Email is NOT Secure for Client Data – The Smarter Way for Accountants & Lawyers to Share Files

According to Americas Cyber Defense Agency (CISA.gov) More than 90% of cyber-attacks start with an email. 

https://www.cisa.gov/shields-guidance-families

Why email is not secure for lawyers and accountants 

If you work in the professional services industry, particularly finance, property or law, you are extremely vulnerable because you handle lots of personal data and financial data.

https://www.dbllawyers.com/understanding-cybersecurity-risks-in-real-estate/ 

Do you have confidential client information in your inbox or messaging systems?  If you do, you need to read on. 

This article will give you guidance on how to mitigate your risk and improve your client's experience with you and your organization.

You have just finished a meeting with a prospective client.  To onboard them onto your systems, you need to get more information from them. The information you need is sensitive, personal data. You are mindful of GDPR but you only have a few mechanisms available. 

https://gdpr-info.eu/ 

You proceed to open your email and begin to type a message to the prospective client to ask for their information.  Something stops you.  You are aware that email is an incredibly insecure way of sending data.

As a professional services company you deal with sensitive client data regularly.  Should all this client data be in your inbox and sent items?  In fact, should client data be anywhere except your approved system of record with appropriate client consent as detailed in your privacy policy?   

Email is a highly vulnerable mechanism for requesting client information. Email is not secure.    

Why is email NOT secure for file transfers and requests? 

• Email can be intercepted

• No end-to-end encryption

• Files are often stored on multiple servers  

The risks of sending files by email:

• Data breaches, hackers can intercept emails in transit.   

• Phishing attacks.  Fake emails try to trick professionals into sharing client data and information.   

• Lack of compliance.  Email alone doesn’t meet GDPR or SRA standards.   

So, what do you do? 

• Email?  Risky and not secure.   

• WhatsApp?  Unprofessional and against company policy.   

• Text Message?  Not secure and unprofessional.   

• Teams?  The client doesn’t have an account and Teams is locked down.  

• Approved company portal?  Impossible to use and frustrates my client as they must create an account with the cloud provider.  Also, it is still not secure as the cloud provider has access to my client's data as their servers hold the public and private encryption keys.  Can I really trust them?  What if they are breached?   

• File Transfer website?  Not secure and easily intercepted, also looks unprofessional.

How to send sensitive client files securely   

At Key and Box we believe there is a safe way to send client files, hence why we created our service. We identified three clear pain points:  

1. Sending files by email isn’t secure.  Emails are regularly intercepted, and mailboxes are often compromised.   

2. Inboxes and Messaging services are not file storage facilities.  We strongly believe Inboxes are dirty and 90% of the clients we speak to hold sensitive client information in their communication platforms for more than 30 days.   

3. Existing solutions like secure vaults and client file sharing sites are difficult to operate and staff and clients often bypass the process in favour of speed.  

4. Encrypted email is a flawed system and doesn’t do what it claims to do.  End to end encryption is not universal, Metadata is exposed and key management is complex.  https://www.virtru.com/blog/email-encryption 

5. File transfer websites are as vulnerable as an email.

Key Risks of Using File Transfer Websites for Sensitive Files 

• No End-to-End Encryption → Files are encrypted on the providers servers but not during the entire transfer process. 

• Data Stored on the providers Servers → Once uploaded, the provider has access to the files (unlike zero-knowledge providers). 

• No Strong Authentication & Access Controls → Anyone with the link can access the files, making it vulnerable to accidental sharing or phishing attacks.

•  Privacy Concerns → In 2020, A large file transfer provider, WeTransfer was banned in India due to security concerns.  https://www.hindustantimes.com/india-news/wetransfer-banned-in-public-interest-official/story-hEsox3j5eHscd7LHLB3PVP.html.com