I’m going to let you into one of the IT industry’s dirty little secrets (shhh; don’t let on though). Email is insecure. What, you knew that already? You’re not alone. But if you knew that, why haven’t you done something about it? Again, you’re not alone: very few organisations in the legal sector have.
To understand why, we have to look back several years to find the root cause of this issue. When the UK first got PCs and always-on connectivity, there was little understanding of the risks. Our operating systems were wide open to attack from hacking and viruses, but the IT industry left the end users to sort it out. Few understood enough about the problem to even go looking for a solution. Yes, you could obtain anti-virus software (normally at a cost) and yes, you could obtain firewall software (if you knew what that was). The result was millions of unprotected PCs, with large numbers under the control of criminals and hackers. Data was compromised and bank accounts accessed.
The IT industry realised that leaving complex security risks to the end-user to sort out was a galactic mistake and today your PC will come with some form of anti-virus installed, a built-in firewall in your operating system and one in your router (modem, ADSL gadget). You probably don’t even know these things are there any more. In parallel to this, the use of the internet for transactions grew and grew at an incredible rate and again, the IT industry realised the security implications and now nearly all transactions on the internet are done under https: (SSL, the little padlock on the browser indicating the site is secure). This protects users’ information travelling across the internet by encrypting it.
The IT industry has done a good job, right? On the whole, yes. But this sense of safety comes at a price – complacency. If all this has been done to protect you, how come email is still so insecure? How can I justify protecting information for transactions on the web using encryption (https://) but then send confidential information in email in clear? You can’t. It's a glaring inconsistency and points less to a technical problem and more to a cultural problem.
Email is insecure. Fact. I’ve had long and pointless debates with people who simply do not believe this to be the case, but it’s true. The protocols that are used to transfer emails around the internet do so in clear, open text; they’re readable in transit by anyone in the chain. It’s essentially the same as sending a document through the postal system without an envelope. Anyone who handles it can read it. If you’re still not convinced, you only need to look at other sectors. The FSA (as was) was clear about not sending client data in unprotected emails. The banking industry simply does not send email because it cannot secure it. The government has its own secure intranet to communicate with themselves and of course the Criminal Justice Secure Mail system to enable some legal firms to communicate with the justice system securely. Simply put, they know email is insecure. This is now beyond debate.
But if the IT industry has solved the other security problems, why have they done nothing with email? Well, like the issues outlined above, there are tools available, but they’re difficult to use and not really adoptable by the average end-user. Many have been around for years. There are three basic types. PGP, PKI and document exchange technology. I doubt you will have heard of the first two, they’re complicated: before you can communicate with a recipient you would need to convince them to buy and install the right email encryption software, generate a key, exchange the keys with you and then you can securely email each other. But most won’t get beyond the first stage. The complexity is too high and the process too onerous for the mass market to adopt. Hence most organisations simply do nothing and emails in their billions are whizzing around carrying client confidential information in clear. The third solution historically was the document exchange companies. Many will promote the service as email but they all work fundamentally in the same way. The sender uploads a document (often using an add-on to their email) and the recipient is then emailed and told they have a document waiting. The recipient then requires a registration and user ID and password to retrieve their document, most often through a browser. This is better than doing nothing but also has limitations. The risk of phish attacks is increased and of course managing the recipient user ID and password can be an overhead. Some of these solutions even send the user ID and or password in clear via email (forgotten password process) - arguably rendering the whole security process pointless.
Without viable solutions to the problem, how could the legal sector deal with this?
What can be done?
There are three steps. The first is that you accept that email is insecure. To deny this is now almost impossible but there are some that still fight their corner. The second stage (if you accept email is insecure) is to decide upon how high a risk this is and the priority you set on a solution to mitigate it. The third step is the selection of a solution to the problem.
The prioritisation of this problem should now be clear. It should be a high priority. There are many reasons for this. The first is that security is as much about perception as reality. We do not question who it is that might intercept our credit card numbers when we buy a book from Amazon but most consumers are now educated enough to know that you simply do not transact with a web site that is not protected. Our customers expect us to look after their information. The second reason is that our customer base is ever more educated on such matters. With privacy and cyber crime now in the media on a regular basis many of your customers will be aware that email is insecure. The third reason to prioritise this issue is that with fault come claims. It will not be long before the incidents of confidentiality losses and data protection breaches start to turn into claims. It is important that you are able to show that you have taken reasonable steps to protect the client data. Doing nothing is no longer a reasonable step.
The fourth and final reason is that there are now solutions on the market that are viable for mass market use. Document exchange technologies allow you to upload documents to a secure web site (often from your email package) and the recipient is emailed that there is a document to collect. There are still issues with this approach, such as the increased risk of phish attacks and the fact that the recipient needs an account with the document exchange company. But there are options. A next generation solution such as mkryptor from Fresh Skies requires no software at either end, is completely device independent and most importantly, is very easy to use with no complicated processes, or keys, or other techno jargon.
With such options available now, what will be the defence put forward to a breach of confidentiality through email issues? Clearly it will be hard to justify doing nothing in the face of an understood risk and the availability of viable, cost-effective solutions. The legal sector regulators and industry bodies are starting to step in now and follow where other regulators have already led. The consumer base has higher expectations of privacy and care of their data. The consequences of failure are also being reviewed in data protection terms in the EU. In future, failures in this area could result in reputational damage through a requirement to inform all those whose confidentiality has been breached. Is it sensible to push things that far – or wiser to put in place the processes and mechanisms that will help prevent such issues occurring in the first place? Prevention will certainly be better than cure.
Hailsham Chambers and 2 Hare Court are leading the way with their use of next generation email encryption products and many more are following suit. Early adopters of new technology can reap the advantages of first mover and it often takes some of these leaders to help drive the rest of the industry to act. The culture will need to change and attitudes to customer data and security will need to improve in many sectors including legal. There are at last encouraging noises out there and the leaders are enjoying the customer benefits that ensue from a healthier approach to information management.
Simon Freeman is a Cloud computing pioneer and online business expert with cross-discipline knowledge and experience. With a background in artificial intelligence and philosophy, His career scopes from the very first versions of Netscape in London (for this new thing called “the internet”), through banking in New York and Milan,