Read the book Start-Up Secure - Chris Castaldo - Page 15
EMAIL SECURITY
Email has become a digital repository for nearly everything in our lives. From communicating with our children's teachers at school, to our doctors, to our accountant when filing our taxes, it is a literal treasure trove. On top of just the sensitive data in one year of sent and received emails, our email accounts are now the key to accessing nearly all of our other accounts in other systems. Think back to the last time you reset a password. You most likely received a password reset link to your “email address on file.”
Email is not secure. This is a bold statement, so let me explain. While you may log in to your email provider that uses HTTPS – S stands for secure – in their web address, when you click to send, that email will be transmitted unencrypted across the Internet. For example, if someone were able to intercept that email when it leaves your email provider's servers, they could read the entire contents. For many start-ups, it is not feasible to build and maintain their own email server, so they rely on services like Google Workspace (formerly G Suite)¹ or Microsoft O365.
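One way to see how a particular message actually travelled is to read its `Received` headers, where each receiving server records the protocol it accepted the message over. The script below is an added example, not code from the book; the message, hostnames and addresses are constructed, and the function names are hypothetical.

```python
import re
from email import message_from_string

# "with" keywords that record a TLS-protected hop (RFC 3848, RFC 6531)
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
PLAIN_PROTOCOLS = {"SMTP", "ESMTP", "ESMTPA", "LMTP", "LMTPA", "UTF8SMTP", "UTF8SMTPA"}

# Constructed sample message (newest Received header first, as servers prepend them)
SAMPLE = """\
Received: from mail.partner.example (mail.partner.example [203.0.113.7])
 by mx.startup.example with ESMTP id abc123
 for <ceo@startup.example>; Mon, 01 Jan 2024 10:00:03 +0000
Received: from relay.partner.example (relay.partner.example [198.51.100.9])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
 by mail.partner.example (Postfix) with ESMTPS id def456;
 Mon, 01 Jan 2024 10:00:02 +0000
Received: from laptop.partner.example ([192.0.2.44])
 by relay.partner.example with ESMTPSA id ghi789;
 Mon, 01 Jan 2024 10:00:01 +0000
From: accountant@partner.example
Subject: Tax documents

See attached.
"""

def strip_comments(text):
    """Remove (possibly nested) parenthesised comments so 'with cipher' is not misread."""
    prev = None
    while prev != text:
        prev, text = text, re.sub(r"\([^()]*\)", " ", text)
    return text

def audit_hops(raw_message):
    """Return one dict per Received header, oldest hop first."""
    hops = []
    for header in reversed(message_from_string(raw_message).get_all("Received", [])):
        full = " ".join(str(header).split()).rsplit(";", 1)[0]  # unfold, drop date
        bare = strip_comments(full)
        by = re.search(r"\bby\s+(\S+)", bare)
        proto = re.search(r"\bwith\s+(\S+)", bare)
        proto = proto.group(1).upper() if proto else None
        if proto in TLS_PROTOCOLS or "TLS" in full:  # heuristic: a comment mentions TLS
            transport = "tls"
        else:
            transport = "plaintext" if proto in PLAIN_PROTOCOLS else "unknown"
        hops.append({"by": by.group(1) if by else None, "protocol": proto, "transport": transport})
    return hops

def plaintext_hops(raw_message):
    return [h["by"] for h in audit_hops(raw_message) if h["transport"] == "plaintext"]
```

Each `Received` header is written by the server that accepted the message, so headers added before the message reached a server you trust can be forged and should be read as a claim rather than proof.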
It is important to establish an enterprise-level email account once you register your company domain name. Operating from your personal Gmail, Live, Hotmail, or iCloud email limits the security controls you can place around your account, and does not lend credibility to your start-up.
Both Google Workspace and O365² are referred to as software-as-a-service (SaaS), which means you don't own any software that you install on your desktop but pay a monthly or yearly service fee. However, there are services such as Virtru³ that are compatible with those services, both on your desktop and mobile devices, and that allow you to encrypt your emails, control whether they can be forwarded, and even set an expiration date. This does not prevent someone from copying and pasting the contents or taking a screenshot but would prevent a malicious person from eavesdropping.
For many entrepreneurs, email is not the only means of communication. Surprisingly, many companies operate by text message. Shorter messages that usually get a faster response than lengthy emails can keep start-ups agile but can also pose a risk. Short message system (SMS), also commonly known as text messaging, is insecure like email. You are completely reliant on your cell phone provider's network to provide security of your message. However, when it is transmitted it is unencrypted and you have no confirmation if it has been intercepted or even modified.
I recommend using programs like Signal⁴ or Wickr⁵ that provide end-to-end encryption, meaning the provider of the service cannot view or even decrypt your message. While too lengthy a topic for this book, this type of messaging is also referred to as zero knowledge encryption, where the service provider has no knowledge of encryption or decryption keys. Some of these providers also have the ability to set an expiration date on messages so they are automatically deleted from the recipient's phone after a specified amount of time. Sometimes, as a start-up, you can't follow every rule of the book to get things going; maybe it is more convenient to quickly share an administrator password to some system and then create a new user. Tools like Signal and Wickr can help you do that quickly and securely.
Chat programs like Slack⁶ and Microsoft Teams⁷ (included with Microsoft O365) have become hugely popular in large and small businesses alike. They provide an easy-to-use platform to collaborate across teams and physical distances. Like all services, there can be limitations to security based on cost. Some free versions may not allow the same amount of control over data within the platform that you would get if it was paid for.
It is critical to understand the difference between free and paid versions of the same product as well as to read through the terms of service. Most of these platforms encrypt data when it travels over the Internet but may not store it in an encrypted state. The ability to scroll back to the very first message is convenient but also comes at a risk cost of that data being stored somewhere, possibly encrypted. And if that service provider suffers a data breach, it could reveal your chat logs. If it is critical to have total confidentiality and integrity over the messages or data you need to share, then don't use chat platforms.