The heart of tech is coming to the heart of the Mediterranean. Join TNW in València this March 🇪🇸

This article was published on October 21, 2018

The 7 deadly sins of email security

The 7 deadly sins of email security
Mark Forrest
Story by

Mark Forrest

CEO, Cryptshare

Mark Forrest is CEO of Befine Solutions AG and its U.S. subsidiary Cryptshare, a secure communication solution for the exchange of business Mark Forrest is CEO of Befine Solutions AG and its U.S. subsidiary Cryptshare, a secure communication solution for the exchange of business sensitive information. He can be reached at [email protected]

Email is one of the most fundamental forms of business communication today. Not many of us can imagine our lives without it.

But with one in every 100 emails disguising a hacking attempt, what can we do to better protect ourselves against those nefarious bandits wanting to get to our sensitive data?

Considering that more than 205 billion emails are sent daily across the Internet, one would be forgiven for thinking, with apologies to Mark Twain, that reports of its demise are greatly exaggerated.

Yet, some argue that  its days are numbered. With several alternative forms of digital communication available, we need to seriously consider the risks and benefits associated with email.

This article explores what are, to my mind and in my experience, the seven most critical and resolvable risks associated with email. By identifying these risks, we can be better prepared to address the security challenges and privacy concerns email delivers.

The 7 deadly risks

Let’s first recognize that email was never designed to be a secure form of communication. It’s much like a modern-day postcard, the information is there for anyone to see. Just cast your minds back to the turn of the century when attacks took the form of the promise of nude photographs of a certain female tennis player.

These were easy to spot and just as easy to ignore. Fast forward to the present with cyber threats becoming increasingly sophisticated, fooling even the most security-conscious person.

From an internal communications perspective, email is still a popular platform for colleagues to share information. But while it is relatively easy to encrypt these messages, scanning for malware, archiving documents, poor security hygiene by insiders, and even data leaks from disgruntled employees all have the potential to compromise a business.

Once you start communicating with people outside the organization (and the relative safety of your business firewall), it suddenly becomes more like the Wild West.

By design, an email can pass through many hands from sender to recipient and can be copied, scanned, or read at the press of a button. There‘s nothing to really stop a business partner from forwarding sensitive information to one of your competitors.

Additionally, while reliable, you never know for certain if a message has been received, read, or even intercepted in transit. In a nutshell, email has incredibly weak auditability. There’s nothing easier than simply saying “Sorry, I didn’t get your email” rather than admit to deleting it or not having read it.

This has resulted in an increase in spoofing attacks. Essentially, these create a fake mail that looks authentic and can slip through security barriers. Once opened, it can entice the reader to share important information, click on a link, or download an infected file.

As our documents get larger (thanks to the richness of the data contained), it becomes increasingly difficult to send those from within the company.

This has resulted in the emergence of ‘Shadow IT’, the reliance on consumer platforms outside the security of the enterprise to send large files. This is also one of the greatest risks to business information as these tools do not offer the same security level to safeguard sensitive data.

You know how easy it is to dial a wrong number. It’s equally easy to send an email to an incorrect address. Often, this results in a ‘bounced mail’. However, there is always the chance of it landing in the wrong inbox.

If this was just an office joke, then no big deal. If it’s a highly confidential budget, then the repercussions could be significant.

This brings us to the bane of many IT personnel’s existence – weak user passwords. Any email account consists of a user name and a password.

Of course, the user name is inevitably the email address with many employees picking their own passwords. The risk with this is that if the password is compromised, then a hacker has access to all your emails and can even send messages posing as you.

Not all bad

But despite the risks, email does provide numerous advantages over the recent, trendier forms of communication available.

Unlike WhatsApp, Slack, or <insert favorite messaging platform here> everybody has access to email. Plus, it doesn’t matter if you use a proprietary or open platform, email programs can ‘talk’ to one another.

Another advantage is that email is persistent. In layman’s terms this means you can still search and reference emails from years back. Security programs can just as easily scan and check emails before they are sent or received, providing an additional layer of security.

Furthermore, because it is so compact, you can send an email using any internet-enabled device whether you are in downtown New York or on safari in Kenya.

Something different

So, I mentioned WhatsApp and Slack as two alternative messaging environments. These are useful for collaborative tasks especially over mobile devices, and a multitude of similar app-type tools have emerged.

While great for short-burst conversations, they are not ideal for managing anything that is more long-term in nature or requires an audit trail. After all, how often do you search your WhatsApp messages of even a week ago?

We see these every day and while it might be considered old-fashioned, File Transfer Protocol (FTP) services do provide a viable alternative to sending large documents.

Both sender and receiver need to log on to the system and can access information in a more traceable fashion than with email. Unfortunately, there is very little in the way of authentication or security and files very quickly add up on a server, inevitably resulting in a data graveyard of unwanted documents.

Secure File Transfer Protocol (SFTP) services, an evolution of FTP, do offer encryption to protect content. Sadly, beyond that, these solutions share many of the negatives associated with FTP.

Is email dead? Hardly.

Notwithstanding its known flaws there are ways and means to solve each of these whether your main concern is security, auditability or handling of modern content with scale.

Take steps now to secure it, be more cautious in how you access and share content through it, and just generally use your trusty email reassured that with simple enhancements it is ready for the modern world.

Take it from me, despite rumors to the contrary, email is the bedrock of modern-day communications and going to be with us for a long time.

Users need to take precautions and ensure the messages they send are protected from the prying eyes of unwanted parties, received by intended recipients, and easily tracked, managed, and stored for prosperity.

Also tagged with

Back to top