With the management of information also comes the responsibility to secure and verify. Having been around since the early 90s, use of the OpenPGP standard - Pretty Good Privacy (or PGP) in email is arguably one of the most neglected information security measures by companies and individuals.[acp footnote]Though the terms PGP and OpenPGP are now used interchangeably, strictly speaking PGP is a company name and trademark now owned by Symantec Corporation. OpenPGP is the name of the standard for encrypting and decrypting data.[/acp] Here are 3 reasons why you should begin to use it if you haven't already started to:
1. Encryption ensures that only the sender and intended recipient can read the contents of messages
One day you show up for work and find everyone in panic as it turns out that the company's email server has been hacked. All of your plaintext emails have been placed on a public forum, including your private communications with customers and colleagues.
Embarrassing? Yes. Highly damaging to your business reputation? Ditto. Now if only you had used OpenPGP to encrypt the contents of those messages. At the very least your internal communications between co-workers would have been secure and you wouldn't have to read about out what Jim the CEO really thinks of Bob in marketing.
2. Validated digital signatures prove that you are who you say you are
You log in to your email account late one day in a rush and find an email from Nick the IT guy. Since he needs to run some critical upgrades, he's asking if he can have the password for your company email account. You glance at the email address and see that the name and email address all checks out, so without further ado you hit the reply button, type in your password and send the email.
The next day you wake up to find chaos....not only can you not log in to your email account any more, but every service tied to that email account no longer works. Your website and e-commerce platform has also been hacked and apparently you've been sending emails to your customers, confessing about all sorts of embarrassing (though untrue) details about your products.
Your company loses money, time, and its reputation. If only you had used OpenPGP to verify that Nick the IT guy really was Nick the IT guy...
3. It proves that a message was not tampered with between sender and recipient
A big dispute has erupted between you and one of your buyers. This company had requested to make a bulk purchase of goods. Having sent your account payment details to a contact at the company, this was subsequently forward on to their finance department. The problem is that the company claims that they have made the payment even though nothing is showing up in your business account.
You call the company to re-confirm the payment details, only to discover that what is now in that email is not what you originally typed in. Somewhere along the line, someone either mistakenly or intentionally changed those details. You stress that the email was changed, but since anyone can spoof an email without a signature, no one can prove that it wasn't your mistake. If only you had used OpenPGP to sign your email...
These are just a few brief examples of why you and your company should be using OpenPGP. In a future post I will go over specific software and training approaches that companies and individuals can use to streamline the use of this standard in their communications.[acp footnote]The OpenPGP standard can also be used to encrypt and sign files.[/acp]
[acp footnote display title="Notes" /]
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.