Is sensitive information sent as an email with a .pdf attachment safe for the sender?
First, just to be clear, you can't get infected by a virus or malware just by sending an email or an email with a .pdf attachment, but I don't think that's what you're asking here. Sending sensitive information in an email or as an attachment is unsafe, and depending on your organization's security policies, could land you in a lot of trouble. Let's have a look at why.
Sending an email is like sending a postcard: everyone or every system that handles it can see and record what you've written. Obviously, this is not a problem if the contents are of no interest or importance. It is a big problem, however, if the contents include banking details, network passwords or other types of sensitive data; defamatory remarks are a definite no-no too. If you send an email that contains data or content that your firm's acceptable usage or security policy expressly forbids to be sent via email, then you could find yourself in trouble. Most security-aware organizations will have policies and guidelines that cover the transmission of sensitive data: what data can be sent via email, what must be encrypted, etc. You should check with your IT department as to how you should send information of differing levels of sensitivity in order not to fall foul of these policies.
Merely putting sensitive information into a .pdf file instead of the body of the email won't protect it either unless you use one of Adobe's encryption options. A digital ID is required to sign documents and apply certificate security. Adobe Acrobat allows for the creation of self-signed digital IDs, which should be sufficient for many situations.
The most secure way to send messages and attachments is to encrypt them before they are sent. In addition to protecting the attachment while in transit, file encryption also provides protection to the file while it is stored on a PC, any mail servers it passes through, and finally when it arrives at the recipient's machine. Before making a .pdf available to others, consider removing content that reveals the document history or that contains personal information, such as metadata that lists your name as the author.
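An outbound check for the two points above (a .pdf is only protected if it is encrypted, and its metadata can name the author), as an added example that is not part of the original article. It is a heuristic scan using only the Python standard library; the sample PDF fragments, the file names and the helpers `audit_pdf` and `audit_message` are constructed for illustration.

```python
import re
from email.message import EmailMessage

# Info-dictionary keys that commonly identify who produced a document.
IDENTIFYING_KEYS = (b"Author", b"Creator", b"Producer")

# Constructed PDF fragments (not complete documents), enough for the scan.
SAMPLE_PLAIN = (b"%PDF-1.7\n1 0 obj\n"
                b"<< /Author (Jane Example) /Producer (ExampleWriter 1.0) >>\n"
                b"endobj\ntrailer\n<< /Root 2 0 R /Info 1 0 R >>\n%%EOF\n")
SAMPLE_ENCRYPTED = b"%PDF-1.7\ntrailer\n<< /Root 2 0 R /Encrypt 5 0 R >>\n%%EOF\n"

def audit_pdf(data: bytes) -> dict:
    """Heuristic: reads raw bytes only, so metadata inside compressed
    object streams is not seen."""
    if not data.lstrip().startswith(b"%PDF-"):
        raise ValueError("not a PDF")
    # An encrypted PDF points to an /Encrypt dictionary from its trailer.
    encrypted = re.search(rb"/Encrypt\s*(\d+\s+\d+\s+R|<<)", data) is not None
    metadata = {}
    for key in IDENTIFYING_KEYS:
        # Literal string value, e.g. /Author (Jane Example)
        m = re.search(rb"/" + key + rb"\s*\(((?:\\.|[^\\)])*)\)", data)
        if m and m.group(1):
            metadata[key.decode()] = m.group(1).decode("latin-1")
    return {"encrypted": encrypted, "metadata": metadata}

def audit_message(msg: EmailMessage) -> list:
    """Return (filename, problems) for each PDF attachment that would
    leave the sender's machine readable or carrying identifying metadata."""
    findings = []
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/pdf":
            continue
        report = audit_pdf(part.get_payload(decode=True))
        problems = [] if report["encrypted"] else ["not encrypted"]
        problems += [f"metadata {k}={v}" for k, v in report["metadata"].items()]
        if problems:
            findings.append((part.get_filename(), problems))
    return findings

def build_sample() -> EmailMessage:
    msg = EmailMessage()
    msg["Subject"] = "Quarterly figures"
    msg.set_content("See attached.")
    for name, data in (("plain.pdf", SAMPLE_PLAIN), ("locked.pdf", SAMPLE_ENCRYPTED)):
        msg.add_attachment(data, maintype="application", subtype="pdf", filename=name)
    return msg

if __name__ == "__main__":
    for filename, problems in audit_message(build_sample()):
        print(filename, "->", "; ".join(problems))
```

A clean result only means the file carries an encryption dictionary and no plainly readable Info fields; it says nothing about the strength of the password or certificate protecting it.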
I would also recommend that you sign any important messages as well as encrypt them so people can be confident the email originated from you. If the person to whom you send an email also has a digital certificate, you can sign and encrypt the message to ensure that it cannot be altered or read by anyone other than the intended recipient. As a matter of good practice, I would always write an email as if it were a postcard, not a letter, and add a salutation and the date and time in the body of your emails to ensure the context of the message is clear. Your email or attachment could be intentionally or unintentionally forwarded to and viewed by many, many other people. Even if you have encrypted the contents of the email or your .pdf document properties prevent printing or copying, there is nothing to stop the recipient from photographing the contents while they're displayed on their screen.
There have been quite a few security bugs found in .pdf documents recently, so if you exchange .pdf documents, ensure your computer is kept up to date with the latest patches. Antivirus and antispyware should be installed, updated and running, and always scan emails and documents before opening them.
Michael Cobb, Application Security asks:
What steps has your enterprise taken to ensure email attachment security?