Email is the weak link

July 2017 Editor's Choice, Information Security, Security Services & Risk Management

Email remains any firm’s most important business tool, and 43-trillion emails are sent annually, with company employees each receiving about 100 daily. Yet it is one of the weakest links in terms of cybersecurity.

“The problem with email is that it was not designed to be secure. It was designed to be easy to use,” says Dr Aleksandar Valjarevic, head of professional services at LAWtrust. “Even as technologies used by businesses change and evolve, such as web-based portals and cloud-based services, email is not going away and it has not changed.”

The weak security that is inherent in email makes it one of the top five business risks that a company could face, because of the type and volume of information exchanged every day.

Cybersecurity dominated the news recently with an unprecedented attack from a ransomware worm.

It is threats such as these that makes email what cybersecurity professionals describe as ‘target rich’. This is similar to language used in warfare and means that an attacker has superior means to attack a high number of attractive and poorly defended targets all at once. To be clear, targets are your sensitive and private data, trade secrets, business plans, and the list goes on.

Recent research by the Radicati Group, a technology market research firm, shows that on average, people receive about 100 emails a day. The risks posed by email are often poorly understood within organisations or poorly managed, with low compliance to what are sometimes good IT policies.

“If you think about the information you receive and share on a moment-to-moment basis with people inside and outside your company – maybe pricing direction on a tender, or even your personal information may be in an email for an insurance claim, you will realise how rich the data is and how attractive it is for cyber criminals,” says Valjarevic.

Not if, when

Once the information in the email is compromised, it can wreak havoc with a business and someone’s personal life. Among South African companies there is a growing understanding that it is no longer a case of if their data will be breached, but when. Passwords, credit card details, sensitive personal and business information are just some of the types of information that are regularly shared by email.

The average cost of a data breach in SA is about R28.6-million, according to the Ponemon Institute. Worldwide, this number is much higher at $4-million. Much of this cost is related to loss of business and the enormous damage that can be done to a company’s reputation once its security has been breached. But email doesn’t even need to be hacked to pose a risk. The other problem with email is the habits of people using email.

In a recent study by cybersecurity firm Stroz Friedberg, titled Information Security Risk in American Business, 58% of senior managers admitted that they had accidentally sent sensitive information to the wrong person. Further, only 17% of recipients indicated they had ‘never’ mistakenly sent information to an external third party, while 83% said they didn’t know or frequently had.

There are many ways to improve the safety of email, but these often fail because they are not convenient, or are too complicated to use or too difficult to manage for IT managers. Nevertheless, businesses are clear that ease of use of email services is very important to keep customers happy and to keep businesses functioning, according to the Ponemon Institute.

Along with the clear dangers that email presents, there is also a growing regulatory burden to protect information. Companies in South Africa and those doing business with the EU have about a year to implement their plans to comply with new regulations related to the protection of personal information.

So what can be done?

“As much as possible, automate email security solutions, ensure they are encrypted, create quarantine protocols that automatically block emails that shouldn’t leave the organisation,” Valjarevic says.

“The introduction of the Protection of Personal Information Act (POPI) this year is going to drive an enormous amount of companies to look for solutions that will help them comply with the new law. Finding the right solution that makes compliance easy to measure and report on, will be the key to success.”

One of the most shocking findings in the Stroz Friedberg study was that 1% of respondents said they never ignored their company’s email policy. “As a business owner, you need to ask yourself if 1% of my employees abide by the IT policy, do I want to leave my POPI compliance to the other 99% of users?” asks Valjarevic.

For more information contact LAWtrust, +27 (0)11 731 8238, [email protected],

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

2024 Southern Africa OSPAs winners announced
Editor's Choice
The 2024 Southern Africa Outstanding Security Performance Awards (OSPAs) winners were revealed on Tuesday, June 11th, at the Securex South Africa Seminar Theatre hosted by SMART Security Solutions.

AI and ransomware: cutting through the hype
AI & Data Analytics Information Security
It might be the great paradox of 2024: artificial intelligence (AI). Everyone is bored of hearing it, but we cannot stop talking about it. It is not going away, so we had better get used to it.

Local manufacturing is still on the rise
Hissco Editor's Choice News & Events Security Services & Risk Management
HISSCO International, Africa's largest manufacturer of security X-ray products, has recently secured a multi-continental contract to supply over 55 baggage X-ray screening systems in 10 countries.

NEC XON shares lessons learned from ransomware attacks
NEC XON Editor's Choice Information Security
NEC XON has handled many ransomware attacks. We've distilled key insights and listed them in this article to better equip companies and individuals for scenarios like this, which many will say are an inevitable reality in today’s environment.

Detecting humans within vehicles without opening the doors
Flow Systems News & Events Security Services & Risk Management
Flow Systems has introduced its new product, which detects humans trying to hide within a vehicle, truck, or container. Vehicles will be searched once they have stopped before one of Flow Systems' access control boom barriers.

Cybercriminals embracing AI
Information Security Security Services & Risk Management
Organisations of all sizes are exploring how artificial intelligence (AI) and generative AI, in particular, can benefit their businesses. While they are still figuring out how best to use AI, cybercriminals have fully embraced it.

The future of digital identity in South Africa
Editor's Choice Access Control & Identity Management
When it comes to accessing essential services, such as national medical care, grants and the ability to vote in elections to shape national policy, a valid identity document is critical.

Do you need a virtual CIO?
Editor's Choice News & Events Infrastructure
If you have a CIO, rest assured that your competitors have noticed and will come knocking on their door sooner or later. A Virtual CIO service is a compelling solution for businesses navigating tough economic conditions.

AI-enabled tools reducing time to value and enhancing application security
Editor's Choice
Next-generation AI tools are adding new layers of intelligent testing, audit, security, and assurance to the application development lifecycle, reducing risk, and improving time to value while augmenting the overall security posture.

Perspectives on personal care monitoring and smart surveillance
Leaderware Editor's Choice Surveillance Smart Home Automation IoT & Automation
Dr Craig Donald believes smart surveillance offers a range of options for monitoring loved ones, but making the right choice is not always as simple as selecting the latest technology.