How Secure is Your E-mail?

By Brian Livingston

(Back to article)

Headlines are flying with stories of incriminating e-mail messages — and the many court cases that have been launched by "discovered" e-mails. That makes this a very good time for you to be securing your corporate communications with new tools.

Perhaps your idea of protecting your e-mail is to exhort your employees not to say anything in a message that would reveal your company's deepest secrets. Or perhaps you're already using more sophisticated practices than this. In either case, there is innovative technology to encrypt and manage your employees' e-mail in ways your employees otherwise couldn't or wouldn't.

Securing and Encrypting Are Two Different Things

It's not necessary to encrypt every message in order to secure your e-mail communications. But it is necessary to encrypt certain messages to certain people in order for you to be sure those messages are secure:

It's Not a 'Get Out of Jail Free' Card. Encrypting your company's messages won't protect you from legal entanglements, such as the e-mails that were introduced as evidence at Microsoft's antitrust trial or in investment banker Frank P. Quattrone's recent "time to clean up those files" trial. Someone will always have saved some readable copy of any e-mail you send. And, in any event, your company may be required by law or custom to preserve readable copies of all e-mails that were sent or received in the course of your business.

It's a Good Measure of Protection Nonetheless. Encrypting can be very important, whether or not you have anything to hide. The purpose of encrypting your messages is not to cover up illegal activity or foil a governmental investigation, but to secure your communications from anyone who might be eavesdropping (including unauthorized in-house staff). E-mails are ordinarily formatted and sent across the wire as plain text, and you might be surprised at how often your co-workers reveal sensitive corporate plans and even network passwords.

While encryption isn't a perfect barrier against e-mails ever being read by the "wrong" people, it's definitely called for in situations where your communications are intended for a small, trusted circle.

The Competition Heats Up

Fortunately, there are innovative developments that are making it a lot easier to secure your e-mail. Starting with the oldest:

PGP Corporate Desktop, from PGP Corp., is the long-time standard in e-mail encryption. After this software has been installed, end users decide which of their outgoing e-mails should be encrypted. The sender's software encrypts each message using the recipient's "public key," a code for which only the recipient has a corresponding decryption key.

FileAssurity OpenPGP 2.0 is a PGP competitor that's due for release within the next two weeks from the upstart company ArticSoft (whose name is a play on "articulated software"). The original 1.0 version was launched only last August. In addition to encrypting e-mails, the new release will have the ability to create compressed ZIP files as well as a secure .pgp file format that can be opened by anyone with a free reader (and the right code), company executives say.

PGP Universal, also from PGP Corp., has broader capabilities than either of the other two alternatives. It automatically encrypts and decrypts e-mails — at the server level, not the user level — between any set of senders and receivers. The list of who shall send and who shall receive secure e-mails is determined by an IT administrator. End users never have to remember to click a button to secure these e-mails before transmitting them. It's done for them in the background. PGP Universal has been commercially available only since mid-September.

Each Product Has Its Boosters and Its Detractors

Steve Mathews, CEO of ArticSoft, said in an interview that FileAssurity is easier for end users to understand and use than PGP Corporate Desktop. The principle of FileAssurity, he said, is "users being able to use security as easily as they might use a courier service [for physical documents]."

FileAssurity has been implemented by a variety of companies from the Union State Bank of New York to the Michigan Public Health Institute, he said.

Stephan Somogyi, the director of products for PGP Corp., said of his company's Corporate Desktop programs that, "They are about as easy to use as current technology permits." End users still need training, he said, adding, "we certainly believe that the ease-of-use can still be improved."

That's one reason Somogyi's enthusiastic about his company's new PGP Universal product. The new software, operating at the server level, allows end users to do their primary jobs, he said. The messages that should and should not be encrypted become "a choice of the IT administrator or whoever is the person making the policy for e-mail."

Somogyi also noted that many companies in the U.S. and abroad want to ensure (or are required by law to ensure) that IT staff can't access and read internal e-mails that are sent from, say, the legal department to the personnel department. PGP Universal is designed to protect e-mails even at this intra-company level, he said.

In response to the need for secure communications without any end user action, ArticSoft officials say they will soon release a new product called Central Administrator. This server-level program will enable admins to set encryption policy without installing any software on client machines, they said.


You may be a novice or a pro at securing information by encryption. In either case, I recommend that you continue learning about the subject by reading an excellent 17-page paper by Ewa Zurawska that's posted at the SANS Institute's GIAC.org site.

If your business communicates any confidential information across the public Internet or your intranet, e-mail encryption is a solution you should implement sooner rather than later.

Small companies may find that products such as Corporate Desktop and FileAssurity are all they need to protect the few, highly sensitive documents they may occasionally transmit. But large enterprises should seriously consider the automatic and corporate-policy–based security provided by the technology of PGP Universal.