Over the past few months, I’ve had several conversations about email and the security thereof. These usually end up with the other person gasping when they realise the lack of security that “normal” email offers (also the fact that email delivery is not immediate, but that’s another post!)
Yes, it is a pain that customers can’t just email you their personal and private information, but if you let them (and that includes providing a public email address on your website) then you could inadvertently end up processing this information without realising it.
So what to do about this then:
- Don’t publicise email addresses (this reduces your spam as well)
- Get an SSL Certificate on your website (https://)
- Use a contact form to allow information to be encrypted in transit – Contact Form 7 is easy, simple and free for WordPress
- DO NOT have this information emailed to you by the website – this isn’t encrypted in transit
- Use something like Contact Form DB to securely capture the data and then email you a secure link to access it
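The last three steps describe one pattern: keep the submitted data on the website and send the owner only a link to it, so the notification email carries nothing sensitive. The sketch below is an added example of that pattern, not code from Contact Form 7 or Contact Form DB; the class and function names, the `/enquiries/<token>` URL shape, the 24-hour link lifetime and the sample submission are all my own assumptions.

```python
# Added example (not the plugins' code): store the form submission server-side,
# hand out an unguessable, expiring token, and email only a link.
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600  # assumed lifetime of an access link


class SubmissionStore:
    """Keeps form submissions on the server and maps expiring tokens to them."""

    def __init__(self, secret_key: bytes):
        self._key = secret_key
        self._records = {}  # HMAC(token) -> record; the raw token is never stored

    def save(self, fields: dict, now: float = None) -> str:
        """Store one submission and return the raw token for the access link."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe
        self._records[self._hash(token)] = {
            "fields": dict(fields),
            "expires": now + TOKEN_TTL_SECONDS,
        }
        return token

    def fetch(self, token: str, now: float = None):
        """Return the stored fields for a valid token, or None if unknown/expired."""
        now = time.time() if now is None else now
        rec = self._records.get(self._hash(token))
        if rec is None or now > rec["expires"]:
            return None
        return rec["fields"]

    def _hash(self, token: str) -> str:
        # Keyed hash so a leaked copy of the store does not reveal usable tokens.
        return hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()


def notification_email(base_url: str, token: str) -> str:
    """Body of the email to the site owner: a link only, never the form contents."""
    return f"A new enquiry has been received. View it here: {base_url}/enquiries/{token}\n"


def contains_submitted_data(email_body: str, fields: dict) -> bool:
    """Check used to confirm the notification leaks none of the submitted values."""
    return any(str(value) in email_body for value in fields.values())


if __name__ == "__main__":
    # Constructed sample submission; the secret key would come from config in practice.
    store = SubmissionStore(b"constructed-secret-key")
    submitted = {"name": "Jane Example", "message": "Please call me about my policy."}
    tok = store.save(submitted)
    body = notification_email("https://example.test", tok)
    print(body)
    print("Leaks form data:", contains_submitted_data(body, submitted))
    print("Fetched:", store.fetch(tok))
```

The link itself must of course be served over https:// (step 2 of the list), and the page behind it should require the owner to log in; the token only stops a casual guess, it is not a substitute for authentication on the site.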
That’s all well and good, but how do you reply back?
That’s the tricky bit! Realistically you need to look at a Secure Post Office solution like RMail or (if you use it) Office 365 Message Encryption. NB: Emails within the same email system (so GMail to GMail, Office 365 to Outlook.com) don’t need to be encrypted, as they never leave the provider’s systems – however, establishing what system the other person is using is not straightforward!
So what am I saying here…
It’s really about educating everyone involved. Even if the other party insists that you email something and that it’s OK because you’ve “password protected” it (note that’s not encryption), you simply can’t risk it. If this is the sort of thing you regularly need to do, then you need to put something in place to deal with it.