail server or an ISP can be targeted by a hacker and messages copied as they pass through another server. Hackers can place a “watchdog” program on an Internet server to look for specific e-mail addresses or e-mail from a particular domain. When the program recognizes an e-mail message, it copies it and sends the message on its way so that there is no obvious security breach. While access to e-mail using this method is haphazard, mail could still be altered if it is intercepted.
  • Companies that connect to the Internet through an ISP should know that the ISP’s employees may also have access to e-mail messages passing through an ISP server.
  • E-mail messages can be interfered with on the destination server. In the same way that the sender’s system administrator could potentially alter a message, the system administrator on the receiving end could read the mail and have unlimited access to change or delete messages.
  • Problems with the authentication of senders and recipients can make it difficult to confirm whose messages are coming in and who is receiving them. Since e-mail is anonymous media, without security there is no assurance that you are corresponding with the person listed on the e-mail. Encryption applications such as Pretty Good Privacy , however, provide digital signatures that can help you identify the person with whom you’re corresponding.

Archiving e-mail
Once an e-mail has arrived in the company inbox, CIOs should consider securing any business-related e-mail. Simply deleting sensitive e-mails doesn’t work for two reasons. First, because most servers automatically make backups of e-mail, and second, because, despite what employees may think, e-mail messages are the property of a company and can be confiscated by law enforcement agencies through your hard drive or your company’s e-mail server.

Last year, for example, the government used e-mail from Microsoft chairman Bill Gates in their antitrust case against his company. The e-mail the government used was from messages that Gates had sent three years before.

A much better strategy for dealing with e-mail is to archive important e-mail and make sure the archive is secure.

Methods for archiving e-mail messages differ depending on your system and the number of messages handled. One tool that is used to archive e-mail is the Universal Mail Archiver, which allows users to archive e-mail from their desktops. Microsoft Outlook also has an archiving function.

Reality check
As vulnerable as e-mail seems, there are several factors that help keep it secure.

To ensure the security of truly sensitive company e-mail, businesses should consider using a 256-kilobit encryption code. Encryption software uses complex mathematical algorithms to encrypt messages. You can also use an encryption program to create digital signatures for authentication, which identifies the origin of a message and its user, and ensures that the message has not been altered.

Encrypting sensitive e-mail messages is a relatively easy process and can be done with individual messages or on the e-mail server. Several sources for encryption software include Pretty Good Privacy, McAfee, VeriSign, and RSA Data Security.

Security for massive amounts of e-mail, which may include sensitive information such as credit card numbers, should be set up through a Web-based form page, not a regular e-mail account.

Effects on e-commerce
A breakdown in e-mail security can hurt an e-commerce company in several ways; however, the most significant detriment is the loss of consumer confidence. An e-commerce company that can’t keep its servers secure can’t expect customers to trust it with their transactions.

CIOs should encourage their systems administrators to take adequate security measures including:
  • Limiting the number of people in-house who have full access to the e-mail server.
  • Investigating and implementing a system-wide e-mail encryption program.

CIOs also need to let their customers know about the level of security provided for e-mail. Assuring customers that their e-mails are secure can alleviate fears about privacy, transactions, and other correspondence sent by e-mail.

Additional resources
Yahoo’s security and encryption page

Everything E-mail
What measures does your company have in place to protect its e-mail? Where are companies most vulnerable? Post a comment below or send us an e-mail.

Editor's Picks

Free Newsletters, In your Inbox