📬 Avoid encouraging clients to email their documents: have a safe messaging app ready to receive them
Common email isn't considered secure
The CRA doesn't email your T1 after you file annual taxes; instead it asks you to download it directly from its portal. Your bank doesn't send your monthly account statement in an email. It does, you say? Find a new bank ASAP. The information in these documents could be very damaging if the system handling them lost control of it.
Encouraging clients (especially one-off clients) to use email when transferring sensitive information creates significant avoidable risk. Your clients could lose control of information that could harm themselves or your business. If you’re a medical professional, journalist, lawyer, or even a politician, there are many reasons why you would want to protect your, or your clients’, information.
When you email a client your bank transfer details so they can transfer payment, that information can sit in their inbox long past the time necessary. If email accounts are compromised months or years later, your business is exposed to risk. Operating this way means that every year you're in business, you accumulate a backlog of risk, like a snowball growing larger as it rolls downhill.
The current state of business and personal cyber security (1) suggests taking active precautions to protect yourself and your operations. Stolen data could be used to impersonate a person, then take control of their accounts. For those with access to business accounts, the potential damage is magnified.
So what do you do instead?
Use Signal, a tool which you can get for your phone and computer, to send and receive messages and documents.
Signal (Product Profile: Signal) is a tool that is trusted to protect the contents of what we send using it. Unlike email, Signal-exchanged messages and files cannot be accessed by a person who has managed to steal login credentials. Signal messages only get delivered to our phone or linked computer. Our devices would need to be physically stolen for threat actors (Glossary: threat actor) to get those messages.
Cyber theft tends to be opportunistic; passwords get stolen (Glossary: phished) in bulk online, then used to access accounts. Targeting a business for physical theft to access their online accounts is costly enough that threat actors mostly prefer easier and cheaper paths to success.
If you're already using another messenger like iMessage, that tool likely does not meet the criteria for secure document exchange. Signal is end-to-end encrypted, which means that nobody but you and the person you're messaging can read what you're sending each other. This is not the case for all tools and messengers.
Temporary exchange
We can also make sensitive information sent by Signal delete itself. We can set an expiry before sending transfer details to a one-off client. The message and attached files delete themselves when the client no longer needs access to that information.
Think of it like sweeping up the breadcrumbs to protect your business from threat actors who are on the lookout for trails to low-hanging money.
Using Signal for your business?
When you are using Signal for your business, go ahead and copy the following text to your MAP. Remove mention of the fictional Treehouse B&B business, and use your own wherever appropriate.
Treehouse B&B is using Signal messenger to ensure our business communications are safe, reliable, and confidential. Using Signal messenger for business communication allows us to meet our privacy commitments to you.
Next steps
Use our instructions to quickly get started with Signal. Then set up Signal on your desktop device to send and receive files safely.