The Founder’s Guide To Email Security

With the horror of the Sony Pictures breach unfolding in slow motion before us, we are reminded that operational security – OpSec – is absolutely key at any company. Whether or not you traffic in high-value data, the expectation that your servers are secure enough and that your data is worthless is foolhardy. You will be compromised and it will hurt.

The primary vector for the vast majority of attacks is email. If your IT department and firewalls are working correctly, the chances that you will be hacked in your back end are low. It will happen, but the juiciest stuff is in your email archive. It is in email where your employees converse, where you trade credit card numbers and passwords, and where all the damaging one-off notes end up. In short, we’re all idiots for trusting email at all, but there are ways to reduce that idiocy.

Here are two major steps you can take to make your company more secure.

Delete Your Email

While there may be some pressing legal reason to keep gigabytes of email in your mailbox, most of us can safely dump messages after a preset amount of time. “But that’s important customer information,” you cry. No it isn’t. And if it were you’d want to keep it in a CRM. “But I have a great system of folders and action items!” you scream. No, you don’t. You have a shitload of email. If you must keep your email, dump it all into a searchable database like DevonThink and keep it off your mail server. Are all your color-coded action folders important to you? Buy a notebook and write stuff down. I delete 98 percent of my email. If it keeps, it’s an accident or I think I may need to act on it in the next hour or so. An email archive is a garbage pile that is chock full of exciting information for hackers. Get rid of it.
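A retention sweep along the lines of the advice above, as an added example that is not part of the original post: it walks an mbox archive, separates messages past a retention window from those whose Date header is missing or unparsable (which should be reviewed rather than silently deleted), and returns both lists so the caller can delete or escalate. The mailbox content and the review date are constructed for the demo.

```python
import mailbox
import tempfile
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample archive in mbox format; the third message has no Date header.
SAMPLE_MBOX = """From alice@example.com Mon Jan  6 09:00:00 2014
From: alice@example.com
Date: Mon, 06 Jan 2014 09:00:00 +0000
Message-ID: <old-1@example.com>

Card on file ends in 4242, full number below.

From carol@example.com Thu Dec 11 17:30:00 2014
From: carol@example.com
Date: Thu, 11 Dec 2014 17:30:00 -0800
Message-ID: <recent-1@example.com>

Noon works for me.

From dave@example.com Tue Jun 10 12:00:00 2014
From: dave@example.com
Message-ID: <undated-1@example.com>

"""
REVIEW_DATE = datetime(2014, 12, 12, tzinfo=timezone.utc)  # constructed "now" for the sample run

def write_sample_mbox():
    """Write the constructed archive to a temp file, since mailbox.mbox needs a path."""
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False) as fh:
        fh.write(SAMPLE_MBOX)
    return fh.name

def expired_message_ids(mbox_path, now, retention_days=90):
    """Return (expired, undated) Message-IDs: messages older than the retention
    window, and messages whose Date header is missing or unparsable."""
    cutoff = now - timedelta(days=retention_days)
    expired, undated = [], []
    for msg in mailbox.mbox(mbox_path):
        mid = msg.get("Message-ID", "<missing>")
        try:
            sent = parsedate_to_datetime(msg["Date"])
        except (TypeError, ValueError):  # absent or malformed Date: do not delete silently
            undated.append(mid)
            continue
        if sent.tzinfo is None:  # "-0000" offsets parse as naive; treat as UTC
            sent = sent.replace(tzinfo=timezone.utc)
        if sent < cutoff:
            expired.append(mid)
    return expired, undated
```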

Encrypt Your Email

I’m going to recommend GPGTools as an encryption solution for OS X. You can download Mailvelope for cross-platform Gmail encryption but GPGTools is a full-featured system that can encrypt documents on the fly, something Mailvelope can’t. If you’re running Windows then there are other options, including GPG4Win. Linux users are smart enough to install their own PGP solutions. For brevity’s sake, we will focus on OS X.

1. Install GPGTools. Download the tools from the GPGTools website and install them.

2. Generate a public/private key pair. You will install something called GPG Keychain. This will contain all of your public and private keys. Your public key is just that – public. This is the key you share with the world. Your private key should be guarded with your life. Do not give it up to anyone and be very careful when you export it.


When you generate a key, use a complex passphrase. “I love the song 99 Luftballoons!!” would work as would “d4D99AX!0^xpork is my password.” “I like mom” or “porkninja” are too simple. This is a password you will use often so make sure it is something that you can easily remember and quickly type. The enemy of good password protection is frustration. Select “Upload public key” before you generate the keys and they will be sent to a popular key server like PGP.MIT.EDU or Keybase.io. These repositories allow people to look up your key and use it to sign emails to you.

3. Fire up Apple Mail. Now you should be automatically signing emails as they go out. This means you are taking part in a public key cryptography system. Not only do emails “signed” with your public key confirm that you are who you say you are, they also let the people you’re conversing with encrypt their messages to you. You do not have to exchange private keys with people to use PGP.

At their core, PGP systems use public-key and symmetric cryptography. In short, if Bob and Alice are conversing, Bob’s private key combines with Alice’s public key, Alice’s private key combines with Bob’s public key, and these two combinations are used to create a unique key. This ensures only Bob and Alice can decrypt the messages. You can also encrypt messages to and from groups, and most platforms should support that. Your mileage may vary.


There you have it: those two blue icons mean the email will be signed and secure. My emails with Natasha will now be forever secure! Huzzah!

4. Use PGP for all internal mail. Please. Do it. The garbage pile that is your email cache will become useless to a hacker and private information will stay private. I know you can’t use PGP with everyone, but never send emails that you would consider confidential without it. Encourage those you do business with to join you in PGP and encourage other founders to read this and stay safe.

While I understand that the Sony breach probably consisted of a number of compromised email accounts without protection, it also points to the possibility of a mail server dump. Most of that mail was probably plain text. The goal is to have none of it plain text.
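An added audit check, not part of the original post, for step 4’s goal of no plaintext internal mail: it reads each message’s top-level PGP/MIME structure (RFC 3156) and separates encrypted mail from mail that is only signed, which proves who sent it but leaves the body readable to anyone holding the archive. The three messages are constructed samples, and the armour blocks are placeholders rather than real signatures or ciphertext.

```python
from email import message_from_string
from email.policy import default
# Constructed samples standing in for an exported archive; armour blocks are placeholders.
PLAINTEXT = """From: bob@example.com

The root password is hunter2.
"""
SIGNED_ONLY = """From: bob@example.com
Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="sig"

--sig
Content-Type: text/plain

Anyone holding the archive can still read this body.
--sig
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--sig--
"""
ENCRYPTED = """From: bob@example.com
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="enc"

--enc
Content-Type: application/pgp-encrypted

Version: 1
--enc
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
--enc--
"""

def classify(raw):
    """Classify one RFC 822 message by its PGP/MIME (RFC 3156) top-level structure."""
    msg = message_from_string(raw, policy=default)
    ctype, proto = msg.get_content_type(), msg.get_param("protocol")
    if ctype == "multipart/encrypted" and proto == "application/pgp-encrypted":
        return "encrypted"
    if ctype == "multipart/signed" and proto == "application/pgp-signature":
        return "signed-only"  # proves the sender, but the body stays readable
    return "plaintext"

def audit(messages):
    """Count per category; anything but 'encrypted' is readable in an archive dump."""
    labels = [classify(m) for m in messages]
    return {c: labels.count(c) for c in ("encrypted", "signed-only", "plaintext")}
```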

Ready to join our super-secret spy network? These are our public keys:

John Biggs
Natasha Lomas
Frederic Lardinois
Catherine Shu
Jon Russell
Matthew Panzarino