In the last decade, the world of cybercrime has been a growing industry. Per the Official 2019 Annual Cybercrime Report performed by the Herjavec Group, cybercrime is projected to create global costs of $6 trillion, a cost increase of 100% in just five years. In response to this growing and evolving threat, companies have been forced to look for vulnerabilities in their perimeter defenses, and then enact further security controls.
A common theme of such assessments has been that the most exposed area of any company is their email security. So, if you’re looking to revamp your cybersecurity, a great place to start is with your email. To that end, below we’ll discuss the particular threats shoddy email security poses to your business and recommended steps you can take to better protect it, including email encryption.
Read on to find out ways to improve your email security.
Your Chief Security Problem
As data breaches have become a mounting problem, companies are understandably troubled by all the potential gaps in the line. And since, in their minds, each one represents a potential doorway through which hackers could enter and thus gain access to systems and vital data, many businesses make the mistake of viewing all of these vulnerabilities as equal concerns, with each requiring its due attention.
While there’s something to be said about shoring up defenses, all too often businesses ignore or downplay the most glaring security threat—their employees.
Regardless of the industry you inhabit, there’s a universal cybersecurity truth that applies to just about every business: employees are the primary security problem. Rarely is this due to malicious actions; instead, it’s typically the result of employee negligence, inattention, or incompetence. To that point, the Ponemon Institute’s 2018 State of Cybersecurity in Small and Medium Size Businesses had this to say about the security threat employees pose:
The risk of negligent employees and contractors causing a data breach or ransomware is getting worse. Sixty percent of respondents in companies that had a data breach say the root cause of the data breach was a negligent employee or contractor, an increase from 54 percent in 2017. Sixty-one percent of respondents say negligent employees put their company at risk for a ransomware attack, an increase from 58 percent of respondents in 2017.
Typically, employee negligence is the result of flawed thinking. They presume that nightmares like data breaches only happen to other outfits. Such attitudes result in bad practices:
- Weak passwords that remain static
- Clicking on suspicious links
- Accidentally downloading malicious apps
- Bringing their own devices to work
- Sharing files on personal devices over the cloud
- Using work devices on public Wi-Fi
The Threat of Email
Email is an especially dangerous security vulnerability that many businesses fail to adequately protect, despite the fact that it’s often a business’s primary form of communication. Without fail, it’s the primary area where employees, time and again, inadvertently open up the sally ports to the invading hordes. Not to mention that each message could potentially contain:
- Sensitive messages
- Employees’ personal information
- Customers’ vital data
- Proprietary intellectual property
To make matters worse, with an email, both the inbox and the sent messages themselves present lurking security problems. You have to guard against both direct attacks and message interception. As a result, both of these potential threats need to be addressed.
The most common form of email attack lies in your inbox, particularly in the form of a phishing scheme. At its essence, a phishing attack involves a scammer sending emails to trick your employees into providing them with personal information such as bank information, social security numbers, account numbers, or passwords.
On the surface, these messages will look like a legitimate, familiar company such as a bank, credit card, Google partner, or social media site. Per the Federal Trade Commission, common phishing attacks will:
- Say they’ve noticed some suspicious activity or login attempts
- Claim there’s a problem with your account or your payment information
- Say you must confirm some personal information
- Include a fake invoice
- Want you to click on a link to make a payment
- Say you’re eligible to register for a government refund
- Offer a coupon for free stuff
While modern email applications do a fairly decent job of safeguarding you from such attacks, typically by filtering phishing emails into spam, they’re not infallible and may have issues detecting newer or more sophisticated plots. Further, employees still have the ability to enter into spam and click away, which is yet another reason why employee education is so critical.
Man in the Middle Attacks [MitM]
MitM attacks are a common form of transit snooping, wherein a third party intercepts and reads the information contained within a message while it is in transit. Such spying not only exposes your business to having vital or proprietary information stolen or released early, but it also provides hackers with a framework to build out a form of phishing known as “spear phishing.” Simply put, this is a targeted attack wherein the hacker gains enough establishing or verifiable information to reliably pose as if they were a contact in your network.
These days, there are two primary forms of MitM attacks:
- Proxy intercept – The most traditional of the MitM attacks, it necessitates that the hacker gains access to your router and then sets their device as a proxy, which will then also receive anything you send out.
- Man in the browser [MitB] – Similarly, MitB attacks rely on malware that, unbeknownst to the user, is already loaded onto their personal computer or mobile device, likely via a phishing attack. The malware then dredges up account or financial information.
Improving Your Security Through Email Encryption
There are a variety of actions you take on a daily basis to obfuscate or protect your personal property from theft. For your home, this might involve adding locks on doors, a wall or fence around the property, blinds on windows, and cameras around the perimeter. Although these things may do little against a person who’s determined to get in, they will likely deter the vast majority of those who might otherwise consider entering your premises.
But how does it work?
According to Lifewire, “the way typical email encryption works is that you have a public key and a private key (this sort of encryption is also known as Public Key Infrastructure or PKI). You and only you will have and use your private key. Your public key is handed out to anyone you choose or even made publicly available.”
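The key roles in that description, as an added example (not code from the original article or from Lifewire): a message is encrypted with the recipient's public key and opened with the recipient's private key, while a signature is made with the sender's private key and checked with the sender's public key. It uses textbook RSA over constructed keys purely to show the roles; the names ALICE and BOB and all function names are assumptions, and real mail encryption such as PGP or S/MIME adds padding, hybrid encryption and far larger keys.

```python
import hashlib

# Textbook RSA for illustration only: no padding, toy key sizes.

def make_keypair(p, q, e=65537):
    """Return (public, private) key tuples for the modulus n = p * q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # pow(e, -1, phi) needs Python 3.8+

def encrypt(message: bytes, recipient_public) -> int:
    n, e = recipient_public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)

def decrypt(ciphertext: int, recipient_private) -> bytes:
    n, d = recipient_private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def _digest(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, sender_private) -> int:
    n, d = sender_private
    return pow(_digest(message, n), d, n)

def verify(message: bytes, signature: int, sender_public) -> bool:
    n, e = sender_public
    return pow(signature, e, n) == _digest(message, n)

# Constructed sample keys from known Mersenne primes (never use such keys for real mail).
BOB_PUBLIC, BOB_PRIVATE = make_keypair(2**61 - 1, 2**89 - 1)
ALICE_PUBLIC, ALICE_PRIVATE = make_keypair(2**107 - 1, 2**127 - 1)

if __name__ == "__main__":
    note = b"Q3 forecast: -4%"                  # constructed sample message
    sealed = encrypt(note, BOB_PUBLIC)          # anyone can do this with Bob's public key
    signature = sign(note, ALICE_PRIVATE)       # only Alice can produce this
    print(decrypt(sealed, BOB_PRIVATE))         # only Bob's private key recovers the text
    print(verify(note, signature, ALICE_PUBLIC))
    print(verify(b"Q3 forecast: +4%", signature, ALICE_PUBLIC))  # altered text is rejected
```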
Benefits of employing such a security system include:
- Keeps private information safe – As mentioned, work emails can contain troves of valuable private data or trade secrets. Therefore, it’s imperative that you ensure that the only person who sees that information is the person you intended to.
- Prevents spam – Spam is the primary carrier for phishing attacks and malware. When you use encrypted email, the messages have a digital signature that shows that everything contained within, including attachments, is authentic.
- Saves time and money – When you use encrypted email, additional security steps become moot. It eliminates the need for multiple expensive email security programs and time-wasting protocols.
- Regulation compliance – Most every industry has a series of regulations that must be adhered to when it comes to storing, using, or sharing private information, particularly if you exist within the healthcare industry. These might include:
Should a hacker get ahold of private information, that could be a violation of those standards, which could result in a serious fine or punitive action.
Forms of Email Encryption
Today, there are two primary forms of email encryption, both meant to address inbox threats and/or MitM attacks. These are:
- End-to-End Encryption – With this form of email encryption, the message is encrypted before it is ever sent out. Once sent, it will remain in an encrypted state, rendering it impenetrable, until it has been delivered to and opened by the recipient user who has been given the public access key. Only with this key can they decrypt the message and thus reveal its contents.
As you might imagine, an issue with such a method is that you need to create the public and private key pairs and then share them with anyone who desires to email you. Because of this, most businesses will only use such measures for mainstay clients or for extremely sensitive information.
- Transport Layer Encryption – The most popular form of email encryption protocol is known as STARTTLS. This is “A protocol command, that is issued by an email client. It indicates, that the client wants to upgrade existing, insecure connection to a secure connection using SSL/TLS cryptographic protocol. STARTTLS command name is used by SMTP and IMAP protocols, whereas POP3 protocol uses STLS as the command name.”
With this form of encryption, the message is protected at the transport layer, while it is in transit. Should both the sender and receiver be using applications such as Gmail which support encrypted communication, MitM attacks are rendered useless, so long as the parties’ devices can verify one another’s certificates.
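One way a sending script can apply this, as an added example (not code from the original article): upgrade the SMTP connection with STARTTLS, verify the server certificate, and stop rather than continue in cleartext if either step fails. The function open_verified_smtp, the TLSRequired exception, the smtp_factory parameter and the host mail.example.com are assumptions made for this example; smtplib and ssl are Python standard-library modules.

```python
import smtplib
import ssl


class TLSRequired(Exception):
    """Raised when a verified TLS session cannot be established."""


def open_verified_smtp(host, port=587, smtp_factory=smtplib.SMTP):
    """Connect, upgrade with STARTTLS, and fail closed if that is not possible.

    smtp_factory exists so the logic can be exercised offline; it defaults to
    smtplib.SMTP and must return an object with the same methods.
    """
    # create_default_context() turns on certificate-chain and hostname checks.
    context = ssl.create_default_context()
    conn = smtp_factory(host, port, timeout=10)
    try:
        conn.ehlo()
        # STARTTLS can only be issued if the server lists it in its EHLO reply.
        if not conn.has_extn("starttls"):
            raise TLSRequired(f"{host} did not offer STARTTLS; refusing cleartext")
        try:
            conn.starttls(context=context)
        except ssl.SSLError as exc:  # includes certificate verification failures
            raise TLSRequired(f"{host} failed TLS verification: {exc}") from exc
        conn.ehlo()  # re-read the server's extensions over the encrypted channel
        return conn
    except Exception:
        conn.close()
        raise


if __name__ == "__main__":
    # mail.example.com is a placeholder host; replace it before running.
    try:
        session = open_verified_smtp("mail.example.com")
        print("TLS established:", session.sock.version())
        session.quit()
    except (TLSRequired, OSError) as err:
        print("not sending:", err)
```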
Additional Steps You Can Take to Improve Email Security
Besides employing encrypted email protocols at your workplace, there are several things that you and your employees can do to prevent cybercrime. Such actions include:
- Use secure passwords and update them frequently – Although it may be an inconvenience to change your password regularly, doing so is one of the best ways you can prevent a hacker from compromising your system. Per the previously mentioned Ponemon study:
Passwords are often compromised or stolen because employees use weak passwords. Forty percent of respondents say their companies experienced an attack involving the compromise of employees’ passwords; the average cost of each attack was $383,365.
Consider requiring the following:
- Employees change password every 90 days
- Employees are forbidden from writing down their password on their desk
- Password should be at least 10 characters long with a number and special character
- Passwords should not be easily guessable like “1Password!”
- Install antivirus software on every device – This is security 101, but it can’t be emphasized enough how crucial such programs are. They are your first line of defense; they won’t stop everything, but they’ll slow down the tide. Popular antivirus programs include:
- Avoid the spam – It’s crucial that you pound the message into employees’ heads; they are to neither open up spam messages nor reply to them. The only interaction they should ever have with the spam folder is to empty it periodically.
- Forbid BYOD – Recently, many businesses have decided to completely disallow employees from bringing personal devices to work or using them on the network. Taking such an action eliminates a large swath of potential Trojan horses simply waiting to gain access to your system and Wi-Fi network.
- Prevent data leakage – Whenever possible, avoid conveying sensitive information via email; instead, mail it, share it over the phone, or share it via Google Drive.
- Be wary of attachments – Although this point is unnecessary if you are using email encryption, it’s helpful to practice it in your personal life. If you are not expecting a message, particularly one with an attachment, be sure to verify who the sender is prior to opening. Once it has been clicked on, Pandora’s box is open.
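The password requirements listed above, expressed as a check (an added example, not part of the original article). The violation names, the small denylist and the character substitutions are assumptions chosen for illustration; the article's own example “1Password!” meets the length and character rules and is caught only by the guessability test.

```python
import re
from datetime import date, timedelta

MIN_LENGTH = 10                      # "at least 10 characters long"
MAX_AGE = timedelta(days=90)         # "change password every 90 days"
# Constructed sample denylist; a real deployment would load a large common-password list.
COMMON_WORDS = {"password", "welcome", "qwerty", "letmein", "admin", "company"}
# Common digit/symbol substitutions mapped back to letters (assumed set).
SUBSTITUTIONS = str.maketrans("0134578@$", "oieastbas")

def base_word(password: str) -> str:
    """Reduce a password to the word it is built on, e.g. '1Password!' -> 'password'."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())  # drop padding at both ends
    return re.sub(r"[^a-z]", "", core.translate(SUBSTITUTIONS))

def policy_violations(password: str, last_changed: date, today: date) -> list:
    """Return the list of rules the password breaks (empty list means compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if not re.search(r"\d", password):
        problems.append("no_number")
    if not re.search(r"[^A-Za-z0-9\s]", password):
        problems.append("no_special_character")
    if base_word(password) in COMMON_WORDS:
        problems.append("easily_guessable")
    if today - last_changed > MAX_AGE:
        problems.append("older_than_90_days")
    return problems

if __name__ == "__main__":
    today = date(2024, 6, 1)         # constructed dates and passwords
    for pw, changed in [("1Password!", date(2024, 5, 1)),
                        ("P@ssw0rd2024!", date(2024, 5, 1)),
                        ("Tr4vel-lamp-Ocean", date(2024, 1, 2))]:
        print(pw, policy_violations(pw, changed, today))
```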
Email Encryption and Cyber Security
If a hacker gains access to your system, that could result in myriad problems for you, costing you time, money, and, most importantly, client trust. Therefore, it behooves you to go out of your way to ensure that your network is safe and secure and that your employees are acting in compliance with the best security practices.
There is a surfeit of actions you can take to shore up your virtual defenses; email encryption is but one of many safety mechanisms at your disposal. If you need help with this or guidance in the engagement of additional layers of cybersecurity, RSI Security stands ready and waiting to help, should you but ask. So, reach out today and the team at RSI Security will do everything in our power to ensure that your business can withstand the devious machinations of cybercriminals.
Herjavec Group. 2019 Official Annual Cybercrime Report. https://www.herjavecgroup.com/wp-content/uploads/2018/12/CV-HG-2019-Official-Annual-Cybercrime-Report.pdf
Ponemon Institute. 2018 State of Cybersecurity in Small & Medium Size Businesses. https://keepersecurity.com/assets/pdf/Keeper-2018-Ponemon-Report.pdf
FTC. How to Recognize and Avoid Phishing Scams. https://www.consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams
Bradley, T. Why You Should Encrypt Your Email. (2019). https://www.lifewire.com/you-should-encrypt-your-email-2486679
Limilabs. SSL vs TLS vs STARTTLS. https://www.limilabs.com/blog/ssl-vs-tls-vs-starttls-stls