3 Rules for Email

Max Clark

Nov 7, 2016 • 4 min read

#1 Secure your email account

Your email account is the central point of your digital life. If you lose access to it, or more importantly if someone else gains access to it the damage can be catastrophic. Every service you use online links back to your email address.

Think about it, what do you do if you forget your password? You click the convenient link provided in the signup form for a password reset to be sent to your email. If someone has access to your email every single one of these password reset tools are instantly vulnerable.

Your banks, credit cards, mortgages, car loans, insurance, medical records, cell phone, social media, photo albums, instant messaging, text messages, etc… all are linked to your email account. This is not theoretical or fear mongering. Celebrities have had their private photos “hacked” from iCloud, Companies have lost millions of dollars, people have lost thousands of dollars. The list goes on and on and happens over and over again.

Use a unique (more on this below) and strong password for your email account. If you don’t know what that actually means Bruce Schneier is one of the world’s best know cryptographers (and as an aside almost made my brain explode when listening to his lecture on elliptical curve cryptography) and wrote a great guide on how to choose a secure password. If you glean nothing else from this post this is the part you’ll want to remember.

Enable two factor authentication (2FA) on your account. At the very least you can do this by enabling text message verification when you sign in. For something much stronger use a time-based one-time password system (TOTP). If you aren’t familiar it’s a system that generates a unique string of numbers every 60 seconds. Don’t worry it’s not complicated to use and there are plenty of free utilities out there like the Google Authenticator.

I use 1Password to generate my long, complicated, unique passwords, manage my 2FA strings and securely replicate across my devices. There’s competitors to 1Password you can pay for, or even open source (free) tools like KeePass if you are more technically inclined.

#2 Assume everything you write is public and will be read at the absolutely worst time

What do Sarah Palin, The Climatic Research Unit, George H W Bush, Sony Pictures, and Hillary Clinton have in common? They’ve all had very public compromises of their email systems and the contents released publicly. This is by no means a definitive list either, every few months another massive trove of email makes its way public onto the Internet.

Not convinced? This is a story of what happened to a customer a few years ago…

An executive at this company setup a rule to forward their corporate email to their personal account for convenience. At some point they registered for accounts on various web sites (some of which were not fans of the company) using that same personal email address. This was easily tracked back to the personal email account, and either due to a non-unique or weak password the personal email account was compromised. The hacker ultimately leaked a rather large archive of email which included source code, financials, sensitive HR files, corporate strategy and negative conversations about customers.

Everything you write is out of your control the moment you press the send button. You can use the absolute best security measures on your email account, but what about the person on the other side? Did they print out your email? Forward it to another person? Is their email account secure? Most people don’t delete their old emails, can you trust that they will keep their email secure for the rest of time? Oh and by the way, most email servers don’t use any form of encryption when your message is transmitted, so that data exchange is public as well.

#3 Delete your email

Seriously, just delete your email. If you really need it for some reason save it to a proper knowledge storage system like your CRM, Evernote/Onenote, a PDF on your hard drive, etc… If the email thread is really that important going forward how does having to open your email and remember the critical details for searching for it help you.

Storing your email for an unlimited amount of time increases stress on you, resource drain on the email system, increases the potential damage caused by unauthorized access, and leaves it available for legal electronic discovery.

If you’re not familiar discovery is one of the first steps in any legal proceeding. The opposing lawyer will request all pertinent files related to the case including your emails. All of your emails.

*I am not a lawyer, not qualified to give legal advice, and you always consult your attorney first, but they would probably tell you that if you are party to, or believe you are about to be a party to a legal proceeding do not destroy anything. This includes email!

What you should do, and what I advise my clients to do is create a document retention policy and adhere to it. Email is the easiest place to start since the policy can be placed globally for all accounts at the same time and automatically applied based on preset rules. The workload on your staff to respond to a discovery requests when you only save one year of email is drastically different than if you have to sort through, organize and clear years upon years of messages.

Besides, while you now have a sane email retention policy chances are the other side does not. So instead of you spending the time and money to pull everything for discovery the other side will have to waste theirs and give you a copy.

3 Rules for Email

Max Clark

#1 Secure your email account

#2 Assume everything you write is public and will be read at the absolutely worst time

#3 Delete your email

Sign up for more like this.

How Can Zero Trust Security Modernize Your Organization’s Cyber Defense?

4 Ways AI Innovations in Data Centers Drive Efficiency and Reliability in IT

Top Cloud Storage Trends and Management Strategies for Businesses