Uncovering Email threats
Emails are extremely vulnerable. No large corporation, small business, or politician can guarantee their emails are safe.
91% of intrusions are committed via email.
Given its inherent weaknesses, it’s not hard to see why cybercriminals are constantly using email for WannaCry, Petya, and Lazarus attacks to penetrate victims’ infrastructures.
Legal Compliance and Gross Negligence
€20 million or up to 4% of annual global turnover as a fine, whichever is higher.
147 - The average number of active lawsuits against companies is striking (for $1 billion plus companies in the US).
The wrong choice of security solutions may lead to severe fines, imprisonment, and litigation.
IMPORTANT
GDPR Compliance
Companies may face severe penalties (up to €20 million) under the new EU GDPR (General Data Protection Regulation) for not safeguarding personal data.
Organizations are required to comply with the 'Privacy by Design' principle (Article 25) and must notify regulators any time a data breach takes place. That could happen literally any time an employee sends a Regular Email using a common SMTP. New GDPR regulations elevate SMTP and Email problems to boardroom levels in countries that accept GDPR laws (The European Union, Australia, and others).
SMTP
Email is inherently insecure by its very design because it is sent and received according to SMTP (Simple Mail Transfer Protocol).
This protocol sends Email content and attachments in Plain unencrypted text over the Public Internet, and this protocol is still used to send sensitive data.
This is one of the biggest challenges to privacy, data security, and GDPR, HIPAA, GLBA, and SOX compliance.
Network
Any confidential Email and its attachments are transferred as Plain unencrypted text via untrusted 3rd party mail relays (Public Internet).
Even if a connection was protected by HTTPS using SSL/TLS, all transferred data could be decrypted and stored or changed at the ISP (Internet Service Provider) or by mobile network operators in airports and coffee shops.
Additional encryption doesn’t completely remove the risks, either, as the message could still be collected for cryptanalysis.
“SMTP servers and clients normally communicate in the clear over the Internet. In many cases, this communication goes through one or more routers that are not controlled or trusted by either entity.”, P. Hoffman, Internet Mail Consortium, RFC 3207.
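The hop-by-hop exposure described above can be audited from a delivered message's own trace headers. The following is an added example, not part of the original page: it assumes each relay records the RFC 3848 "with" keyword (ESMTPS or ESMTPSA for a TLS-protected hop), and the message, addresses and hostnames are constructed.

```python
import re
from email import message_from_string

# Constructed sample message; all hostnames and addresses are placeholders.
SAMPLE = """\
Received: from mx.relay.example.net (mx.relay.example.net [203.0.113.7])
    by inbound.example.org with ESMTPS id abc123
    for <bob@example.org>; Mon, 01 Jan 2024 10:00:03 +0000
Received: from out.example.com (out.example.com [198.51.100.4])
    by mx.relay.example.net with ESMTP id def456;
    Mon, 01 Jan 2024 10:00:02 +0000
Received: from laptop.example.com (laptop.example.com [192.0.2.10])
    by out.example.com with ESMTPSA id ghi789;
    Mon, 01 Jan 2024 10:00:01 +0000
From: alice@example.com
To: bob@example.org
Subject: Q4 figures

body
"""

# RFC 3848 "with" keywords that record a TLS-protected hop.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)",
                    re.S | re.I)

def hops(raw):
    """Return (from_host, by_host, protocol, used_tls) per hop, oldest first."""
    msg = message_from_string(raw)
    result = []
    # Each relay prepends its Received header, so reverse for delivery order.
    for header in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(header)
        if not m:
            continue  # unparseable trace line: skip rather than guess
        proto = m.group(3).upper()
        result.append((m.group(1), m.group(2), proto, proto in TLS_PROTOCOLS))
    return result

def cleartext_hops(raw):
    """Hops where the relay recorded plain SMTP/ESMTP (no TLS)."""
    return [h for h in hops(raw) if not h[3]]

if __name__ == "__main__":
    for src, dst, proto, tls in hops(SAMPLE):
        print(f"{src} -> {dst}: {proto} ({'TLS' if tls else 'CLEARTEXT'})")
```

Only Received headers written by relays you operate are trustworthy, since earlier hops can forge theirs. A TLS hop protects the link only: the receiving relay still sees the message in plain text.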
Human
Human error is always the weakest link in an otherwise secure perimeter of any company. With the increased complexity of IT infrastructures and software, the cost of human error could be enough to take the entire company down.
SMTP and SSL vulnerabilities combined with human errors create nearly unlimited risks for data breaches. It is not surprising that 91% of attacks begin with Email.
Threat
Threats of Existing Solutions
Although many solutions claim to solve certain Email threats, there are numerous security and compliance holes that should be understood before using such solutions.
Lack of Encryption
A company's data might be stored in an unencrypted state.
Fines, Penalties and Legal Actions Against Executive Officers
According to many existing regulations, a company’s executive officers could be personally fined and imprisoned for noncompliance.
GDPR - Up to €20 million, or 4% of the worldwide annual revenue, whichever is higher.
SOX - Up to $5 million in fines, and individuals responsible can face up to 20 years in prison for noncompliance.
HIPAA - Up to $250,000 per incident, and individuals responsible can face up to 10 years in prison for noncompliance.
GLBA - Executive officers can be fined up to $10,000 for each violation and face up to 5 years in prison for noncompliance.
Ignoring Email threats Has consequences
Cyberattacks, data breaches, and leaks have ended the careers of many top executives. Again and again, headlines announce that yet another top executive has lost their position because they underestimated the severity of existing Email threats.
Threat
Major Email Threats
Email protocol weaknesses
No real encryption
Public Internet
Human error
Legal compliance
No Key Ownership
Cyberattacks