Facing up to Encryption

March 20, 2008

Interception of e-mail poses a real threat to UK law firms, placing the integrity of their communications at risk, according to an industry survey. 

The survey, undertaken by Strategy One, highlights a widespread and mistaken belief that existing anti-virus and spam prevention solutions provide sufficient e-mail protection. This suggests that the possibility of interception is being overlooked by many law firms, simply because they fail to appreciate or understand the means by which e-mail can be intercepted.  While e-mail interception poses a threat to all businesses, the often sensitive nature of a law firms’ communications increases the importance of security for lawyers and their firms.

UK law firms need to be made aware of the true nature of the threat posed by e-mail interception.  The survey clearly identified a high level of confusion among law firms over the various aspects of e-mail security.  It is important to point out that this is not the fault of the legal sector, but is indicative of a general lack of awareness common to businesses of all types concerning the consequences of e-mail interception as an e-mail travels across the public internet.  The growth in e-mail use and the amount of highly confidential information that is e-mailed on a daily basis has created an unacceptably high level of risk.
Encryption of e-mail has not been widely adopted by law firms. Despite the risks to which e-mail is exposed in the course of transmission, most law firms have been content to take the risk of interception by hackers. Indeed, some firms have been heard to express the view that they hope clients do not enquire about the possibility of encryption because their firms have neither the technology nor expertise with which to introduce it!

With some justification, they point out that there is no universally applicable system that is conveniently being operated and which is commercially viable. The system of PKI (Public Key Infrastructure) whereby public and private keys (algorithms) are exchanged and applied to encrypt and decrypt e-mail is generally only commercially viable for large corporate bodies and is not practical for smaller organisations.

Survey Findings

However, there is little doubt that part of the problem does lie in the apparent failure of the profession to understand exactly what is implied by e-mail security.

The risk posed by an e-mail security breach was further highlighted by a related survey finding indicating that, although most respondents believe email is the least secure method of communication, more than half of a law firm’s daily e-mail traffic contains confidential information.  Interestingly, 82% of respondents were aware that external e-mails pass through many places before reaching the intended recipient.
The survey sample comprised 201 partners and non-partners of law firms across the UK. The research indicates that, despite the recommendations contained in the e-mail security guidelines issued by the Law Society, fewer than 10% of UK law firms encrypt e-mail.
Key findings included:
• on average, more than half the e-mails sent by law firms contain confidential information
• e-mail is considered the second least confidential way of communicating information
• almost half the firms  surveyed thought that their existing software covered confidentiality, although on further questioning it emerged that well over 90% of these were mistaken in their belief – 20% did not know whether their software covered email confidentiality.
Encryption is now high on the agenda of most corporate bodies in the commercial sector, not least because of the need for a system of corporate governance within organisations. More specifically, there is now a more widespread awareness of the provisions of the Data Protection Act 1998 and, particularly, of the fact that one of the eight principles requires data to be held securely.

This is not confined to data stored on the systems of organisations. It includes any confidential data either stored or passing through a system. Therefore it catches confidential data contained in e-mail and any attachments.

Emerging Solutions

Some solutions are now emerging, but until the tipping point is reached whereby a preponderance of organisations are using the software, there will always be a large number of organisations who are outside the encryption ‘loop’.

One solution that has been around for some years is offered by PGP (Pretty Good Privacy – www.pgp.com)
PGP Universal Gateway Email provides centrally managed, standards-based e-mail encryption, in which e-mail is secured as it enters and leaves the enterprise’s network. It also includes e-mail polices for recipients without the need for special training or software.

Another solution has recently been developed for professional services firms, particularly for law firms, by UK e-mail security solution provider, Securecoms (www.securecoms.com). Secure-mail provides a hub, which is placed between the customer’s email server and the internet gateway which automatically and seamlessly encrypts emails between the user and other Secure-mail users. Secure-mail:lite is for those without the Secure-mail hub (ie most private clients).  A Securecoms user can invite them to download an application that enables them to encrypt and decrypt e-mail communications between themselves and the Securecoms user.

A third solution is offered by US-based Entrust (www.entrust.com). Entrust Entelligence Messaging Server is an appliance-based e-mail encryption gateway that communicates securely with external partners and customers. Offering standards-based S/MIME, Open PGP, and web-based encryption options for secure message delivery from Microsoft Exchange and Lotus Domino environments, the server can be used to reduce the time, cost and risk of conducting a wide range of tasks electronically.


A brief examination of any electronic file will reveal that, often without appreciating it, a good deal of sensitive information is conveyed and transmitted without any form of encoding that will protect it from interference by a third party. This is the equivalent of sending clients’ communications on a postcard or in a letter placed inside an unsealed envelope – or even without an envelope!

This will surely not be acceptable to the new breed of legal services providers waiting in the wings for the Legal Services Act 2007 to take effect.

Rupert Kendrick is a solicitor and director of Web4Law Ltd., a risk management consultancy, and he specialises in IT and Internet risk issues. He can be contacted by e-mail at Rupert@web4law.biz or visit www.web4law.biz. This contribution is drawn from an article by the author that first appeared in Property in Practice, Winter 2007