Webservices and the Curse of Email

Written by Chris on April 2, 2008 – 8:47 am

It always amazes me how few secure and reliable communication methods are implemented by companies who really should know better, and email is one of the worst.

In my day-to-day job I deal with a lot of different companies of varying sizes who work within the financial services industry, and it amazes me how many of these companies still use email as their primary communication method for accepting leads from introducers.

Standard email is not safe and it certainly isn't reliable for the transfer of sensitive information across the Internet, and as a result our company refuses to work with it in the majority of situations, but we seem to be the exception.

Email is insecure for a number of reasons, but the primary one is that it's one of the few regularly used online services that still communicates in plain text. This means that anybody can potentially intercept a message you send across the Internet and simply read it to find out what you were sending.

This is true for most other basic Internet services too, such as HTTP (used for browsing the web), FTP (used for uploading and downloading files across the Internet) and others, but the difference with these other communication methods is that secure versions of them exist (HTTPS, SFTP...) and are regularly used in the areas that require it.

Email is different. There is no standard, transparent secure version of it and the current methods that can be used for securing email are often tricky to implement.

The other problem with email is that it's not a direct communication method. Every email you send generally passes through at least 3 or 4 different servers before it reaches its recipient, and could be lost at any point in that 3 or 4 server chain. For example, if I look at the email headers of a message I send from my work account to my home account we can see that the email passes through x locations before it gets to my server:

This means that communications over email can very easily break down, and when your business relies on the distribution of various communications to various people, this can end up costing a lot of money.
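As an added example (not code or data from the original post), the Python below walks the `Received` headers of a constructed message, lists the relay hops in delivery order, and flags the hops whose `with` clause does not record TLS (the `ESMTPS`/`ESMTPSA` keywords registered in RFC 3848). All hostnames, addresses and timestamps are made up.

```python
import re
from email import message_from_string

# Constructed sample message: hostnames, addresses and dates are made up.
RAW = """\
Received: from mx.home.example (mx.home.example [203.0.113.7])
\tby mailstore.home.example with LMTP id 4; Wed, 2 Apr 2008 08:41:09 +0100
Received: from relay.isp.example (relay.isp.example [198.51.100.20])
\tby mx.home.example with ESMTP id 3; Wed, 2 Apr 2008 08:41:07 +0100
Received: from smtp.work.example (smtp.work.example [192.0.2.10])
\tby relay.isp.example with ESMTPS id 2; Wed, 2 Apr 2008 08:41:03 +0100
Received: from desktop (desktop.work.example [10.0.0.5])
\tby smtp.work.example with ESMTP id 1; Wed, 2 Apr 2008 08:41:01 +0100
From: chris@work.example
To: chris@home.example
Subject: test

body
"""

HOP = re.compile(r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+)"
                 r"(?:.*?\bwith\s+(?P<proto>\S+))?", re.S | re.I)
# RFC 3848 "with" keywords that mean the hop was protected by TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

def trace_hops(raw):
    """Return hops in delivery order as (from, by, protocol, used_tls)."""
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its header, so the last Received is the first hop.
    for header in reversed(msg.get_all("Received", [])):
        m = HOP.search(header)
        if not m:
            continue  # unparseable header: skip rather than guess
        proto = (m.group("proto") or "unknown").upper()
        hops.append((m.group("src"), m.group("dst"), proto, proto in TLS_PROTOCOLS))
    return hops

def plaintext_hops(raw):
    """Hops whose Received header does not record TLS."""
    return [h for h in trace_hops(raw) if not h[3]]

if __name__ == "__main__":
    for src, dst, proto, tls in trace_hops(RAW):
        print(f"{src} -> {dst} via {proto}: {'TLS' if tls else 'no TLS recorded'}")
```

`Received` headers are written by each relay and can be forged by any server earlier in the chain, so treat the result as a record of what the relays claimed. A hop without an `ESMTPS` keyword means no TLS was recorded, which is not proof that none was used.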

This is why we choose to communicate with partners using webservices of varying complexity over HTTPS.

Webservices allow for direct communication between the sender and the receiver, and as a side effect of this the communication between the sender and receiver can easily be made as complex as necessary to ensure security of the communication being sent and the verification of the data transmitted.

Webservices running over HTTPS can further improve the communication process by shielding it from prying eyes by encrypting the information in a format that cannot be deciphered by a third party.

I don't know if it's cost or naivety that prevents these companies from implementing secure webservices as an alternative to email, but they really should, for the reasons I've stated. Not only that, but when looking at the data protection issues surrounding this, it's ridiculous to have a watertight data protection policy within an organisation to stop prying eyes within the company accessing users' private information when this information is freely sent across the Internet by email: there's a gaping great hole in your data security.

Most of the companies I work with are FSA regulated, which means they have to be very careful about their data management. I don't think they're obliged to use secure communication methods rather than email, but in my opinion they should.

So that's it, rant over, maybe one day we'll all be able to use the Internet safely....


