Big Brother: Being Watched at Work and the Truth about Email Security at the Office

by Carrie Foor, CareerBuilder.com

Do you feel secure? If so, you must be a good corporate citizen. You are on time every day, contribute effectively and courteously in meetings, and your appearance is impeccable. You could be a contender as Trump's next Apprentice. Of course, no one knows that you're more like Andrew Dice Clay when you email your co-workers and friends. Or do they???

"You should assume that anything that you have ever sent via email is accessible by your company and others outside your company, even if you've deleted it," explains Erik Kangas, President of Lux Scientiae (LuxSci), provider of premium secure email services to a plethora of clients including large corporations, law firms, medical firms, retailers and individuals. Kangas explains that, when you use your company's computer system, your employer has a right to review your communications -- this means your email and Internet activities. If your email communications demonstrate a poor work ethic, lack of tolerance in the workplace, or even worse -- use of company systems for non-work activities -- you could be in hot water with the boss before you know it. "After you.ve deleted an email, it still can reside on any number of servers for years," he explains. Emails can be retrieved and read by your employer as long as there are backup copies.

Even if you are a stellar employee, misuse of information technology by others in your company can cause you problems. Kangas explains that there is potential for misuse by Information Technology personnel and others who have systems knowledge. So be nice to IT. "If you are not using some form of encryption, anyone in the company with computer knowledge can spy on your email while in transit or use your password to send emails as though they came from you," warns Kangas.

Here are a few security issues Kangas outlines on Lux Scientiae's website, luxsci.com:

Eavesdropping: Just like someone in the next room listening in on your phone conversation, people using computers "near by" the path your email takes through the Internet can potentially read and save your messages and other personal information!

Identity Theft: If someone can obtain the username and password that you use to access your email servers, they can read your email and send false email messages as you.

Invasion of Privacy: Recipients of your email can tell what IP address your computer has, which may be used to tell in which city you are located or even to find out what your address is in some cases!

False Messages and Message Modification: Anyone who has system administrator permission (even if they are not supposed to) on any of the servers that your message visits, can not only read your message, but can delete or change the message before it continues on to its destination. Your recipient has no way to tell if the email message that you sent has been tampered with or not! And, if the message was merely deleted, they wouldn't even know. Messages can also be sent to appear to be from someone other than who they are actually from. -- modern computer viruses and spammers often send email forged so as to appear to come from people other than the actual senders.

Unprotected backups: As messages are stored in plain text on all email servers, any backups of these servers' disks may also contain plain text copies of your messages. As backups can be kept for years and can be read by anyone with access to them, you messages could still be laying around in insecure places even after you think that all copies have been "deleted".

Repudiation: Because email messages can be forged, there is almost no way for you to prove that someone sent you a particular message. This means that even if someone DID send you a message, they can successfully deny it, claiming forgery or identity theft. This has implications with regards to using email for contracts, business communications, electronic commerce, etc.

So what can you do about it? Kangas makes the following suggestions:

• Know your company's privacy policy: "Many companies have a privacy policy that clearly delineates the company's expectations regarding electronic communications and related punishments for misuse," says Kangas.
  
  
• Use encryption: "You can use various types of encryption to safeguard the messages themselves against such things as eavesdropping, repudiation, unprotected backups, and to ensure that messages cannot be altered," says Kangas. Many companies will offer such features to their employees to protect confidential content.
  
  
• Configure your email to deny read receipts: "If you're worried about someone tracking whether or not you've received their email, you can always choose the 'deny read receipts' option on your system so that the time an email was opened can't be tracked," says Kangas. Talk to your IT staff or email provider, or see your email program documentation for ways to block read receipts.
• Learn more about security and privacy issues and solutions by visiting Lux Scientiae's website or calling LuxSci (luck-sigh) at 800-441-6612.