Is email more secure than ESN?
Some (quite a long) time ago, Marisa Peacock wrote an article on CMS Wire about the Gartner PPC session “The Social Workplace: Rethinking Communication and Collaboration in the Age of Social Networks” by Nikos Drako. Despite an otherwise interesting and well-written article, I got the hiccups when reading the following:
“…before companies can begin to find value in social networks, it’s important to look at what platforms are currently the most valued and why. It’s email, of course! Email messages are safe, secure, ubiquitous and for the most part, accurate. In contrast, messages broadcasted across social media and networks are speedy, encompass a wide audience, and can be reused and shared more easily. By determining your goals for messages and information created, it’s important to see how they align with the appropriate platform”
I agree that email is ubiquitous, but “safe, secure”? No way! I shared the article on Twitter and had the following conversation with Olivier Amprimo:
- Olivier: Gartner rides on general confusion between consumer social networks and enterprise ones. ESN are closed systems by default.
- Me: surprised me as well - because it is wrong. Risk of external leakage is much higher with email due to forwarding & mistakes
- Olivier: Transparency mechanisms are the differentiators between the two that creates an illusion of control.
- Me: exactly, and internal security you can manage with policies, NDAs and awareness + training
- Olivier: Correct, but it's easier for techies to downgrade features than write a governance and policies that are understandable by all
- Me: though even techies should know about technical drawbacks of email, such as content duplication, lack of traceability, etc
- Olivier: Yup + the same technologies are now available for ESN so that helps them too (facilitate their adoption ;-))
Since I wasn’t present myself at Drako’s session, I can’t tell if the article correctly reflects what Drako actually said, or if there has been some misinterpretation along the way. Regardless, letting such a statement pass by without scrutiny is dangerous. By positioning email as safe and secure communication, it is implied that social networks are not. It provides fuel to people who use the security argument to keep social networking out of the enterprise. What is worse, it does nothing to dispel the myth that email is a secure communication tool. There might be some truth to this argument if he were comparing email and public social networks, but for enterprise social networks? Really? Nah, I don’t think so.
In the comparison chart that apparently originates from Drako’s presentation (see above), one of the dimensions being compared is “protection”. Protection in this context is defined as: “certainty that only intended recipients will receive it”. From the diagram, it seems that email offers foolproof protection and that enterprise social networks offer no protection at all. As I will show in this blog post, this gives a false picture of reality. Furthermore, protection as defined here is not the same thing as security. Information security is about preventing sensitive or secret information from being disclosed to a third party. Protection, as defined by Drako, has more to do with the precision of the communication process. It certainly has an impact on security, but protection and security are not the same thing. Being able to select who shall receive your information doesn’t automatically mean that the information is protected and secure.
Security is a "people problem"
First of all, we need to remind ourselves that security is ultimately about what people do with the information they have access to. We can invest large amounts in designing and building “secure” IT solutions, but that doesn’t change the fact that people will always be the weakest link in the security chain. In most cases the greatest security risks lie not in the technology itself, but in how we use it. If there is anything we need to improve, it is how we use communication tools such as email in a secure way, and how we design tools and services so that doing the right thing (that is, the secure thing) is also the easy thing. Rather than putting straitjackets on people that prevent them from getting their work done efficiently and effectively, they should be educated and trained in how to work with information securely.
The use cases for email and ESN are different
There is (or should be) a difference in the use cases for email and ESN. Although email is used for virtually any kind of communication in organizations today, including many-to-many communication, it is best suited for sharing information that is only intended for a specific person or group of people, and for having one-to-one conversations. ESN is best suited for sharing information that can be useful for a wider audience inside your organization, and for having many-to-many conversations. With ESN, as opposed to email, you don’t have to know in advance who could potentially find the information you share relevant.
Since most ESN support not only open conversations but also private group or one-to-one conversations, the remaining use case for email is actually only external one-to-one and one-to-many conversations. If all internal communication could be done over an ESN instead of email, it would reduce the likelihood of accidental information leakage.
Avoiding accidental information leakage
It is true that on an ESN you don’t always know or have control over who will read what you share. You can often choose to restrict access to the information you share to specific groups or sub-networks, but this goes against the idea of being open by default and only protecting information that really needs to be protected. There is no value in information that is not – sooner or later – being used. Information that might be of use sooner or later holds a potential value, but that value is not realized until it is actually used for something. This means that in order to maximize the value of a piece of shared information, it should be made available to anyone who might have use for it.
Email, on the other hand, makes you think that you have control over who will read what you share, since you select specific recipients. But this feeling of control is just an illusion. Email is a tool that allows you to communicate with precision, and for that it is excellent, but the information you share isn’t protected from falling into the wrong hands. One important difference between ESN and email is that only employees have access to the ESN, while an email can be sent to anyone in the world who has an email address. It is quite easy to share information in an email with a third party by mistake. All you have to do is put the wrong address on the recipient list. A simple typo or misspelled name can do the trick. To share information that you posted on an ESN with a third party, you would have to copy the information and paste it either into an email that you send to the third party, or into a post on an external social network such as Twitter or Facebook. It would be pretty hard to do this by mistake.
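The typo risk described above lends itself to a simple pre-send check on the client or mail gateway. The following is an added example, not code from the original post: it buckets each recipient as internal, a likely misspelling of the internal domain (a lookalike within two edits), or genuinely external, so the sender can be warned before the message leaves. The internal domain example.com and the sample header are constructed.

```python
from email.utils import getaddresses

# Hypothetical internal domain; an organisation would substitute its own.
INTERNAL_DOMAIN = "example.com"


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_recipient(addr: str, internal_domain: str = INTERNAL_DOMAIN) -> str:
    """Return 'internal', 'lookalike' (probable typo of the internal domain) or 'external'."""
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain == internal_domain:
        return "internal"
    # A domain within two edits of the internal one is most likely a misspelling
    # (swapped letters, a dropped character) rather than a real outside party.
    if levenshtein(domain, internal_domain) <= 2:
        return "lookalike"
    return "external"


def check_recipients(header_value: str, internal_domain: str = INTERNAL_DOMAIN) -> dict:
    """Parse a To/Cc header value and bucket every address by the risk it carries."""
    result = {"internal": [], "lookalike": [], "external": []}
    for _name, addr in getaddresses([header_value]):
        if addr:
            result[classify_recipient(addr, internal_domain)].append(addr.lower())
    return result


if __name__ == "__main__":
    # Constructed sample: one colleague, one typo'd colleague, one true outsider.
    sample = "Alice <alice@example.com>, bob@exmaple.com, partner@supplier.net"
    buckets = check_recipients(sample)
    if buckets["lookalike"] or buckets["external"]:
        print("Warning: message would leave the organisation:", buckets)
```

A gateway would typically block or hold the lookalike bucket outright and require the sender to confirm the external bucket.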
When an accident happens
So, an email can easily get wings and fly away. And once you click the send button, there is no traceability of what happens to your email afterwards. Yet most of us use email to share quite sensitive stuff. With email it is virtually impossible to find out who has actually had access to your information. There is no (easy) way to tell if your message has been forwarded or included in another email exchange in which you are not a recipient. An ESN, on the other hand, collects data about who has viewed or interacted with the information you have shared. Any activity performed on it is tied to a user identity in the system.
Furthermore, the information you share via email is copied like a virus to each recipient. If your message was unintentionally sent to the wrong recipient, you have no way to revoke it. Nor can you change it if there is something wrong with it. All you can do is hope the recipients won’t read it, or send a new email and beg them to delete the previous one. On an ESN, the information you share isn’t copied. You can revoke it by deleting it. Some ESN platforms also let you edit information that you have already shared.
So what do you think: does email offer much better protection than ESN? Which is more secure, email or ESN?