It’s time to get serious about email security


In today’s hyper-connected world, email is the foundation of every organization’s collaboration, productivity, and character. And despite annual rumors of its demise, there’s no reason to believe we’ll be writing its eulogy anytime soon. Because it is ubiquitous and universally accepted, email is a treasure trove of sensitive business information. That’s why email leaks aren’t just data loss events. They’re direct attacks on your brand and reputation.

Despite team collaboration and communication tools like Slack and HipChat growing in popularity, people sent about 120 billion business emails per day in 2017. Employees willingly trust email enough to share their most confidential thoughts and ideas, intellectual property, medical information, and more. According to LinkedIn’s 2017 Cybersecurity Trends Report, employees are 50% more likely to use email to exchange sensitive files, rather than using a cloud service like Box or Dropbox, resulting in 63% of employees sharing sensitive data over email. If data protection is a priority for you, that’s a big issue.

The problem’s only getting bigger

The amount of sensitive information sent through email is accelerating – day over day, year over year. At the same time, our confidence in our ability to protect these communications is rapidly dwindling. It’s a troubling paradox. That same LinkedIn Cybersecurity report showed that while more than half (54%) of security professionals are concerned about protecting sensitive information sent through email, only 12% of security leaders believe email security solutions are effective. That’s a stark disconnect.

As our industry grapples with this problem, the number of damaging data loss events is only accelerating. From the Deloitte breach that compromised the emails of an estimated 350 clients, to the 73 healthcare-related data breaches reported to HHS so far this year, these high-profile incidents are a wake-up call that email security must be a top-priority initiative. So why haven’t companies made the investment to reverse this trend and deploy more secure email communications?

“The reason email is so widely used is that it works so easily. People can use any email client, on any device, on any operating system to send messages to anyone else in the world.” – Alan Lepofsky, Constellation Research

A brief history of email security

The underlying challenge is that email was never designed to be a secure, controlled protocol. Forty years ago, neither confidentiality nor anonymity was part of the design. The routing headers that every relay adds (the Received: chain) record which computer sent or forwarded the message, which computer received it, and when all of this happened. That metadata is needed for delivery, but it also means every message carries a plaintext record of its path, and nothing in the protocol authenticates any of it.
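To make that concrete, here is an added example (not code from the original article) that reads the Received: chain out of a raw message and lists the path in delivery order. The message is constructed for the example; every hostname, address and ID in it is a placeholder.

```go
package main

import (
	"fmt"
	"net/mail"
	"regexp"
	"strings"
	"time"
)

// Hop is one relay recorded in a Received: header.
type Hop struct {
	From string    // host that handed the message over (as the relay recorded it)
	By   string    // host that accepted it
	At   time.Time // time the accepting host stamped
}

var (
	fromRe = regexp.MustCompile(`^from\s+(\S+)`)
	byRe   = regexp.MustCompile(`\bby\s+(\S+)`)
)

// ParseHops returns the relay chain in delivery order (origin first).
// Each relay prepends its own Received: line, so the header order is the
// reverse of the delivery order.
func ParseHops(raw string) ([]Hop, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	received := msg.Header["Received"]
	hops := make([]Hop, 0, len(received))
	for i := len(received) - 1; i >= 0; i-- {
		line := strings.Join(strings.Fields(received[i]), " ") // unfold the header
		h := Hop{}
		if m := fromRe.FindStringSubmatch(line); m != nil {
			h.From = m[1]
		}
		if m := byRe.FindStringSubmatch(line); m != nil {
			h.By = m[1]
		}
		// RFC 5322: the timestamp follows the last ';' in the header.
		if idx := strings.LastIndex(line, ";"); idx >= 0 {
			if t, err := mail.ParseDate(strings.TrimSpace(line[idx+1:])); err == nil {
				h.At = t
			}
		}
		hops = append(hops, h)
	}
	return hops, nil
}

// SampleMessage is a constructed two-hop message (example data, not a real capture).
const SampleMessage = `Received: from mx.example.net (mx.example.net [192.0.2.10])
    by mail.example.com with ESMTPS id abc123;
    Tue, 6 Mar 2018 09:15:02 +0000
Received: from laptop.corp.example.org (unknown [198.51.100.7])
    by mx.example.net with ESMTP id def456;
    Tue, 6 Mar 2018 09:14:58 +0000
From: alice@example.org
To: bob@example.com
Subject: Q3 numbers
Date: Tue, 6 Mar 2018 09:14:50 +0000

Numbers attached.
`

func main() {
	hops, err := ParseHops(SampleMessage)
	if err != nil {
		panic(err)
	}
	for i, h := range hops {
		fmt.Printf("hop %d: %s -> %s at %s\n", i, h.From, h.By, h.At.Format(time.RFC3339))
	}
}
```

Running it prints the originating laptop's internal hostname and IP, both relays, and the timestamps, all in clear. Only the top-most hop (the one your own server wrote) can be vouched for; every line below it was written by someone else's software and can be forged at will, which is why incident responders treat the lower Received: lines as claims rather than evidence.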

As a first attempt to address email security’s shortcomings, businesses relied on public-key cryptography, in which each user publishes a public key that others use to encrypt messages to them, while keeping a private key that only they hold and use to decrypt those messages (and to sign their own). The first version of Pretty Good Privacy (PGP) was created in 1991. It was followed by the OpenPGP standard and its free implementation GnuPG (GPG), by S/MIME, which applies the same public-key model using X.509 certificates, and by TLS, which encrypts the hop between mail servers rather than the message itself.
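How the public-key model actually protects a message body, as an added example (not code from the article, nor from PGP, GnuPG or any S/MIME implementation): the body is encrypted under a fresh symmetric session key, and only that key is encrypted with the recipient’s public key. That envelope structure is what both PGP and S/MIME use; the packet and CMS framing are left out here, as is signing. Key generation is inlined for the demo, and the party names and message text are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is a hybrid-encrypted message: the body is sealed with a
// one-time AES-256-GCM session key, and that key is sealed with the
// recipient's RSA public key (RSA-OAEP). The RSA part is small and slow;
// the symmetric part handles the arbitrarily large body.
type Envelope struct {
	WrappedKey []byte // session key encrypted with RSA-OAEP
	Nonce      []byte // AES-GCM nonce, unique per message
	Ciphertext []byte // body encrypted with AES-GCM, auth tag appended
}

// Seal encrypts body to the holder of pub. Anyone with the public key can
// call this; only the matching private key can reverse it.
func Seal(pub *rsa.PublicKey, body []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, body, nil),
	}, nil
}

// Open recovers the body with the private key. It fails, rather than
// returning garbage, if the wrong key is used or the ciphertext was altered.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: not the intended recipient")
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	body, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("body rejected: ciphertext or tag was modified")
	}
	return body, nil
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)   // recipient (hypothetical)
	mallory, _ := rsa.GenerateKey(rand.Reader, 2048) // someone else on the path

	// The sender needs only Alice's public key (from a keyserver or a cert).
	env, _ := Seal(&alice.PublicKey, []byte("Q3 numbers attached, do not forward"))

	body, _ := Open(alice, env)
	fmt.Printf("alice reads: %q\n", body)

	_, err := Open(mallory, env)
	fmt.Println("mallory:", err)

	env.Ciphertext[0] ^= 0x01 // a relay flips one bit in transit
	_, err = Open(alice, env)
	fmt.Println("tampered:", err)
}
```

The relays in the Received: chain still see who is talking to whom and when; what they no longer see is the body. That split, confidential content over an observable path, is exactly what PGP and S/MIME deliver, and everything in the rest of this article about friction comes from the key distribution and client support this model demands.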

Alongside these encryption methods, a gateway-based model emerged to deal with the threats that arrive by email rather than with confidentiality. The basic functions every email security gateway performs are fundamentally the same, spanning antivirus, anti-malware, anti-phishing and anti-spam, though that does not mean all gateways are equally effective at detecting and stopping threats. And while an established tool like PGP can be sufficient for protecting message contents, end-to-end email encryption never took hold broadly because users experience friction that interferes with workflow and productivity.

Still today, PGP and the majority of email encryption solutions are criticized for being cumbersome and nearly impossible to scale across the enterprise. The last thing an organization needs is to hamstring itself with the new technology it is trying to roll out. The inconsistency of the applications, and the lack of persistent security and control across clients and services, is another big reason past solutions have come up short.

The paradox of email: Trusted, but not secure

In 2018’s edition of the “when will email die” story, Alan Lepofsky of Constellation Research summed it up perfectly: “The reason email is so widely used is that it works so easily.” When it comes to mass adoption, this is essential. And we know from experience that email is the standard we unconsciously compare all new communication tech to. If something is harder to use than email, if it requires additional steps, new logins, or new apps, most of us go back to our default.

This is where the inherent paradox of email arises. Because of our familiarity, we inherently trust the system. Deals are made, backs are stabbed, and relationships built over email. Sensitive data is shared, jobs are won, and secrets are exchanged. We trust the system not because it’s secure, but because it’s comfortable. So, if we are going to successfully address the challenge of protecting the most powerful communication channel on the planet, we have to keep this familiarity, inherent trust, and user expectation in mind.

It’s 2018: we have to do better

And to do that, we have to focus on the challenge of protecting data, from the moment it’s created, until it’s no longer needed.

For enterprises, it’s a multi-pronged approach encompassing comprehensive security controls and employee education. When selecting a tool, remember that the strength of email is its universality: the solution must work across the clients people already use (Gmail, Outlook, Apple Mail, Yahoo) and it must have persistent, dynamic security built in. The moment information is exchanged, whether by email or through external file shares in Box, Dropbox or OneDrive, it leaves your control. Only tools that let you set policies, and let owners change them in real time when needed (recall, watermark, time bomb, etc.), can protect against unwanted sharing and forwarding.

A successful, secure email strategy also depends on a simple and intuitive user experience: one that maintains persistent, dynamic security no matter where the message travels, and one that can protect confidential communications, classify messages, and change access rights in real time. There are a number of solutions in the market to consider, and I suspect this space will continue to innovate as new and more advanced threats reach our servers, networks, and inboxes.

Hopefully in 2018, we’ll see more companies adopt better identification methods and email security solutions, and keep not just their, but ALL of our data secure. Happy sending!