The Canadian Securities Administrators recently advised financial services firms, issuers and financial professionals to review their online security measures in the face of increasing threats. The advice comes as a reminder that, while communicating online has become the norm, sensitive and private information sent by email can be vulnerable.
Ann Cavoukian, Ontario’s information and privacy commissioner, offers the following three steps you can take to ensure your email correspondence is secure:
1. Consult your IT department
If your firm has a technology department, ask what its standard is for protecting emails from possible hacking.
For example, Cavoukian says, internal emails sent within her office do not need to be encrypted because those emails stay on the organization’s secure intranet server.
Find out if your firm has a similar measure and what technology is available to protect emails sent externally to clients.
2. Encrypt, encrypt, encrypt
The effectiveness of encryption has come into question lately, especially following recent reports that the U.S. National Security Agency has been decoding and monitoring Americans’ encrypted online data.
However, Cavoukian says, encrypting data is still better than leaving it in plain text that is accessible to anybody.
Public-key encryption, which can be purchased through public-key certificate holders such as VeriSign and GlobalSign, is the gold standard, according to Cavoukian. A certificate holder provides a “public key” for the email’s sender and a “private key” used by the recipient to decrypt the message. To learn more, do an online search for “ssl certificates.”
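The public/private-key exchange described above, as an added example that is not part of the article or of Cavoukian’s advice: the recipient generates a key pair, the sender seals the message with the recipient’s public key, and only the recipient’s private key can open it. It is written in Go using only the standard library (crypto/rsa with RSA-OAEP and SHA-256); the function names, the 2048-bit key size and the sample message are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// GenerateRecipientKeys creates the recipient's key pair. The public half is
// the part a certificate issuer binds to the recipient's identity and that the
// sender may freely receive; the private half never leaves the recipient.
func GenerateRecipientKeys(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// EncryptForRecipient is the sender's side: seal the message with the
// recipient's public key using RSA-OAEP (SHA-256). Anyone may hold the public
// key, but only the matching private key can undo this operation.
func EncryptForRecipient(pub *rsa.PublicKey, message []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, message, nil)
}

// DecryptAsRecipient is the recipient's side: open the ciphertext with the
// private key. A wrong or unrelated private key returns an error.
func DecryptAsRecipient(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// RoundTrip runs the full exchange and additionally checks that a second,
// unrelated key pair (someone who is not the intended recipient) cannot
// decrypt the sealed message. It returns the recovered plaintext and whether
// the unrelated key was correctly rejected.
func RoundTrip(message []byte) (recovered []byte, wrongKeyRejected bool, err error) {
	recipient, err := GenerateRecipientKeys(2048)
	if err != nil {
		return nil, false, err
	}
	bystander, err := GenerateRecipientKeys(2048)
	if err != nil {
		return nil, false, err
	}

	// Sender: encrypt with the recipient's public key only.
	ciphertext, err := EncryptForRecipient(&recipient.PublicKey, message)
	if err != nil {
		return nil, false, err
	}

	// Recipient: decrypt with the matching private key.
	recovered, err = DecryptAsRecipient(recipient, ciphertext)
	if err != nil {
		return nil, false, err
	}

	// Bystander: holds a different private key, so decryption must fail.
	_, bystanderErr := DecryptAsRecipient(bystander, ciphertext)
	return recovered, bystanderErr != nil, nil
}

func main() {
	// Constructed sample message; not taken from any real correspondence.
	message := []byte("Constructed sample: client statement attached")
	recovered, wrongKeyRejected, err := RoundTrip(message)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("recovered: %q\n", recovered)
	fmt.Println("unrelated private key rejected:", wrongKeyRejected)
}
```

RSA-OAEP can only seal a short message (under about 190 bytes with a 2048-bit key and SHA-256), which is why real email encryption (S/MIME or PGP) uses the recipient’s public key to seal a random per-message symmetric key and encrypts the message body with that key; the trust model shown here is the same. The certificate from an issuer such as those named above is what lets the sender confirm that the public key really belongs to the intended recipient before using it.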
An alternative system that is accessible online is file transfer protocol (FTP). You can upload sensitive documents to a secure FTP site; your client accesses it through the use of a password.
3. Use strong passwords
Decrypting information requires a shared password between you and your email’s recipient. This password should be shared in person (and not by email or text message) so that it cannot be intercepted by undesirable sources.
The challenge in creating an effective password is to make it both unpredictable and easy to remember. One effective method, Cavoukian says, is to use one word in two languages side by side.
For example, take the word “door” and the French translation, “porte.” Your password would be “doorporte.”
If you want to make it even more difficult to crack, insert a number between the two words, and consider using a language other than French.
Ensure your clients’ emails are secure
When your client responds to an email or initiates an online conversation with you, his or her personal emails should be secure as well.
Some email providers, such as Google’s Gmail, have encryption enabled by default, says Cavoukian. You can tell by looking at the website address bar; the address will start with “https” as opposed to “http.” The “s” indicates the email is secure.
If your client’s emails are not secure, he or she may choose to use a different provider or encrypt his or her messages using a public-key certificate holder or FTP.