Why it’s time to rethink email security

Should members of the U.S military who click on phishing emails be court-martialed? Admiral Michael Rogers thinks so. As director of the National Security Agency, he’s dealing with a hack of the Pentagon’s Joint Staff network that was enabled by four people who fell for phishing emails.

“When I looked at the email, I said: ‘Why would you have opened this? It makes no sense,’” Adm. Rogers recently told The Wall Street Journal. “And the answer I got was: ‘It was early in the morning. It was a Monday. I’m just blowing through my emails.’

“If someone had said to me: ‘Hey, it’s lonely on post. It’s the middle of the night out in the middle of nowhere. I just pulled my gun out because I wanted to quick draw,’ we would never accept that. So why are we willing to accept this kind of behaviour in the cyber world?”

That blunt assessment should be food for thought for any organisation that uses email – in other words, everyone. Email’s ubiquity enables hackers to cast a wide net, and, as the Pentagon example shows, the sheer volume of messages most workers receive increases the chances that phishing and other attack methods will succeed.

But there’s another key aspect that many CIOs, CSOs and IT managers overlook: email is a gold mine of information that facilitates a wide variety of subsequent attacks. For example, a new employee might use email to provide HR with her dependents’ names and Social Security numbers. That information enables identity theft. Less obvious is how it also opens back doors to personal and professional data if she uses those names as passwords or as responses to security challenges. The risks multiply even further if HR sends her links to set up employer-related accounts for everything from health insurance to the corporate LAN.

It gets worse: most people don’t delete messages once they’ve sent them, which means the confidential personal and professional information they contain is there for the taking for any hacker who manages to get in. This confidential information in email could linger for months, years or forever, depending on whether her employer’s IT policies automatically purge messages after a certain time (if they purge at all). She’ll also probably archive HR’s messages so she has those links and other information handy, which means more valuable data for hackers.

If that sounds scary, it is. But practically every week, there’s a headline about a high-profile email hack, which shows that too many enterprises, government agencies and other organisations are growing complacent or simply desensitised. That increases the likelihood that they’ll eventually make headlines, too – or even have a law nicknamed after their organisation because the breach was too big and too embarrassing for Congress to ignore.

Hyperbole? Imagine a hack of thousands or millions of patient accounts that was enabled because a single internal email contained that database’s login information. Actually, you don’t have to imagine it because it’s happened so many times. One example is the University of California Davis Health System, where a single physician’s email account stored 1,326 patients’ information. They’re now among the roughly 39 million patients nationwide whose health information has been hacked so far, according to the Department of Health and Human Services.

How to Fight Back

The good news is there’s no shortage of proven technologies and best practices for securing email and, in turn, all of the databases, networks, accounts and other things that those messages touch. These technologies and practices are applicable and effective in nearly every vertical, and in many cases, they’re becoming must-haves to ensure compliance with laws such as HIPAA and SEC regulations.

Encryption should be at the top of the list. It’s ironic: organisations typically back up their email servers because they recognise that the information they contain is so important to their operations, yet they frequently don’t go a step further to encrypt that valuable data.

Ideally that encryption should be applied end to end: when messages are in transit and when at rest on servers and devices such as desktops and laptops. Don’t overlook tablets and smartphones, which are the preferred, or sometimes only, devices that employees use for email. In fact, the proliferation of mobile devices in the workplace exponentially increases the need for technologies such as encryption. One reason is because unlike desktops, tablets and smartphones are portable and thus easily lost or stolen. On-device encryption secures the messages they store.

Organisations also should look for mobile device management (MDM) platforms that can remotely lock and erase lost and stolen phones and tablets, as well as enforce security policies. For example, when employees open an email attachment on their mobile device, that document often is then stored in RAM. An MDM platform could be used to enforce a policy that prevents email attachments from being stored on the smartphone or tablet so they can’t be accessed by someone who finds or steals the device.

By minimising the chances that email and other systems will be breached, an MDM platform can save organisations a significant amount of money, such as legal fees, compensation for affected customers and marketing to restore a sullied brand (or even to maintain brand status quo). Industry- and country-specific regulations can further increase an MDM platform’s ROI when it’s used to enable compliance. Two examples are financial services firms and health care providers that use MDM platforms to securely archive messages such as trade orders and prescriptions.

No one wants someone else peering into their email. But without security, privacy cannot exist. By securing their email, organisations can provide the privacy that they and their employees want – and that hackers hate.

K Royal, Vice President, Assistant General Counsel, CellTrust Corporation