How frequently do you get suspicious emails in your inbox? And how many times have you been a victim of malware or a virus sent via an email attachment?
With the evolution of email from strictly interpersonal communication to include other uses, such as task notifications and brand advertising, many users can probably say this has happened to them at least once in their lives.
Email as an enterprise security risk
The sheer volume of emails sent and received every day presents an extensive ground for security threats.
According to The Radicati Group, Inc.’s Email Statistics Report, 2015 – 2019:
- There were over 205 billion emails sent and received per day in 2015 alone. This figure is expected to grow at an annual rate of 3%, reaching over 246 billion emails by year-end 2019.
- Of the 205 billion, a total of 122 business emails were sent and received per user per day, proof that email remains the primary communication channel in the office.
So just imagine how much sensitive information is being passed through those messages that, if disclosed to unauthorized recipients, could pose significant risks to a company or organization.
Regardless of how you send emails, i.e., desktop client, web email, or mobile app, email security risks are widespread. These are not limited to the ever-present spam messages you get in your inbox, which oftentimes are nothing more than a nuisance. There are other ways in which email security can be compromised.
The more sophisticated forms can include:
- Phishing
Phishing is designed primarily to steal money from a user. Cybercriminals pretend to be your bank or another trustworthy entity, then dupe you into giving out private information like usernames, passwords, and credit card details.
Sometimes, they even ask for cold cash.
- Malicious code
Malicious code often poses as an executable application (.exe file) that auto-activates on your device and takes on various forms. Once it is executed, a cybercriminal gains unauthorized access to the attacked system, which can then expose sensitive enterprise data.
What’s more, not all antivirus software may detect malicious code.
- DDoS (distributed denial of service) attacks
Email can be used by attackers to spread malicious software. An infected system is then remotely controlled to overwhelm a target server with huge volumes of traffic, causing it to shut down.
In other cases, email bombs may be sent to an email address in an attempt to overflow the mailbox or cause the email host server to crash.
- Insider threat
An insider threat is a malicious hacker who may be a legitimate (disgruntled or former) employee, or an outsider with false credentials. They aim to cause harm to the enterprise through the introduction of viruses, worms, or malware.
Others hack a system to obtain proprietary data which, in turn, can be used for personal gain, monetary or otherwise.
According to Dr. Eric Cole, a SANS faculty senior fellow, “most insider attacks to enterprises are accidental, not intentional.”
Since infiltrating a system from the outside won’t always be easy, what cybercriminals do is trick an employee into giving out sensitive information via social engineering. Unwitting victims or insiders are then persuaded into running email attachments containing malware or clicking on infected web links.
That email security threat called human error
But while most entities look for flexible solutions to meet the growing need for email security, one fact is often overlooked:
Accidents can and do happen.
Data breaches are sometimes caused by human error, e.g., accidental data leakage from outgoing emails.
A post in the SafeSend blog calls outbound emails the “chink in our security armor” and “a gaping hole in our protection,” stating that security measures are often applied to inbound emails, overlooking the fact that outgoing emails are vulnerable, too.
In its 2015 Data Breach Investigations Report, Verizon cites misdelivery as the most frequent error when it comes to accidental proprietary data disclosures, at 30.6%, followed by capacity shortage at 29.5%.
The report further states that over 60% of incidents are attributable to errors made by internal staff and system administrators.
More than embarrassing, the results can be disastrous. Take the case of Gwent Police in 2010, when one of their officers unwittingly sent an unencrypted spreadsheet containing the results of criminal records checks to a journalist.
And then, there’s the case of US presidential aspirant Hillary Clinton. You may have heard of her alleged misuse of email correspondence when she was the Secretary of State. Clinton is said to have mishandled sensitive information when she used her private email server rather than the official State Department’s.
In a recent Washington Post report, the State Department publicly acknowledged that the emails that passed through the private server contained “top secret” information.
How to protect yourself and your organization
So how can we protect ourselves from email security threats and blunders? There are a number of useful resources on the web that present suggestions on how we can.
The Federal Communications Commission lists some guides on how to protect yourself online, especially from phishing and online scams. Among the steps listed are:
- Never responding to spam
- Disabling the auto-download feature for email attachments
- Considering using two email addresses: one for companies or groups you do business with, another strictly for personal use
- Using the bcc line when sending a message to a group of people who don’t know each other to protect their addresses
Another valuable step to safeguarding your email is to encrypt your files before attaching and sending them out. But be sure to share encryption passwords safely.
This article on information security suggests that password sharing by phone, text message, or in person is more secure than email. Just ensure you’re calling the right person or sending the message to the right number.
PCWorld also provides a step-by-step guide on how to encrypt your email.
Other security measures include:
- Rigorous archive and backup processes
- Use of anti-spyware, anti-virus, and anti-malware programs and firewalls
- Running applications that are common malware gateways (email clients and web browsers) in separate virtual machines, as Dr. Cole suggests
- Using software that forces you and your staff to confirm an outgoing email’s attachments and external recipients
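The last measure in the list, sketched as an added example (not code from the article or from any product it mentions): a pre-send check that parses an outgoing message and reports the external recipients and attachments a sender should confirm. The `INTERNAL_DOMAINS` set, the exact-match domain rule, and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string, policy
from email.utils import getaddresses

# Assumption: the organization's own mail domains (exact match only).
INTERNAL_DOMAINS = {"example.com"}

# Constructed sample message, not taken from the article.
SAMPLE = """\
From: alice@example.com
To: Bob <bob@example.com>, reporter@news.example.org
Cc: carol@example.com
Bcc: dave@partner.example.net
Subject: Check results
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

See attached.
--BOUND
Content-Type: text/csv
Content-Disposition: attachment; filename="results.csv"

name,result
--BOUND--
"""

def review_outgoing(raw, internal_domains=INTERNAL_DOMAINS):
    """Return what the sender must confirm before the message leaves."""
    msg = message_from_string(raw, policy=policy.default)
    # Collect every recipient header, including Bcc, which is easy to forget.
    headers = [str(h) for name in ("To", "Cc", "Bcc")
               for h in msg.get_all(name, [])]
    external = set()
    for _display, addr in getaddresses(headers):
        domain = addr.rpartition("@")[2].lower()
        # An address with no recognisable internal domain counts as external.
        if addr and domain not in internal_domains:
            external.add(addr.lower())
    attachments = [part.get_filename() or "(unnamed)"
                   for part in msg.iter_attachments()]
    return {
        "external_recipients": sorted(external),
        "attachments": attachments,
        # Hold the message if anything leaves the organization or carries a file.
        "needs_confirmation": bool(external or attachments),
    }

if __name__ == "__main__":
    print(review_outgoing(SAMPLE))
```

A mail client add-in or outbound gateway would show the returned lists to the sender and send only after explicit confirmation.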
Bottom line, no matter how strict your deadline is or how urgent the need to send a document, it’s better to spend a few seconds safeguarding your enterprise data than face the irreparable consequences of a security breach by accidental disclosure.
Also remember to not completely put your trust in the auto-complete feature. Double-check those recipients – and attachments, too – before clicking the Send button.
*Jasmin Kabigting also contributed to this article.