Email is the weak link

July 2017 Editor's Choice, Information Security, Security Services & Risk Management

Email remains any firm’s most important business tool, and 43-trillion emails are sent annually, with company employees each receiving about 100 daily. Yet it is one of the weakest links in terms of cybersecurity.

“The problem with email is that it was not designed to be secure. It was designed to be easy to use,” says Dr Aleksandar Valjarevic, head of professional services at LAWtrust. “Even as technologies used by businesses change and evolve, such as web-based portals and cloud-based services, email is not going away and it has not changed.”

The weak security that is inherent in email makes it one of the top five business risks that a company could face, because of the type and volume of information exchanged every day.

Cybersecurity dominated the news recently with an unprecedented attack from a ransomware worm.

It is threats such as these that makes email what cybersecurity professionals describe as ‘target rich’. This is similar to language used in warfare and means that an attacker has superior means to attack a high number of attractive and poorly defended targets all at once. To be clear, targets are your sensitive and private data, trade secrets, business plans, and the list goes on.

Recent research by the Radicati Group, a technology market research firm, shows that on average, people receive about 100 emails a day. The risks posed by email are often poorly understood within organisations or poorly managed, with low compliance to what are sometimes good IT policies.

“If you think about the information you receive and share on a moment-to-moment basis with people inside and outside your company – maybe pricing direction on a tender, or even your personal information may be in an email for an insurance claim, you will realise how rich the data is and how attractive it is for cyber criminals,” says Valjarevic.

Not if, when

Once the information in the email is compromised, it can wreak havoc with a business and someone’s personal life. Among South African companies there is a growing understanding that it is no longer a case of if their data will be breached, but when. Passwords, credit card details, sensitive personal and business information are just some of the types of information that are regularly shared by email.

The average cost of a data breach in SA is about R28.6-million, according to the Ponemon Institute. Worldwide, this number is much higher at $4-million. Much of this cost is related to loss of business and the enormous damage that can be done to a company’s reputation once its security has been breached. But email doesn’t even need to be hacked to pose a risk. The other problem with email is the habits of people using email.

In a recent study by cybersecurity firm Stroz Friedberg, titled Information Security Risk in American Business, 58% of senior managers admitted that they had accidentally sent sensitive information to the wrong person. Further, only 17% of recipients indicated they had ‘never’ mistakenly sent information to an external third party, while 83% said they didn’t know or frequently had.

There are many ways to improve the safety of email, but these often fail because they are not convenient, or are too complicated to use or too difficult to manage for IT managers. Nevertheless, businesses are clear that ease of use of email services is very important to keep customers happy and to keep businesses functioning, according to the Ponemon Institute.

Along with the clear dangers that email presents, there is also a growing regulatory burden to protect information. Companies in South Africa and those doing business with the EU have about a year to implement their plans to comply with new regulations related to the protection of personal information.

So what can be done?

“As much as possible, automate email security solutions, ensure they are encrypted, create quarantine protocols that automatically block emails that shouldn’t leave the organisation,” Valjarevic says.

“The introduction of the Protection of Personal Information Act (POPI) this year is going to drive an enormous amount of companies to look for solutions that will help them comply with the new law. Finding the right solution that makes compliance easy to measure and report on, will be the key to success.”

One of the most shocking findings in the Stroz Friedberg study was that 1% of respondents said they never ignored their company’s email policy. “As a business owner, you need to ask yourself if 1% of my employees abide by the IT policy, do I want to leave my POPI compliance to the other 99% of users?” asks Valjarevic.

For more information contact LAWtrust, +27 (0)11 731 8238, robyn@lawholdings.co.za, www.lawholdings.co.za





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Understanding the power of digital identity
Access Control & Identity Management Security Services & Risk Management Financial (Industry)
The way we perceive business flourishing is undergoing a paradigm shift, as digital identity and consumer consent redefine the dynamics of transactions, says Shanaaz Trethewey.

Read more...
Access & identity expectations for 2024
Technews Publishing IDEMIA ZKTeco Gallagher Salto Systems Africa Regal Distributors SA Reditron Editor's Choice Access Control & Identity Management Information Security AI & Data Analytics
What does 2024 have in store for the access and identity industry? SMART Security Solutions asked several industry players for their brief thoughts on what they expect this year.

Read more...
What you can expect from digital identity in 2024
Access Control & Identity Management Security Services & Risk Management
As biometric identity becomes a central tenet in secure access to finance, government, telecommunications, healthcare services and more, 2024 is expected to be a year where biometrics evolve and important regulatory conversations occur.

Read more...
AI-driven identity verification for access control
C3 Shared Services Editor's Choice
Facial authentication solutions combine advanced AI and 3D sensing technologies with ease of use to create a frictionless, touchless experience. The deployment of this technology in an access control system keeps users and administration moving.

Read more...
Access and identity in 2024
Technews Publishing Gallagher HID Global IDEMIA Ideco Biometrics Enkulu Technologies neaMetrics Editor's Choice Access Control & Identity Management Integrated Solutions
SMART Security Solutions hosted a round table discussion with various players in the access and identity market, to find out what they experienced in the last year, as well as their expectations for 2024.

Read more...
The promise of mobile credentials
Technews Publishing Suprema neaMetrics HID Global Editor's Choice Access Control & Identity Management IoT & Automation
SMART Security Solutions examines the advantages and disadvantages of mobile credentials in a market dominated by cards and fobs, in which biometrics is viewed as a secure alternative.

Read more...
Zero Trust and user fatigue
Access Control & Identity Management Information Security
Paul Meyer, Security Solutions Executive, iOCO OpenText, says implementing Zero Trust and enforcing it can create user fatigue, which only leads to carelessness and a couldn’t care attitude.

Read more...
Passwordless, unphishable web browsers
Access Control & Identity Management Information Security
Passkey technology is proving to be an easily deployed way to bring unphishable, biometric-based security to browsers; making identification and authentication much more secure and reliable for all parties.

Read more...
PQC, AI & sustainability: five cybersecurity trends for 2024
Editor's Choice
In this article, Nils Gerhardt looks at some of the most important developments that Utimaco experts see coming in 2024, both in technology and the wider world it intersects with.

Read more...
Protecting your business in the digital economy
Editor's Choice
Conducting business in the digital age has never been more challenging. In the Zero Trust cyber security model, nothing is more important than proactively safeguarding enterprise data.

Read more...