I do a lot of work in industries where there is a tremendous amount of proprietary and confidential information passed around in mountains of documents. It is the type of information that might help a competitor tremendously to shorten their development and cycle times considerably.

So, you’d think that these companies would be among the first to use encrypted electronic communications, but you’d be wrong. Until last week, I had not received an encrypted document from a single client or ever been asked about encrypting the data that they provided to me on my business computers (I do anyway). I have been in places where the companies have been extremely careful about controlling their paper documentation, but seemingly oblivious to the risks of sending those very same documents out in e-mails without any encryption or password protection.

So I must say that I was delighted to receive an e-mail from a contractor who had actually encrypted and password-protected the document attached to it. They even knew that they shouldn’t send the password and the document together in the same e-mail. That’s progress!

The lack of using even the most basic document protection when sending sensitive documents by e-mail is a fundamental security risk to these companies. Perhaps the reasons that they don’t do it are because of the effort that would be required by the IT department to develop and enforce a policy around securing documents sent by e-mail, the belief that a security breach due to interception of a proprietary document “won’t happen to them,” and the inconvenience of applying the security layer to each e-mail.

I wonder if they have ever done a cost risk analysis for implementing such a procedure. It would be an interesting analysis to perform because the cost of implementing a secure e-mail documentation system would have both fixed and variable costs associated with it. Fixed costs would include items such as developing the systems, purchasing the software, training, implementation, and monitoring. Variable costs would include the time required to secure each individual e-mail that is sent or secure only certain high-value e-mails.

They could justify the fixed cost based on a risk analysis. For example, if a security breach could $500 million and the annual risk of that breach was one-half of one percent then the expected annual loss is ($500 million)*(0.005) or $2.5 million. If implementing a security system costs less than that, it is a no-brainer to do it.

As an aside, I wonder how many people really think that those long wordy legal statements that are often attached to corporate e-mails claiming confidentiality are adding any security.