Email is older than the web itself. Electronic messaging dates back to the time-sharing systems of the 1960s, and networked email was running on the ARPANET in the early 1970s, before the internet as we know it existed.
The online community was minuscule, limited to a handful of researchers with computer access who hardly anticipated that their rudimentary message service would form the backbone of digital communications for decades to come. For a wealth of reasons, the original email protocols were not designed to be secure, and the core protocols remain that way today.
In fact, email still has several fundamental security gaps, even in 2020. By default, email is vulnerable to interception, tampering and forgery, and it is up to you and your business to layer security controls on top of it. Here is an in-depth look at some common email weaknesses and some viable solutions for them at the enterprise level.
Message Disclosure and Modification
When you send an invoice through the post, you are trusting that no one will open the envelope and read it. Email offers even less: unless encryption is added, messages travel as plain text across the internet, so anyone positioned on the path, whether on a hostile Wi-Fi network, a compromised router or an intermediate mail server, can read them and harvest any secrets they contain.
Perhaps worse, because plain SMTP provides no integrity protection, a third party on the path can also alter the message in transit, for example changing the bank details on an invoice, costing your business time, energy and money.
From start to finish, your emails exist in at least five places: on your device, on your network, on your email provider's servers, on your recipient's provider's servers and network, and on your recipient's device. Each is a point where the message can be read or changed.
Emails can also be compromised before you send them and after they arrive in your recipient's inbox if either of you isn't careful about protecting devices with strong passwords, patching, firewalls and other endpoint controls.
A simple and cost-effective way to keep a posted letter confidential is to write it in a code that only the recipient can read, and the same is true of email. Encryption transforms readable plaintext into ciphertext that is unreadable without the corresponding key.
In the digital age, computers use cryptographic algorithms to do this, producing ciphertext that is computationally infeasible to recover without that specific key.
There are two strategies for encrypting email: encrypting the messages themselves (end-to-end encryption, such as S/MIME or OpenPGP) or encrypting the network connections the messages travel over (transport encryption, such as TLS). The first keeps a message protected regardless of where it travels, including at rest on servers and on your and your recipients' devices.
However, encrypting individual messages can be time-consuming and messy: you need to obtain and verify a public key for everyone you send to, and they need yours. Even then, your email's metadata (sender and recipient addresses, subject line, date) remains in plain text for anyone on the path to read, because only the body and attachments are encrypted.
In contrast, transport encryption is much more streamlined: the connections between your mail client and your provider, and between mail servers, are protected with TLS, and keys are negotiated automatically using the servers' certificates. Everything sent over the connection, including your emails, is encrypted, but that protection ends as soon as your email reaches the mail server at the other end of each hop.
Emails are often stored in plain text on those servers, and if your recipient's provider or network doesn't use encryption, the message will be in plain text there too. Server-to-server encryption is also usually opportunistic (STARTTLS), so a mail server that cannot negotiate TLS with the next hop will typically fall back to sending in the clear. It is up to you and your IT team to determine what combination of message and transport encryption makes the most sense for your business.
Sender Spoofing
When your personal assistant sends you an email, you open it. You know the email is from your PA because their address appears in the "From" field, but SMTP has no built-in mechanism for verifying who a message really comes from, so there is no inherent reason to trust that the email is from your PA.
In truth, the "From" header is just text supplied by the sender, and it is trivially easy to forge: almost anyone can send an email that appears to be "from" somebody else.
This practice is called email spoofing, and it is a simple but effective way of infiltrating organizations. An attacker might spoof a senior employee's address and send a message to a junior employee, asking them to open an attachment.
Unbeknownst to that employee, the attachment contains malware that compromises the business network. Alternatively, attackers might spoof an email from IT, directing an employee to a fake login page where they are instructed to enter their corporate credentials. The attackers then hold valid credentials for business accounts.
You can't eliminate spoofed emails, but with email security tools you can reduce them. Stricter inbound filtering will catch more of them, and you can publish SPF, DKIM and Domain-based Message Authentication, Reporting and Conformance (DMARC) records in DNS. SPF lists the servers allowed to send mail for your domain, DKIM lets your servers sign outgoing mail, and DMARC tells receiving servers what to do with messages that claim your domain but fail both checks (monitor, quarantine or reject) and sends you reports about them. Note that DMARC protects your own domain from being impersonated; it does not stop an attacker using a lookalike domain or a free webmail address with a familiar display name, so filtering and user awareness are still needed.
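To make the spoofing and DMARC discussion above concrete, here is an added example (written for this page, not code from the original article or from any DMARC implementation) of the decision a receiving mail server makes once SPF and DKIM have been evaluated: it compares the domain in the visible "From:" header with the domains those checks actually authenticated, then applies the policy the sender's domain published. It goes slightly beyond the text by implementing both strict and relaxed identifier alignment. Everything it consumes is constructed and passed in: the SPF and DKIM results (no DNS lookups or signature verification are performed), the DMARC TXT record string, and the sample messages; `AuthResults`, `dmarc_disposition` and the `example.com` / `attacker.example` domains are assumptions of this example, and the organizational domain is approximated as the last two labels where a real implementation would use the Public Suffix List.

```python
"""DMARC-style disposition check for an inbound message (added example).

Assumes the receiving MTA has already run SPF and DKIM and fetched the
sender domain's DMARC record; those are passed in as constructed inputs.
"""
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr


@dataclass
class AuthResults:
    """Results of the checks the receiving MTA already ran (constructed here)."""
    spf_result: str   # "pass", "fail", "none", ...
    spf_domain: str   # domain SPF checked: the envelope MAIL FROM, not the From: header
    dkim_result: str  # "pass", "fail", "none"
    dkim_domain: str  # d= tag of a verified DKIM signature, "" if none


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s' into a tag dict.

    Missing adkim/aspf default to relaxed ("r") and p to "none", as in RFC 7489.
    """
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (real code uses the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def header_from_domain(raw_message: str) -> str:
    """Domain of the address in the RFC 5322 From: header (what the user sees)."""
    _, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    if "@" not in addr:
        raise ValueError("missing or malformed From: header")
    return addr.rsplit("@", 1)[1]


def dmarc_disposition(raw_message: str, auth: AuthResults, dmarc_txt: str) -> tuple:
    """Return (result, action): result is "pass"/"fail"; action is "accept" on
    pass, otherwise the record's p= policy. sp= and pct= are ignored for brevity."""
    record = parse_dmarc_record(dmarc_txt)
    from_domain = header_from_domain(raw_message)
    spf_ok = auth.spf_result == "pass" and aligned(from_domain, auth.spf_domain, record["aspf"])
    dkim_ok = auth.dkim_result == "pass" and aligned(from_domain, auth.dkim_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "accept")
    policy = record["p"] if record["p"] in ("none", "quarantine", "reject") else "none"
    return ("fail", policy)


# Constructed samples. The spoof sets From: to the CEO's address while the SMTP
# envelope (MAIL FROM), and therefore any SPF pass, belongs to the attacker's domain.
SPOOFED_MESSAGE = (
    "From: \"CEO\" <ceo@example.com>\n"
    "To: junior@example.com\n"
    "Subject: Urgent: open the attached invoice\n"
    "\n"
    "Please process the attached file today.\n"
)
LEGIT_MESSAGE = (
    "From: \"CEO\" <ceo@example.com>\n"
    "To: junior@example.com\n"
    "Subject: Q3 planning\n"
    "\n"
    "See you at 3pm.\n"
)
DMARC_EXAMPLE_COM = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    spoof = AuthResults("pass", "attacker.example", "none", "")
    legit = AuthResults("pass", "mail.example.com", "pass", "example.com")
    print("spoofed:", dmarc_disposition(SPOOFED_MESSAGE, spoof, DMARC_EXAMPLE_COM))  # ('fail', 'reject')
    print("legit:  ", dmarc_disposition(LEGIT_MESSAGE, legit, DMARC_EXAMPLE_COM))    # ('pass', 'accept')
```

The spoofed message passes SPF, but for the attacker's own domain, which is not aligned with the `example.com` shown to the user, so with `p=reject` the receiver should drop it; the legitimate message passes because its DKIM signature domain matches the header domain. This is exactly why DMARC only helps once the domain being impersonated has published a record with an enforcing policy, and why it does nothing against a lookalike domain the attacker controls and has set up SPF for.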
Email seems foolproof, but if you aren't careful, it can make a fool of your business. Just because a service has existed for decades and is integral to business operations doesn't mean it is secure.
Learn how to keep your emails safe, educate your staff and deploy security tools that reduce email-related risk.