For Your Eyes Only
Monday, 24 October 2011 6:51pm
Low-cost encryption solutions make email security simple and automatic
By Ken Norkin
No community bank would mail a customer’s monthly statement—account numbers, balances and all—on the back of a postcard. Yet, as of the 2010 ICBA Technology Survey, some 40 percent of community banks were still communicating with their customers by unprotected, unencrypted, “clear text” email, as easily readable as a postcard by anyone who manages to intercept it.
“Clear text email really has fairly limited utility in the financial services industry,” says Mike Osterman, principal of Osterman Research in Black Diamond, Wash. “You absolutely have to keep sensitive data private because of regulatory requirements,” or risk significant penalties.
Not only that, but community banks that don’t secure their email could be missing an opportunity to deliver a level of service their customers may want. According to a June 2011 survey by Osterman Research, 78 percent of bank customers would like to communicate with their financial institutions by secure email, but only 56 percent can do so. Osterman also found that 15 percent of customers would probably or definitely switch banks to get that capability, while 32 percent would consider it.
Fortunately, low-cost, subscription-based software-as-a-service offerings are available today that can automatically encrypt email, both to and from bank customers, so that it is readable only by the recipient.
Solutions from providers such as DataMotion of Morristown, N.J.; Perimeter E-Security of Milford, Conn.; and others integrate easily with existing email systems, whether operated by banks in-house or hosted by their ISP. Once the technology is in place and the bank has set its security rules and preferences, encryption of outgoing email happens automatically, with little or no employee effort. Bank employees can direct their email through the encryption server by simply using a specified keyword in the email subject line, such as the word “SECURE” or even a single character. Or the encryption engine can be told to identify emails that should be encrypted by recognizing sensitive content, such as actual account numbers; the format of account numbers; or words in the message such as “balance,” “loan” or “payment.”
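The trigger rules described above can be pictured as a small policy check run on each outgoing message. The following is an added illustration, not code from either vendor or from the original article; the rule names, the 10-12 digit account-number format and the sample messages are assumptions made for the example.

```python
import re
from email import message_from_string
from email.policy import default

# Assumed rules for illustration: the keyword, trigger words and the 10-12 digit
# account-number format are hypothetical, not any vendor's defaults.
SUBJECT_KEYWORD = re.compile(r"\bSECURE\b", re.IGNORECASE)
TRIGGER_WORDS = re.compile(r"\b(?:balance|loan|payment)s?\b", re.IGNORECASE)
# 10-12 digits, optionally grouped with spaces or hyphens. Over-matching only
# causes extra encryption, so the pattern errs on the broad side.
ACCOUNT_NUMBER = re.compile(r"(?<!\d)\d(?:[ -]?\d){9,11}(?!\d)")

# Constructed sample messages (not real mail).
SAMPLE_KEYWORD = "Subject: Secure: your documents\n\nPlease see the attached form.\n"
SAMPLE_CONTENT = "Subject: Follow-up\n\nAccount 0012-3456-7890 has a balance of $1,250.\n"
SAMPLE_CLEAR = "Subject: Insecure wifi notice\n\nThe lobby closes at 5 pm on Friday.\n"


def body_text(msg):
    """Join every text/* part so an HTML alternative is scanned as well."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_content() for p in parts
                     if p.get_content_maintype() == "text")


def encryption_reasons(raw_message):
    """Return the rules that matched; an empty list means no rule fired."""
    msg = message_from_string(raw_message, policy=default)
    subject = str(msg.get("Subject", ""))
    text = subject + "\n" + body_text(msg)
    reasons = []
    if SUBJECT_KEYWORD.search(subject):  # employee opted in via subject line
        reasons.append("subject-keyword")
    if ACCOUNT_NUMBER.search(text):      # content looks like an account number
        reasons.append("account-number-format")
    if TRIGGER_WORDS.search(text):       # content mentions a sensitive term
        reasons.append("sensitive-word")
    return reasons


if __name__ == "__main__":
    for name, raw in [("keyword", SAMPLE_KEYWORD), ("content", SAMPLE_CONTENT),
                      ("clear", SAMPLE_CLEAR)]:
        print(name, encryption_reasons(raw))
```

A message with any matching rule would be handed to the encryption server; matching the keyword on word boundaries keeps a subject such as “Insecure wifi notice” from triggering it by accident.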
According to DataMotion’s chief technology officer, Bob Janacek, that company’s product even adds a “Send Secure” button to Microsoft Outlook, making the secure choice as easy as possible.
What type of message reaches the recipient depends on which of two primary encryption approaches the organization has implemented. In push encryption, the entire email message is encrypted, sent as an attachment to another message and then unlocked by the recipient using software that contains the appropriate key or, in some cases, by entering a password they chose when enrolling in the bank’s secure email process. With pull encryption, the recipient receives an email notifying them that a message is waiting in their secure mailbox at the sender’s site. Clicking on a link in the notification “pulls” the customer to the site, where he or she logs in to an account and retrieves the message.
Organizations wanting to communicate securely with customers are more likely to choose pull encryption, says Perimeter E-Security Chief Technology Officer Andrew Jaquith, in part because it eliminates push encryption’s need for certain software on the user’s computer and the secure exchange of keys before encrypted messages can be decoded.
Pull encryption also simplifies secure communication from the customer back to the bank, since messages can be composed, encrypted and delivered to specific employees or departments while the customer is logged into the messaging section of the bank’s website. DataMotion has also made encryption accessible within the email software of iPhone, Android and other mobile devices.
Of course, increased security comes with a cost, but the good news for community banks is that the cost is low for the value received.
But, suggest Osterman and the vendors, cost shouldn’t be the prime consideration in how or whether banks assure the integrity of their customers’ financial communications. “More than other service providers they deal with on a regular basis, their bank is who they most want to communicate with securely,” says Osterman. “Secure email with a bank creates more stickiness: It would make customers more likely to do business with that bank and it would address the serious disconnect between what customers want to do and what they can do.”
As Jaquith sums up: “Customers tend to respond favorably when banks appear to be doing something that is in the customer’s security interests.”
Kenneth Norkin is a technology writer in Takoma Park, Md.