
Firms hit out at Sesame move to encrypt emails

Sesame members have hit out at the network over plans to force advisers to encrypt emails containing confidential information, meaning that clients will have to download software in order to open correspondence.

Sesame has notified its member firms that all emails containing confidential information must be encrypted and has chosen Origo Unipass Securemail as the preferred software.

From January 1, 2010, all emails sent between Sesame and its members must be encrypted; emails to clients containing confidential information must be encrypted by March 1, and all confidential emails to companies by June 1.

Sesame Adviser Forum has been swamped with complaints from IFAs, who say that they and their clients are having trouble downloading and using the software. They say technical support from Sesame is limited.

Advisers say some clients are requesting that emails are not encrypted because they do not want to download the software, but Sesame says this is not an option.

H.R. Independent Financial Services director Tim Harvey says the technology is difficult to install and has not been properly tested.

He says: “The technology is flakey at best and the support from Sesame is poor. I contacted Sesame for help and they referred me to Origo. I have the feeling that we are guinea pigs and the technology has not been properly tested. I have a lot of time for Sesame and they do a lot of good work but I’m very disappointed that they have gone for this without thinking it through and properly testing the system.”

Liberty Bishop Financial Services independent financial adviser Edward Thomson says the program causes Microsoft Word 2007 software to crash and creates problems accessing the secure emails externally.

He says: “When you call Sesame for help they seem to make out as though you are the only IFA having problems, but that’s clearly not the case. Anything to do with IT and Sesame seems to fall down at the first hurdle.”

Other advisers on the forum argue that it is unnecessary to encrypt emails being sent to an account that is already password-protected, when faxes and postal services cannot be secured.

One adviser, who does not want to be named, says: “The feedback we are getting from clients is that they do not want us to encrypt their emails but Sesame will not allow them to opt out. Any confidential information will have to be faxed or posted to them, which seems silly because they are much less secure.”

A Sesame spokesman says data security is a “huge social and regulatory issue” that the industry needs to help tackle.

He says: “The majority of members have successfully installed the free software, but we are sorry if anyone is having difficulties and we will do everything we can to help because it is in everyone’s interests to get this right.”


Comments


  1. Does this mean Sesame IFAs have been sending personal information around using plain unencrypted emails until now? If so, that’s absolutely scandalous!

    The Information Commissioner should be down on them like a ton of bricks, if this report is true.

  2. When you say advisers ‘hit out’ I think you mean a couple of out-of-date close-to-retirement old-school IFAs who know nothing about the security risks of email had a little grumble.

    This is an excellent move by Sesame. All firms should be doing this – what could be fairer to customers than protecting their private information?

    Stop whingeing.

  3. Protecting client information is vital, and we must do all we can to meet the requirement. No one likes change, and this is just another example of people complaining because of change.

  4. It seems Sesame have closed their ears to all reasonable argument. Their advisers will go to other networks like Tenet who are pro advisers and want to help us do our business.

  5. I agree with Edward Thompson, I have been made to feel that I am the only one unable to use this system. It has messed up so much of our IT and it has cost us a fortune with our IT support.

    In addition, I have clients who do most of their business on Blackberry/HTC phones – the system does not work on these!!! These clients have specifically and categorically told me that they WILL NOT use encrypted emails!

    When I asked Sesame about this I was told that I had no choice, my clients could not opt out and if they wouldn’t use it then I had to post information to them.

    The whole reason clients use Blackberry/HTC is because they are travelling/away from their offices – how exactly do I post something to a client who is travelling from place to place on business without jeopardising their applications?

    I have pointed out that to force clients to use this technology is in breach of all TCF principles – it is a bit like saying to a Jewish person that all documents have to be wrapped in bacon, like it or not!

    Sesame is a fantastic organisation and in general I cannot praise them enough – however, on this one I am extremely annoyed.

  6. We have removed the encryption software as it disrupted the 1st Software back office system that we run. Sesame has been no help whatsoever and continues to send encrypted email, containing such sensitive information as advertisement wordings – surely the point of these is that they will be seen, anyone wanting to intercept these is welcome.
    This has been a poorly thought out and executed attempt to be “holier than thou”, something that Sesame is very good at.

  7. At last someone has woken up to the fact that Security might be an issue.

    Email Encryption has been easy to do for a long while and has been built into all Microsoft and other software for a long while.

    The whole area of Data Protection is not taken that seriously by many in the financial services sector, and that is why as IFAs we formed our own tech firm to work with and advise other IFAs.

    Well done Sesame, however you could have made it a lot simpler and of course sooner.

    Richard Smith IFA and Tech Consultant.

    http://www.theinternetconsultancy.com

  8. How scandalous! Sesame members are still sending out unencrypted emails. I’m not a fan of Sesame but in this case they are absolutely right. Come on Sesame members get into the 21st Century and recognise the security risks.

  9. I am a Sesame Network Member … What’s the problem? Get on with it! Or is this just a smear campaign talking nonsense? Hardly breaking news, Mortgage Strategy, come on!

  10. I sent a reply to an encrypted email back to Sesame and it bounced back saying they couldn’t read it!

    Surely a secure message system is a better route? Messages to and from Sesame can be facilitated via their website and we can continue with our current protocol which is to message clients securely via our website. It also has the added benefit of getting clients to use the site more often.

    I agree the current system is cumbersome and ill-conceived and as such is less likely to be used as consistently as Sesame would like.

    All-in-all an own goal I’m afraid

  11. Whenever I hear of Sesame and a new IT system it makes me smile. Sesame office was the worst bit of kit I’ve ever seen. As there were other good offerings around at the time that Sesame could have white labelled then it was just hubris which kept SO going for so long.

    Can they get this right? Don’t hold your breath!

  12. Whilst I agree with all the comments about data security, the technology is at question here, and the support for its use. Origo themselves have had issues trying to use and install this software. The problem will come when you have another trading partner who uses a different security system and find that they don’t work together!

  13. @Debbie Boyes – the fact that you have clients that don’t want to protect their confidential information is, I’m afraid, irrelevant. I’d rather not bother having to remember my PIN but for some reason my bank does insist I use it at the ATM. Yes it’s inconvenient but it is for my own good.

  14. Damned if you do and damned if you don’t!

  15. It sounds as though Sesame is trying to do the right thing but has chosen the wrong software and failed to provide its members with anything like adequate support to resolve the assorted problems that have manifested themselves. Thank goodness we never had any involvement with Sesame.

  16. The move to encrypted email for confidential data is not just wise, but fast becoming a regulatory requirement.

    There is clearly a basic lack of understanding in this technology-threadbare industry. This is proved when
    “Other advisers on the forum argue that it is unnecessary to encrypt emails being sent to an account that is already password-protected”.

    The fact that email correspondence has a password at both ends does not stop the message from being read in-between by mail administrators. Terrestrial mail has a locked mailbox at each end but that doesn’t stop postal workers from opening it and having a look.

    Good work Sesame, we commend you.

  17. I’m sorry, but I couldn’t help reading this and then thinking of the granny in Catherine Tate!
    Presumably, sesame brought this in because not enough of their advisers were serious about security! Serves them right!
    As for “how do I update someone who travels from place to place?” Use a secure carrier, or password protect an attachment. This really isn’t that difficult.
    What would these people prefer? A fine????

  18. They are just following the EU directive on Data Protection. As we are unfortunately part of Europe these are rules that have to be followed.

    Many companies have been breaching these rules, but more and more companies are moving to use encryption, and annoying though it is, it is a sign of the times. And much better than a fine for breaching data protection laws!

  19. Yet another example of pointless form ticking.

    Yes, in theory emails can be hacked into, but overall as a medium, ordinary email is much more secure than the postal service where any one of thousands of postal workers, even the Christmas temps, can pick up any item of post and open it (or even steal it). That’s why this sort of thing annoys me.

    Sesame clearly haven’t thought things through.

  20. @Adam Bell – sorry but you’re wrong. This is not box ticking but the correct approach to a very real danger. Unencrypted email is massively vulnerable.

    Please feel free to send me your bank account number, sort code, name and address by plain text email if you’re so confident in it.

    I am worried by the blatant disregard for information security being shown on this thread.

  21. Most people use webmail, you have to use a password to access your account. What sort of personal information do people send by email? Bank account or credit card access information? Email is more secure than the envelope which delivers your new card through the letter box isn’t it?

    Last week there was a major card fraud involving thousands of people, the data was hacked from a large database over a year ago but nobody thought to cancel their cards because the owner of the server didn’t tell the whole truth.

    Electronic data is an area of risk the regulators are only now waking up to, how secure are your own computer systems? How secure is your Blackberry? How secure is anything?

  22. We are always being told that emails are not safe, that they are not encrypted and that anyone can hack into them, but who actually manages to hack into them? Don’t servers have security anyway? I agree with Adam as well that post is hardly secure, anyone could intercept it. But blaming Sesame is hardly fair, we have had to endure providers encrypting/using secure email systems that are fiddly for months now. It’s becoming more commonplace and it’s due to EU regulations.

    And as we know EU regulations are not always for the best in my opinion!

  23. Mark - Sesame Member 11th December 2009 at 12:15 pm

    I’d be amazed if there are many people that are really having much trouble with this software – it’s so easy to install and use – I’ve never had an issue with it.

    Clients don’t mind – why would they? Are they really going to complain that we are taking the issue of data protection/client confidentiality seriously.

    I have a few clients that use Blackberrys and they can just read the emails when they get back to the office or home – no big deal.

    Agreed, emails are less likely to be read than post anyway, but in this environment when every organisation is under scrutiny if they lose any client information (and rightly so) why take the risk.

    Not having had any problems with the software I haven’t had to call Sesame for support, but I wouldn’t be surprised if they didn’t have the answers – they have provided us with a link to get this free software. Maybe those with any issues should contact Trend Micro – the software developers. Sesame provide me with free Trigold software, but I don’t phone Sesame if I have any issues with that!!

    All in all, I think Sesame have got this spot on, perhaps it should have been looked at many months, or even a few years, ago, but I do wonder how many of the other networks or DA firms have addressed this issue?

  24. There is a better way…

    The IFA sends an email to the client saying there is a secure message waiting for them at the IFA’s website. The client then logs into the secure message area on the IFA website and reads his or her message. No software required! It only needs the client to register successfully with the IFA website.

    Oh, and for the IFA to have a secure message area built into his website. Now, that’s where Sesame should be concentrating!

  25. I think we should close for Christmas while this is all sorted out !!!! ::>)))), life’s too short to bitch about all this, let’s crack on !!

  26. The objection seems to be that clients don’t like these encrypted emails and who can blame them. If clients don’t want them, then under TCF any IFA sending an email in this manner is in breach of TCF.
    Technology isn’t the solution, it’s the problem. Why are some IFAs network members?

  27. @michael brayne – you simply cannot use TCF as an argument here – and I’m amazed you’re trying to do so. Data security is not optional – it’s mandatory. I’m sure the FSA would not consider it fair treatment if a firm failed to protect its client’s data. Wouldn’t you?

    TCF is not just ‘doing everything the client wants’. You do know that, don’t you?

    Once again, I’m amazed at the level of ignorance some IFAs appear to have in these matters.

  28. Encryption of confidential info is one thing, but encrypting all emails to clients is excessive.
    Well done Sesame for highlighting this to its members, but ultimately, to be TCF, clients need to be given the option of receiving unencrypted if they prefer, especially if it means downloading software to their own PC.
    Common sense needs to be applied with every kind of security, but we must not let security rule our lives otherwise our lives become all about security (much as the War on Terror has distorted our once liberal attitudes in the UK).
    I lived in Deal in the 1980s and was in the TA then and regularly had meals at the Marine Barracks which were blown up by PIRA. I regularly checked my car for explosives underneath, but that would not have saved me if the bomb had been in the building. Ironically we had armed guards on our TA barracks gates, but only at weekends and Tuesday nights so we would have been an easier target, especially as the rules of engagement meant that even IF the IRA had chosen a weekend, the armed guards did NOT have the ammunition; the duty Sergeant/Corporal did, who did NOT have a weapon. My point is that man hours were wasted due to security practices nationally which were purely a political sop and all that happened was PIRA chose an even easier target.
    Sesame’s measures may result in targeting of different IFA practices’ emails, but if they lose clients who insist on having emails encrypted or not, the cost can outweigh the benefit of making encryption mandatory whether the client wants it or not.

  29. @Dermot Brannigan

    Many Sesame members have used password-protected attachments but with this new system are not allowed to; it is their system or no system, which is the problem, not the idea of encryption.

    You try emailing a client at work and him having to install software to read it; it just won’t work, his own IT department won’t let him.

    My old system was password-protected PDF at 256-bit encryption but this is no longer allowed by Sesame.

  30. @ Richard Ross and Harry Baldwin:

    The solution you talk about (messaging via secure websites) already exists with True Potential.

    Ian McKenna talked about it in a previous MM article here:

    http://www.moneymarketing.co.uk/analysis/tales-from-the-encrypt/194697.article

    As far as I know they were the first to do this – I attended one of their seminars in October when they launched this – reference was made to the problems Sesame were having with email encryption back then.

  31. Welcome to the 21st century Sesame IFAs. Firstly, the comment a few above regarding the mandatory requirement for clients to download the software is a breach of TCF? I think you’ll find breaching the Data Protection Act and putting confidential client information at risk is a larger breach of TCF than not downloading a bit of software.

    Ironically I’m guessing most of these same IFAs send (using their unencrypted emails) PDF documents to their clients… well you have to download Adobe Reader before you can read those, an example of where technology has moved forwards in a similar respect.

    The only thing constant is change!

  32. The suggestion that we “have” to send all emails encrypted is nonsense, unless there’s a requirement for all post to be sent in a similar secure manner.

    Bear in mind Royal Mail admit that 14 million items were lost or tampered with, out of 22 billion sent each year. In the UK alone, there are around 1,000 billion emails sent every year.

    Now I accept that PC’s can have security issues and we all know organisations and Governments can lose data, but any actual losses due to interception whilst in transit are minimal. That’s why it’s wrong to focus on emails in isolation.

  33. It appears that people have the wrong end of the stick.

    The encryption software doesn’t work on Citrix or Small Business Server. It has bugs with Office 2007. There are errors appearing in the error logs with Windows 7. It causes MS Word to crash if you are a 1st Adviser Office user, and the software Sesame chose runs all of the time, not just when Outlook is in use.

    The concept of encryption is not the problem. The rolling out of obsolete software, or software that was designed for older operating systems/programs, without making sure it worked first is the issue.

  34. @Gary Brooks. I agree! Want to go for a pint?

  35. At IFA Systems we realised a while ago that the FSA were getting hot on the security of transmission of personal data, so we introduced secure messaging as standard into many of our websites back in January 2006!!

    Combined with the ability to store personal documents for a client online, it means that neither the emails nor the documents are transmitted, and the client can only access them by logging in to the secure area of his IFA’s website.

    This module (www.client-info-centre.co.uk) can be added to any IFA’s website, offering a service which does not require any special software.

  36. @Adam Bell – the comparison with Royal Mail is spurious – two wrongs don’t make a right. And at least with the post you can put the sensitive stuff in an envelope!

    Let me try to explain to those that don’t understand the vulnerability of email. Every time you send an email, copies of that data go through (and are held on) several dozen mail servers, often dotted around the planet, between the sender and recipient. Some copies might get archived. Others will remain there permanently. You do not know who can see it. You do not know who can access it.

    Are you still happy to be pasting copies of your clients’ personal data onto anonymous data servers across the globe? Let me know if you are, and I can avoid appointing you as my advisor!
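The relay chain the comment above describes is recorded in a message's own headers: every mail server that handles a message prepends a `Received:` line. The following is an added example, not part of this thread and not code from any product mentioned in it: a small Node.js script that unfolds the headers of a constructed message (all hostnames, addresses and timestamps are placeholders) and lists each hop, i.e. each server that held a copy of the message in transit.

```javascript
// Added example (not from the thread). The message below is constructed for
// the demonstration; the hostnames and addresses are placeholders.
const SAMPLE_MESSAGE = [
  "Received: from mx-in.client-mail.example (mx-in.client-mail.example [192.0.2.40])",
  "\tby imap.client-mail.example with ESMTP id 4; Fri, 11 Dec 2009 12:15:03 +0000",
  "Received: from relay2.isp.example (relay2.isp.example [198.51.100.7])",
  "\tby mx-in.client-mail.example with ESMTP; Fri, 11 Dec 2009 12:15:02 +0000",
  "Received: from smtp-out.ifa-firm.example (smtp-out.ifa-firm.example [203.0.113.9])",
  "\tby relay2.isp.example with ESMTPS; Fri, 11 Dec 2009 12:15:01 +0000",
  "Received: from adviser-pc.ifa-firm.example ([10.0.0.12])",
  "\tby smtp-out.ifa-firm.example with ESMTP; Fri, 11 Dec 2009 12:15:00 +0000",
  "From: adviser@ifa-firm.example",
  "To: client@client-mail.example",
  "Subject: Your pension transfer",
  "",
  "Body text here.",
].join("\r\n");

// Split the header block into logical header lines, joining continuation
// lines (those starting with whitespace) onto the line they belong to.
function unfoldHeaders(raw) {
  const headerBlock = raw.split(/\r?\n\r?\n/, 1)[0];
  const lines = [];
  for (const line of headerBlock.split(/\r?\n/)) {
    if (/^[ \t]/.test(line) && lines.length > 0) {
      lines[lines.length - 1] += " " + line.trim();
    } else {
      lines.push(line);
    }
  }
  return lines;
}

// Return the hops in chronological order (oldest first). Received: headers
// are prepended by each server, so the top of the message is the newest hop.
function relayHops(raw) {
  const hops = [];
  for (const line of unfoldHeaders(raw)) {
    const m = /^Received:\s*from\s+(\S+).*?\bby\s+(\S+)/i.exec(line);
    if (m) hops.push({ from: m[1], by: m[2] });
  }
  return hops.reverse();
}

// Every "by" host stored a copy of the message, at least briefly.
function serversHoldingCopy(raw) {
  return [...new Set(relayHops(raw).map((h) => h.by))];
}

for (const hop of relayHops(SAMPLE_MESSAGE)) {
  console.log(`${hop.from} -> ${hop.by}`);
}
console.log("servers that held a copy:", serversHoldingCopy(SAMPLE_MESSAGE));
```

Two caveats when reading real headers this way: each `Received:` line is written by the server that adds it, so the list is only as honest as the relays on the path and the count is a lower bound, not proof; and `with ESMTPS` marks a TLS-protected link, which shields the wire between two hops but not the copy sitting on either server, which is why content-level encryption of the message or attachment, rather than transport security alone, is what answers the commenter's concern.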

  37. The fact that e-mails are not encrypted means they are not secure. But the postal system in this country is now worse than that of many third world countries. We receive post for other IFAs, other IFAs’ clients, our own post goes astray, and post meant for us doesn’t arrive.
    (Add to that the fact post is often delivered at 4pm means that it is hopeless to rely on it).
    Encryption will come, but it has to be simple for recipients and senders, and above all, reliable.

  38. To Dave Green – If we follow your logic (and I am not against encryption, we just need to think about processes and getting the job done first, as if we can’t do the job because of excessive use of encryption, there is no business left), then as the data can be sitting anywhere in the world and stay there long term, then sooner or later someone can get past any system (even if not at present) if they are determined enough. That was my point when mentioning the IRA earlier and any terrorist who is determined enough. If they wanted to assassinate the UK Prime Minister, they could if it would serve their purpose. If someone wants to target a particular client and they are determined enough, they will succeed in getting the info they are after one way or another using human intel or electronic; all encryption is supposed to do is make it more difficult to trawl things in a data format or to pick up key words like “account number and password”. The vast majority of email traffic between IFAs and their clients has less personal data than they disclose themselves on Facebook, LinkedIn or Twitter! For that matter if someone searched on my name on blog sites they could probably create a timeline of my working life and input it into a psychometric test to find out what makes me tick!

  39. Interesting how things are taken out of context.

    I am 100% for encryption. Data that could be of use to a third party should be protected. I never stated that it shouldn’t be. The comments that were made by myself and other IFAs were not to do with whether encryption should be in place, more that the software Sesame are using itself does not exactly inspire confidence. What should have been a relatively easy installation, implementation and operation was not.

    It is still not operating properly in certain areas (remote access / certain browsers) and that on making enquiries one is led to believe that you are the only IFA with these problems. From speaking to others that have taken it on board – this is clearly not the case.

  40. I think the first point is that Sesame are actually doing something about secure e-mail, where others have just been talking about it, so I commend them for this.
    Maybe the more important question is whether we should be using e-mail at all for sensitive information? Well, from my point of view, not in the current way as it is not safe.

    As described above, Dave Green is right, the way e-mail works and is transmitted around the globe, it is not a secure transmission medium. So the things that fiction writers have been talking about like Dan Brown’s Digital Fortress, with government and criminal supercomputers analysing our e-mail traffic, are they true… whether they are true or not, and that people, governments or criminal organisations are actually scanning our e-mails we do not know. The sheer fact that we do not know where or who is storing our e-mail with that potentially sensitive data on it should be enough to either not use e-mail at all or go with the times and use an e-mail encryption solution. Also given the speed of computers today it would not surprise me if you can search through millions of e-mails looking for key words…

    I have played with a few e-mail encryption solutions and this has been one of the best. I found it is easy to register and the first couple of times I did not even have to download software to read the e-mails – they have something called zero download. This is not as quick, so if you can, use the software download.

    I have had none of the said problems with my computer or other applications and other than it asking me for my password each time, I think it is a great tool.

    Somebody also mentioned HTC phones (I assume like mine, it is a Windows device); if you use the zero download you can open up your e-mails on the phone. It can be a little bit fiddly with the questions, but it gets you there.
    Maybe like most new things or the fact that people don’t like change, it can be difficult at first.

    I would say give it try or don’t send e-mails that may have potentially sensitive data on them, including passing your bank account details…

  41. I think it’s a great step that Sesame have taken, as it really is time that networks took data security as seriously as their clients do. Sadly as they are the first to be proactive, they are going to get the biggest kicking, however we should probably take a minute to think about what the other networks are doing, and I’m willing to bet that the silence is very telling.

  42. The biggest issue here is the complexity.

    Firstly, a secure email solution does not address the core issue of sending data to the wrong person. If you accidentally send a secure message to the wrong recipient using this solution, then the wrong recipient will receive it and you will still have a data breach.

    One of the most secure means of sending data is to send the data in an encrypted attachment (use Winzip v11 and select AES 128bit and then use a strong password). Send the email using your normal email system and then telephone the intended recipient to let them know the password. This protects against accidentally sending the message to the wrong person (unless you then accidentally phone the wrong person too, which is far less probable).

    Unfortunately, sending encrypted attachments is cumbersome and difficult to manage for anything other than ad-hoc communication, so alternative solutions are needed.

    I fully support the need for secure messaging, but the Trend Micro solution is fairly new and not well established in the market. There is also a potential single point of failure in so far as the key management server is 3rd party. Yet to be tested to find out what would happen if the server was compromised. The Trend Micro solution may also be unacceptable to banks due to concern over the 3rd party server. It may take a long time to get this issue to align with the APACS requirements.

    From what I’ve heard, many banks are now moving to PGP and PGP is not interoperable with this Trend Micro SecureMail solution.

    All this, and it still doesn’t address what is probably the most likely cause of a breach (sending to the wrong person), so it’s not clear if it achieves a lot other than a tick-box exercise to say that they’ve done a good job. It addresses the issue of an email being intercepted while it’s on the public network, but I don’t believe that is a significant risk compared to other risks.

    More work needed guys.

  43. What exactly is the risk being managed here? Has anyone thought to consult the DPA for an interpretation of the rules? Is this scare tactics from salesmen with a solution but no requirement? I have yet to see an issue with client confidentiality that this solution will address, ie the transfer over the wire of clear text emails. The issues are where they are stored, and transported on media such as laptops and pen drives. The solution will simply encourage the sharing of accounts to decrypt (which is a bigger issue), and the use of fax (which is much less secure when received sitting on a fax machine or being sent to the wrong number). This doesn’t look like progress.

  44. TCF: The receipt of encrypted emails immediately raises concerns about how organisations will be able to effectively scan emails for unsuitable content/malware etc. I am informed that the supplier of the “secure” email solution is able to provide a solution, for a cost.
    The cost of replacing the old with a new will ultimately be borne by the consumer I assume; this all looks a little non-TCF.

  47. As many advisers predicted this has been a nightmare. The tech Sesame have chosen doesn’t work; it’s now an 8-week turnaround for Trend Micro to return a call for support as the software won’t function on so many PCs.

    The workaround leaves advisers without an audit trail for emails sent.

    In the meantime every encrypted email that gets sent from an adviser to Sesame (my experience) either cannot be opened in that department as their software is not working properly or appears never to arrive, and with the “workaround” you can’t request receipts. So you get asked to re-send confidential info unencrypted.

    Then to juxtapose this you get emails from compliance that are encrypted with 15 attachments which using the workaround takes you 10 minutes to open and save to your PC to find it’s stuff that is not remotely confidential.

    In the meantime firms that had already put encrypted email in place and had it working fine are not allowed to use their own solutions as yet again Sesame tech have designated poor software as the chosen solution that you MUST use.
