Is Your Email Secure?

By Randy Johnston

How safe is your email? How do you know the contents are being delivered securely and without modification? Worse, how do you know your email is not being used as a gateway to attack your clients? While reflecting on the statistic that 91% of attacks start with email, it is clear that many of you think your email systems are safe. Remember that email by definition is sent in clear text, like a postcard, and even with the server enabled secure hand-off, called TLS, not all email is delivered using these secure techniques. One layer of security was probably enough before most businesses and bad actors were connected to the Internet to protect secure information. Today, more is needed.

In the early days of computing, we did not have such broad access to the Internet as we do today. Our expectations include access to email from anywhere at any time. You also might conclude that because you are hosted on Office 365 email, that your email is safe and available at all times, but you may not have noticed that email can go offline during maintenance windows or can be unavailable during production hours for other reasons. Is access to your email, regardless of provider, always available, particular at time-sensitive deadlines? Safer, perhaps, but certainly not safe. Cars are safe, too, until they’re not. In the early days of cars, we didn’t have seat belts, break away cabins for crash protection or guard rails in the doors. Car manufacturers concluded that multiple layers of protection were needed. Do you need multiple layers of protection for your email?

What Are The Risks?

Since email messages are sent via the Internet, they can be intercepted in transit. Bad actors are now routinely trapping messages, creating fake messages that resemble the original, often in great detail including patterns that you normally use in your speech and writing styles. Although there are no reliable statistics to back up this claim, our conference and all day class CPA attendees have reported millions of dollars transferred from business accounts using these techniques in the past year alone. Typical reported losses are between $250,000 and $500,000. Outside experts estimate that there are over a billion dollars of losses through these techniques, which are often not reported because of potential reputation damage to the business. On the flip side, consider that if you are a hacker working these schemes from your parent’s basement. It only takes one success to be set for life. You may think a fraud like this can never happen to you, but consider how often you have driven a car. Have you ever had an accident?

Attacks that were common in the 1990’s, such as Microsoft Office macro virus attacks, are back again. When an Office document or PDF is sent to you, how do you know that it is safe? Consider your HR department. Isn’t it their job to request documents from a variety of people and sources that, by definition, are not currently known to your organization? All it takes is one email or one document to plant a link inside your systems that allows outside access. It does not matter whether you are cloud-based or have a premise-based network, you can get an infection from email attacks. Products that provide spam filtering, today, can scan these documents and clean them up before delivery. For example, Mimecast has a feature called Attachment Protect that does on-demand document conversion and pre-emptive sandboxing. This feature will look at a Word document, and automatically convert it to PDF format to eliminate the possibility of any macro viruses. After a safe review of the PDF, you can request the original document from Mimecast servers. This is safer, faster and better than a manual contact of the sender to confirm that the document you have received is legitimate.

Consider the training required to make sure users don’t click through malicious links. The median time to click on a link today is one minute, 22 seconds. 50% of people who click a link will do so in the first hour. Even with adequate training, users routinely make this mistake. What if you receive an email from a known associate or client with a link or a document? Do you have enough training in each user that no one will make the mistake of clicking when they should not?

We believe you are at risk if: 1) You have an M in your company name, which can readily be substituted for another letter like n. You showcase your senior employees, and put their information on your web site or have a marketing program where employees are frequently covered by the press. 2) You accept resumes on your website as part of your recruiting efforts, since documents submitted by nefarious players are frequently infected with malware. 3) You pay bills by wire transfer where your traffic can routinely be monitored by Internet tools and your credentials captured for later use. 4) You have a team in finance, since documents are frequently moved between teams in Microsoft Office or PDF format. 5) You have a LinkedIn profile where your information is publically accessible, and you have a policy of accepting all invitations since bad players can link to your account through an invitation. 6) Your life is deemed interesting enough to be on Facebook, providing hackers much of the information they need to compromise your business network or personal accounts. If you have already seen a LinkedIn invitation where “Sorry, this profile couldn’t be displayed” has appeared, it may already be too late for you, since you have witnessed a bad actor attempting to social engineer your identity. Spear phishing and whaling, that is going after bigger executive targets, are very well researched today.

What Are The Solutions?

Your organization has to choose and implement email protection. This can come in a variety of forms. We suggest that encryption and email filtering are the current minimum best practices to have in place. It is wiser to have a comprehensive email security system. Much discussion revolved around spam control ten to fifteen years ago, and the number of providers and options in this area have been reduced drastically. In fact, many of you have been informed you must switch products because of a discontinuance. Email filtering goes beyond spam protection by providing three layers of email security: 1) checking URL (links) dynamically to prove zero-day attack protection and data loss prevention (DLP), 2) having active attachment protection, and 3) having impersonation protection to detect malware and phishing attempts in addition to the more traditional key word checking. One example of a provider that solves multiple problems is Mimecast. Their service has various features built in with options to add even more protection. You can start with comprehensive email protection, and expand the coverage of the product to include automatic email signature and disclaimer information, email and instant message archiving and more. Mimecast’s cloud-based solution is available for Office 365, premise-based Exchange and Google Suite. Further, Mimecast provides a 100% SLA on email availability; meaning that when your primary email is unavailable for some reason, particularly during mission critical deadlines, you still have access to email through Mimecast’s servers. On the other hand, you can choose products that do one task, such as Zix for email encryption, or a product that does a few tasks such as Reflexion that does spam filtering and encryption, but neither of these products has all of the layers for protection that Mimecast has available. Other vendors, such as Symantec, will try to expand their coverage from anti-virus to include more features, but these products will typically slow performance of key products such as tax or accounting software.

Studies on akrasia have shown that we act against one’s better judgment on our future self and have done so since ancient Greek times. The main error you can make on email protection is the one that stops you making the decision to protect yourself. While you can keep your head in the sand, it won’t help you stop yourself from being the next big data breach. Applying at least three layers to your email security strategy is the only way to stop yourself from being the next big breach, unless, of course, you are comfortable with the single protection of sitting in a car with no doors, roof, or seatbelts, on a frantic freeway.

Randy Johnston is a K2 Enterprises Shareholder. K2 provides technology CPE for your state society in the form of technology conferences, all day courses and webinars. Mr. Johnston has been advising technology publishers and consulting clients for over 40 years.