How secure is email? The short answer to this question is – not secure enough, the long answer is a bit more complicated.
To begin to understand the question of email security, it is worth taking a trip back to 1971 and the world inhabited by Ray Tomlinson in Cambridge, Massachusetts when he sent the very first email to himself. It was a simpler time, Led Zeppelin topped the album sales, the internet was still some 12 years away, and, crucially, the first computer virus would not appear until 1986. Today cybersecurity is a vital business consideration, but in 1971 the concept of cybersecurity did not even exist.
The point here is that email, this most ubiquitous of tools, was built for a different world. For all the developments in technology we have witnessed, email has never really evolved. It is today, for the most part, the same tool that was used in 1971. While security measures such as encryption, two-factor-authentication, and VPN can help boost email security, there are still many dangers lurking within.
How Secure is Email – Security Risks
Email – to put it bluntly – is a hacker’s dream. In fact, research has shown that over 90% of cyber attacks occur via email. While email remains constant, cyber threats are evolving at an alarming rate. Any software security system is only as strong as its weakest link, and, for too many companies, email is the weakest link.
In answering the question of how secure is email – there are a number of email security risks companies must consider. Below is a list of some of the most common email security threats.
1. Phishing Attacks
Phishing is a form of social engineering where a hacker imitates a trusted entity and tricks a victim into opening a malicious email or text message. Once the victim opens the email, they will be taken to a fraudulent link which can contain malware or even ransomware. Businesses and individuals that fall victim to phishing or spoofing attacks can face devastating consequences such as the stolen data, financial loss, reputation damage, and a loss of customer trust. If you receive an email from an organisation with a link unexpectedly, for example without having just taken a previous action, such as an online application, you should contact that organisation before proceeding.
2. Attachment Risk
Companies who use email to collect documents from unknown or relatively unknown third parties are leaving themselves wide open to cyber attacks. Attachments, in particular, are a notorious danger area and have been used by cybercriminals to install ransomware, keyloggers, and even launch zero-day attacks. Even attempting to open a malicious attachment can be enough to install malware on a victim’s computer or network.
3. Domain Squatting
This attack occurs when cyber criminals register a domain name that seems reputable or is similar to an established organization. From there, attackers can send phishing emails from this domain to steal data or infect victim’s and organizations with malware.
4. Human Error
As you consider the question – how secure is email – you can not overlook the human factor. Even with added layers of security such as encryption and firewalls – there remains the potential for human error. Email addresses are entered manually and a simple typo can have unfortunate ramifications. Take, for instance, the process of sending and e-signing documents between organizations – entering the wrong email address here could mean highly sensitive documents falling into the wrong hands.
5. Non-Compliance Risk
The introduction of GDPR and other laws means that the way companies manage and store personal data is coming under increased scrutiny. Sharing personal data via email is a high risk policy and, in many cases, this data is forgotten about and stored on email servers which can result in GDPR non-compliance and potential fines. Worse still, if this non-compliant data was to be stolen, companies would face difficult questions about how or why this personal data was still on their email servers.
How Secure is Email – Email Security Best Practices
To mitigate the dangers posed by email, there are a number of email security best practices to follow.
1. Use Two-Factor Authentication
Most email service providers now offer the option to switch on two-factor authentication – which means adding a second authentication factor to the login process. An example would be to use a combination of password and a one-time code sent to the user’s phone via sms. Two-factor authentication is a simple but highly effective way to minimize the scope of attack.
2. Encrypt your emails
Encryption is an important part of email security. By encrypting your emails, you can go some way towards ensuring only the intended recipient of your email is able to read it. Without encryption, a hacker who intercepts an email would have access to the email’s content, with encryption the hacker would need a decryption key to access the intercepted email. There are different levels of encryption with end-to-end offering the highest level of security, and there are a number of different tools available for companies looking to strengthen their email security.
3. Run Employee Email Security Awareness Training
Much of the risk around email security boils down to human error. Mistakes such as mistyped recipient email addresses, opening dangerous attachments, and clicking malicious links are all avoidable. By incorporating email security awareness into employee training, employees will start to follow best practices and quickly spot any questionable emails and links that make it through to their inboxes.
4. Implement Secure Document and Information Collection Processes
One of the biggest security mistakes companies make with email is using it to collect documents and information. Email, while convenient, is not suitable for this purpose. An example would be the way many law firms still use email to collect personal data and documents from new clients – leaving themselves wide open for many of the issues we have already discussed such as lost personal data and opening attachments from relatively unknown sources.
Today, many companies are moving away from email as a data and document collection method and looking to tools that automate and secure this entire process. These tools, alongside numerous productivity benefits, help companies to remove a potential entry point for would-be attackers.
5. Install Antivirus Software
There are many advantages to using antivirus software – it can detect and eliminate viruses on your computer, block spam, protect files, and can also act as a preventative measure against future infection. In a situation where a victim opens a malicious email, the two-way firewall protection provided by some antivirus software solutions can block and remove harmful files.
6. Log out!
Last but not least, it is best practice to log out of your email at the end of your work day – a simple, yet highly effective step to protect you and your company. In a situation where a device is lost or stolen, a logged-in email account presents an additional set of problems.
Bonus Section: 5 Cybersecurity Experts to Follow
Email security, indeed, cybersecurity in general, is a rapidly evolving area. Cyber criminals are constantly evolving and figuring out new ways to attack. One way you can stay on top of email security is by following the leading minds in cybersecurity on their social channels. Below – in no particular order – are five experts we would recommend you follow as you weigh up the question of how secure is email.
Kevin Mitnick
@kevinmitnick
LinkedIn
Our first entry is the legendary Kevin Mitnick – who once hacked into dozens of major corporations, just to see if he could. Unfortunately, these exploits led to Kevin finding himself on the FBI’s Most Wanted list and going on to serve five years behind bars. Thankfully, Kevin’s insatiable curiosity and passion remained, and, upon his emergence from prison, he went on to become one of the world’s most trusted security consultants to the Fortune 500 and governments worldwide. Kevin’s expertise is regularly sought out by the media and he has written a number of books including the New York Times best seller ‘Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker’.
Shira Rubinoff
@Shirastweet
LinkedIn
YouTube
The great Shira Rubinoff is a groundbreaking cybersecurity executive, cybersecurity & blockchain advisor, global keynote speaker and influencer. She has built two cybersecurity product companies, and led the charge on a number of multiple women-in-technology efforts. Her YouTube Channel is a must-follow and is where she runs a regular Cybersecurity video series as well as sit down interviews with other experts in the space. Many leading Fortune 100 companies have turned to Ms. Rubinoff for guidance and vision in the area of cybersecurity.
Graham Cluley
@gcluley
LinkedIn
@SmashinSecurity
Fighting cybercrime since the 1990s, Graham Cluley is the host of the excellent Smashing Security podcast. As a highly influential figure in the cybersecurity world, Graham is regularly sought out by the media for his take on the latest developments. He has a background in programming and wrote the first ever version of DR Solomon’s Anti-Virus Toolkit for Windows and also spent time in senior leadership positions for companies such as Sophos and McAfee. If you want to keep on top of the latest trends in cybersecurity, Graham’s blog is a fantastic resource.
Brian Krebs
@briankrebs
LinkedIn
Having written extensively on the topic of cybercrime for the Washington Post from 1995-2009, Brian has established himself as one the world’s leading writers on the topic. His stated professional goal is to make the important computer security issues understandable, interesting, and timely for readers – a goal which he continues to deliver on in his excellent website KrebsonSecurity.com.
Dr. Magda Chelly
LinkedIn
@m49D4ch3lly
Dr. Magda Chelly is one of the most influential people in cybersecurity today. She has appeared on many TV and media outlets and appeared on the documentary, “The Dark Web”, providing insights into cybercrime. Dr. Chelly has also worked as a security leader at leading multinationals and now spends most of her time supporting chief information security officers in their cyber security strategy and roadmap. She is active on Twitter, keeping her followers up to date on the latest cybersecurity insights and is a must-follow for anyone who wants to stay on top of ever-evolving cybersecurity threats.
