In a business context, electronic communications like email and file transfer are, of course, the principal bugbear. Given the increasing prevalence of image, music and video files in both our work and home lives, the increasing trend in file attachment “traffic” is hardly a surprise. According to research from the Radicati Group, in 2009 enterprise users sent and received, on average, 37 attached files per day. In 2013, this figure will rise to 53 attachments sent or received.
The fear is real
Should you be worried about any of this? The short answer is “No, you should be terrified.” Not because there are more emails and file attachments being sent now than there were before. But because, somewhere between the rush from the Minitel to the Internet, someone forgot to make it straightforward, feasible and practical for businesses (and particularly SMEs) to encrypt the content of the messages and files they send and receive, so that they are safe from prying eyes.
Files are a particular worry. If you move and store them using online file transfer and storage services, for example, (which is exactly what frustrated employees do when the files they want to send are too big for email), the providers of those services can see, understand and monetise the content within them. In essence, they know what’s in your photos and your documents. As a businessman myself, but also as a private person with individual liberties, I am fundamentally very uncomfortable with that.
In short, it’s an even bet that your business is currently sending messages and files, containing the most sensitive commercial information and intellectual property, as well as the most private personal material, in ways that are potentially open to interception by every spy, snooper, hacker, competitor, whistleblower and jealous ex-employee you care (not) to think about.
Like I said, communication can kill your business, but make no mistake, it can seriously upset your private life too.
The bulletproof message
I’m something of an Anglophile but deep down I still preserve the American instinct for simplicity. So, in my view, protecting stuff that you send over the Internet, so that it stays private, should be no more difficult from the user’s point of view than hitting a button that wraps the darned things in Kevlar and sends them on their way! It should not entail complex use of “S/MIME protocols.” It should not rely on SSL (which is not secure once the information is in the Cloud anyway!).
Hell, it shouldn’t even require you to remember a username and password. You’re running a business here, not a masterclass on PKI security infrastructure (whether you know what that is or not – and why should you?)
PrivateSky – what it is, and why
It was this conviction, after many years working in the “traditional” Internet security industry and realising how unsuitable its SME offerings were, that led me to develop the PrivateSky service.
I wanted to create a simple, one-stop service, delivered via the Cloud, that would enable everyone (individuals, SMEs, enterprises, government departments, regulated industries….) to simply go to a web portal, log in using a four-digit PIN, and then start to send and receive encrypted, completely secure messages and files.
No software licences needed. No additional hardware required. No training, maintenance or deployment. Not even a username and password to remember. Just hit the button and the message and/or file goes securely on its merry way, to any recipient you choose, whether you know them or not. Combine it with Microsoft Outlook and you can even send secure files up to a mighty 5Gb!
That simple? And no-one’s done it before?
In a word, no. It simply hasn’t been possible before, because of the very complex infrastructure that has traditionally underpinned commercial security applications. Recipients had to be pre-known and pre-enrolled (a real pain if you just want to send the latest project update to a new colleague, for example).
Also, the security depended on digital certificates, which go out of date and have to be manually managed, which, in turn, costs time and money. And it was very much “on prem” – requiring expensive servers and employee expertise that most small businesses simply couldn’t afford.
Most ironic of all, in this model, the keys that control the encryption are held by none other than the security vendor. So they could decrypt whatever you encrypted, and read the content of your communications. Nice touch.
But PrivateSky can read my stuff too, surely?
Forgive my transatlantic candour here, but that’s a big, fat, NO. Now, I could get all mathematical and cryptographic on you, but you’ve got a business to run, so I’m just going to give it to you straight:
1. PrivateSky doesn’t store encryption keys. We make the key to open the box, but the act of opening the box vaporises the key. Neat.
2. The “cryptographic secrets” that are at the heart of the privacy process are split across several different servers, so they can’t be reconstructed
3. The encryption key calculations work in one direction, but not in the other, so they can’t be reverse-engineered. (Yep, that’s right, all that stuff you learnt at school about 2 x 3 = 3 x 2; forget it. When you’re dealing with prime numbers several hundred digits long, weirdness happens.)
What this means is that only the sender and recipient can ever read the messages and files that are sent in PrivateSky. I daresay I could get (legitimately) very rich by understanding more about your data, but it’s never going to happen. Not while you’re using PrivateSky, anyway!
Smash and Grab!
Sadly, messages and files are not the only parts of your business communications that are vulnerable to compromise. Websites have proven a red rag to bullish hackers, too.
The challenge here is, again, around the limited resources that small businesses can ultimately draw on when it comes to managing technology. As a small business, you can outsource web design and maintenance to web and software developers, or you can use in-house people if you have them.
What you will struggle to find – and to pay for – is genuine, cryptographic security expertise. This stuff doesn’t come cheap, and it is extremely high-risk; as they say on the TV, “Don’t try it at home!” Result: millions of small business websites have inherent security flaws, just one example of which is the username/password vulnerability that has led to millions of user logins being stolen worldwide over the past several months in so-called “smash and grab” attacks.
It was this need that led me to “break out” two of the underlying technologies in PrivateSky and make them both separately available as services to developers. This means that they can easily drop them into place in their existing website projects. SkyKey provides the encryption key management that is at the heart of secure data transfer, and SkyPin provides two-factor PIN authentication, which, among other things, renders usernames and passwords (and therefore the “smash and grab” attacks) a thing of the past!
So, communication can indeed kill your business. But then so can failure to move with the times. As your messaging, file transfer and web presence move cloudward, so the resources that secure them must reach for the Sky too.