June 3, 2020
Email is insecure.
If you want to learn why you should consider encryption to secure emails, you may want to know where the threat comes from, to begin with. Such an approach will allow you to get things ahead of the curve and define the solution that will help to keep your business email correspondence protected.
In this quick series on How to Send Secure, Encrypted Emails (and Attachments), we will:
The sooner we realize our email accounts and data within it have to be protected, the sooner we start looking for the solution to secure sensitive information we share across-the-board via email.
But have you ever wondered what danger you put your company's confidential data at when sending an insecure email?
In terms of the ongoing communication and easy-to-use way of an exchange, Email is arguably the most reliable business partner for the majority of enterprises.
Hence, the role of email increases several times and becomes highly important when you cannot tell the identity of the sender’s mail address. This is especially true if you are dealing with sensitive information.
Though Email was invented to deliver messages and share big volume of attachments between communication parties,
It couldn’t ensure data security.
And, unfortunately, it cannot today.
It is crucial for further understanding of how information is being transferred nowadays. And to better acknowledge the overall role email security plays in modern business correspondence, firstly let’s state the email issues.
Although email security has been an issue from the moment SMTP protocol was designed in the distant 1982, the concerns about protection of confidential data have come into existence relatively recently.
And when they (concerns) erupted, many organizations had сlipped their wings.
The following are the examples of the most famous and outrageous data breaches.
Sony Pictures Inc. was damaged from a phishing attack back in 2014. Several executives clicked the link in the email and were redirected to the web page that criminals controlled. Hackers gathered Sony’s executives’ credentials and were able to access Sony’s internal network. By doing this, fraudsters stole 100 terabytes of sensitive data, and $100 million along with them.
The network of Democratic Party was hacked. Spear-phishing email campaign targeted the private mail servers of Hillary Clinton and email accounts of individuals associated with the presidential campaign of hers back in 2016. After gaining access to accounts, hackers stole 50,000 history emails with sensitive details.
In 2016, after the successful whaling attack on FACC Operations GmbH company (an Austrian manufacturer of spare parts for aircrafts), which cost FACC €50 million, the company had sacked both CFO and CEO. FACC fell victim to an email fraud, called Business Email Compromise attack (BEC), that aims on targeting high-level executives with forged emails asking for urgent payments.
In 2017, Equifax announced that its systems had been breached and the personal data of 148 million Americans had been compromised.
The data included names, home addresses, phone numbers, dates of birth, social security numbers, and driver’s license numbers.
The credit card numbers of approximately 209,000 consumers were also breached.
“Equifax did not see the data exfiltration because the device used to monitor [the vulnerable server’s] network traffic had been inactive for 19 months due to an expired security certificate.”
From the House Oversight Committee report
These types of cyberattacks continue to dwell in the high-risk industries, such as financial, real estate, insurance, and especially law and healthcare businesses, where lots of sensitive data is being sent unencrypted over the Public internet.
An unsecure email is the email in which content is transferred in plain text. Such emails are stored on a one mail server and transferred to the others through open email relays. That means that email contents can be easily exfiltrated, intercepted, exposed, and modified.
There are the weak points where emails can potentially be compromised:
Every unsecured -not to mention unencrypted- email is a potential target for an attacker: it takes only one unprotected server to gain access to your confidential information.
Every link and every connection in this chain must be secured. No exceptions.
Secure Sockets Layer is a protocol where two devices initiate an encrypted communication channel. In other words, the protocol secures email content in transit (at the same time the content itself isn’t encrypted.)
When SSL establishes a connection to a server (which supports SSL protocol), the browser requests an authentication certificate firstly.
Once the certificate is verified, computers negotiate on an encryption method to be used before secure connection to happen.
But SSL/TLS have drawbacks and aren’t completely safe:
Unfortunately, transport protocols aren't a solitary problem of unsecure email.
There are several attributes that determine secure email:
Nevertheless, all those attributes are negated with a single but crucial factor that indicates traditional Email is insecure — absence of cryptographic processing.
You might also be interested in:
Link copied to clipboard!