10 Email Security Lessons To Be Learned From Climategate

With climate change critics using hacked emails to discredit scientists ahead of COP15, eWEEK looks at what IT managers and security administrators can do to protect their own inboxes

As the United Nations Climate Change Conference, or COP15, in Copenhagen, Denmark, gets under way this week, the summit has been muddied a bit by the details found in scientists’ stolen emails. The emails contain information that has given those who believe global warming concerns are overblown a new lease on life. They are now supporting their opinions with those details. And all the while, the heated debate over global warming is becoming even more divided.

But there are valuable lessons to be learned from the stolen emails. No, this won’t be a discussion on global warming or climate change – that’s a debate for another day in another place. It will be a discussion on what can be learned from this incident to ensure that employees or consumers with sensitive information in their email won’t fall victim to those planning to steal information.

That said, it’s important to note that no security plan will be absolutely effective. Sometimes, data is stolen. But the fact that scientists themselves didn’t have proper security conditions in place to safeguard their email points to a dangerous trend: We just don’t secure our email as well as we should. So let’s take a look at some of the lessons learned from the stolen data and how we can protect our own email going forward.

1. It’s about the password

Any email-security plan must start with the password. Too often, users choose a simple password that’s easy to remember, believing no one would care what’s in their inbox. That’s a mindset that gets many people and companies into trouble. Email accounts are not places where a simple password can be used. The stronger the password, the better the chances that users won’t have their emails stolen.

2. Think about encryption

Encryption is a great way to ensure that emails that might otherwise have slipped out into the wild don’t. Encryption is admittedly a pain. It requires more credentialing, it increases the amount of time it takes to access data, and most users consider it an extra step with limited benefits. But the reality is, encryption provides an added layer of security that users need. If email security is important, encryption should be used.

3. Don’t share credentials

One of the main issues facing email security is a user’s willingness to share credentials. It doesn’t make any sense. Why should a user who is trying to keep data secure and private share his or her username and password with others? Sharing credentials is a surefire way to lose sensitive data. 

4. Don’t believe phishing scams

As malicious hackers realise there is big money in scamming people through email, they will increase the number of phishing attacks they send out. And unfortunately, those attacks have a high likelihood of working. Emails from banks, credit card companies or other firms that request sensitive, personal information probably aren’t legit. Users need to always consider phishing scams and remember that, in the end, no one is entitled to that information unless it’s deemed absolutely necessary.

5. Credentialing has an expiration date

Companies should remind employees that credentialing has an expiration date. In other words, keeping the same password for an email account for six months to a year is just too long. The more often users change passwords, the greater the likelihood that they will stay a step ahead of those people who want to steal sensitive data.