Combating threats to e-mail

Following these 10 tips will help law firms
establish a highly secure e-mail capability
and provide some peace of mind


Last month we discussed the five major security threats related to electronic mail: interception, forgery, viruses, discovery and human error. This month we present 10 specific recommendations for combating those threats.

1. Use ViaCrypt PGP (Phoenix -- 602/944-0773, to encrypt documents attached to e-mail messages. The software is inexpensive, easy to use and effectively unbreakable, making it the best way to protect against interception and forgery.

2. If you do not have PGP and you need a stopgap measure, compress documents to the ZIP format (free software is available from many sources, including CompuServe forums) with password protection. The recipient will need ZIP decompression software, and you will need to tell the recipient which password you used. Passwords can be broken by sophisticated hackers but are good enough to defeat casual snooping.

3. To the extent possible, put security features right in your e-mail software rather than in a separate program. Users will take greatest advantage of security features that are quickly and easily found. For example, associating PGP encryption keys (character strings) with names in an e-mail address book would streamline use of encryption.

4. Protect both servers and workstations against viruses. Too many firms implement only partial virus protection. For complete protection, every computer on the network must run anti-virus software.

5. If you have a full-time Internet connection, implement and test an Internet firewall. A firewall is a combination of hardware and software that keeps unauthorized Internet users away from a firm's internal network. Every firewall should be tested to close holes a hacker might exploit.

6. Check network error logs. Most network services record online activities and problems. Careful, consistent examination of the logs may give you advance warning of security breaches before they get out of hand.

7. Document and distribute your firm's e-mail policies. Put personnel on notice regarding expectations in such areas as personal use, client use and firm monitoring of messages for security or other purposes.

8. Purge old e-mail messages. Because e-mail often is treated casually, users sometimes put in e-mail messages inappropriate statements that they never would put in a letter or memo. To prevent future embarrassment, delete e-mail messages from your network and back-up tapes after a certain period of time (e.g., six months or one year). Users will have plenty of time to copy important information elsewhere (e.g., to a document management system) before messages are deleted.

9. Provide thorough initial training and frequent updates. Good up-front and ongoing training, accompanied by top-notch documentation and user support, will minimize security breaches due to human error.

10. Make security part of your overall information management plan. Too many firms treat security as a technical afterthought. It is far more effective to address security when you initially think about who needs what information for which purposes.

Any firm that follows all these tips will go a long way toward establishing a highly secure e-mail capability.

Dana H. Shultz, an Oakland-based lawyer, may be reached by e-mail at and on the World Wide Web at