There’s a tendency to believe that the dangers of email hacking are mostly hype. If you’re anything like me you look over the fairly pedestrian contents of your inbox and wonder why anyone would even bother trying to get at them. Are complicated passwords really necessary to protect messages about work flows and projects that could only really interest the people working on them? If you’re running a business, every dollar already has two jobs to do. Does it really make sense to spend money on consultants and software to protect emails?
In fact, one of the biggest risks to company data is the masses of unstructured information that’s held in emails and other communications. Emails themselves are at risk, and so are documents attached to them. Additionally, the body text of work emails can contain the information needed to hack other business systems.
Email is the oldest communication system you’ll probably use today – even your mobile phone basically uses the same tech as Skype and few of us use landlines much, but email is over 40 years old. When it was conceived, cybercrime was science fiction, so security wasn’t top of mind. As a result email is wildly unsecure. The contents of emails travel across the internet in plaintext, meaning anyone who intercepts them can read them without any special effort, just like picking up a postcard; no envelope means no privacy, which for businesses means no protection
What can you do to protect your company from cybercriminals preying on the vulnerabilities of email?
1: Encrypt your emails!
You can write your emails in a complex code known only to you if you like, but most of us will need something a little less tinfoil-hat. Try PGP or S/MIME. PGP stands for Pretty Good Privacy, and it is pretty good, and easy to set up, though it has the defect that it’s not very easy to integrate with standard corporate email apps like Outlook. S/MIME is Secure/Multipurpose Internet Mail Extensions, and the good news is it’s also fairly easy to set up and it integrates well with corporate systems. Sadly the bad news is that it’s certificate based, and each user needs their own, independently-verified certificate. That can become time-consuming and expensive.
These two methods are called Public Key Infrastructure-based encryption, have been around for a long time and have never really caught on. What else is there?
Portal email systems use a secure portal system. You go to the portal and pull your email rather than having it ‘pushed’ to your email address in plaintext – an inconvenience which explains why you’ve probably used this method at your online banking service and nowhere else. Some managed IT providers offer email encryption services, and there are commercial encryption services available that plug directly into email apps, like Voltage for Gmail or Sophos for Outlook.
Other options include restricting email usage to non-critical data and attaching encrypted files to the messages, both of which are constricting. For the majority of businesses, either cloud encryption as part of your IT as a service or third party encryption software is probably the most appropriate method.
