* One organization’s resistance to e-mail encryption
I received an interesting message from a member of our survey panel in Australia, a message that really highlights the difficulty of deploying secure and encrypted messaging in some organizations.
Here it is:
“About a week ago, I noticed that our CEO had sent some highly sensitive information by e-mail, and I sent a broadcast to all staff reminding them that any e-mails sent unencrypted over the Internet are available to anyone who wants to intercept them. As a general rule, confidential information is accessed via our extranet, which requires a login and has SSL encryption.
“I was later questioned about the memo at a management meeting. The initial response was, ‘We don’t want PGP; we’ll just use Microsoft Word’s password feature.’ I then explained the reason for calling these passwords ‘45-minute passwords’ ([so called because of] the time it takes to break a longish one using software freely available on the Internet).
“I was then told that our staff would continue to send via e-mail because it was convenient. My response was simply that our new e-mail system makes it impossible to delete anything. My reminder to all staff would be stored permanently there, and that if anything was compromised by our people in the future, the legal team of other institutions would have access to our e-mail and could easily identify the culprit (dead silence).
“Finally I was told, ok, we obviously need to do it… perhaps we can see how the Australian legal firms are handling this problem, and follow their lead.
“I’ve spent the better part of today talking to the IT managers of various large legal firms in Australia, and despite the fact that I’ve found numerous Australian legal resources warning of the dangers, and that the Australian government seems to have put out recommendations of their own, I have yet to find anyone who is using any form of encryption on their outbound e-mail. The best I’ve got are people who are looking at using WinZip passwords, and people who are investigating the technology, but believe that it is still too immature.”
This points out a couple of things. First, it’s absolutely critical for some functions within an organization to have easy and ready access to secure e-mail for sending confidential documents, employee information and the like. Not only is this good practice, but also it is increasingly required by statutes like the Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley, and so forth. Second, some organizations don’t seem to want to address a problem before getting burned by it; most organizations have not suffered a serious breach of their e-mail system by hackers or snoops, and so seem loathe to implement secure messaging to prevent a problem that they do not perceive as sufficiently serious.
I’d like to get your thoughts on the difficulties surrounding deployment of secure messaging – please drop me a line at mailto:michael@ostermanresearch.com Many thanks to the individual who provided the basis for this article.




