Rick Goud describes why email is a major information security problem, and how this risk can be managed.
In the first quarter of FY 2020-21, outbound email was a significant cause of leaks reported to UK's Information Commissioner’s Office (ICO): data sent to the wrong recipients accounted for 28%, and putting recipients in the ‘Cc’ instead of ‘Bcc’ email field accounted for 6%. Data leaks due to inbound email including phishing and malware ‘only’ contributed to 14% of data leaks.
These statistics show a real and urgent need for better email data protection, both to help employees more easily safeguard the information they send – thereby reducing the pervasive ‘insider threat’ of human error – and to protect emailed data from unauthorised access by malicious outsiders.
Security and emailed data
Why is security a problem when emailing data? It's because things can go wrong for many reasons when people send information via email. Those reasons include:
- Lack of transport protection: Email has opportunistic encryption, meaning that a sender can ask for a message to be encrypted in transit, but with no guarantee that it will be. TLS alone is not enough for transport security. The protocol that best enforces encryption is DANE, which most email systems do not yet support. In addition, email has no fall-back mechanism, meaning that if transport security is not possible, the message is just not delivered; and that, of course, is unacceptable.
- Lack of storage protection: Email held by cloud solutions is mostly not encrypted properly at rest – and no organisation wants its email vendor to be able to access its information. Of course, most providers use encryption; but the challenge with encryption is not the process of encrypting, it is the key management. With nearly all cloud email providers, including Microsoft and Google, an organisation’s keys, or copies or derivatives of them, are stored in the provider’s system. This makes the keys vulnerable to insider threats, attractive to hackers and subject to governmental subpoenas.
- Lack of authentication: With sensitive data, organisations want to make sure that only the intended recipients can access their information – not someone else who has access to an individual’s mailbox, whether with permission (a spouse or secretary) or without it (hackers targeting free email services or weak passwords). This is where two-factor authentication (2FA) comes into play. With 2FA, users need to enter an additional SMS or time-based code to prove it is really them. With most email systems, however, users are not able to protect their messages with 2FA. Microsoft Office 365 doesn't enable this, nor does Mimecast, nor any of the other big vendors. Only Google enables users to do so, with its ‘Confidential mode’. This, however, has limited functionality and suboptimal usability for both the sender and the recipient.
- Lack of read indicators: If an employee sends sensitive data, they want to know whether the recipient received or accessed the information. But again, this is often not part of the email communication process.
- Lack of retraction possibilities: If a user has made a mistake, e.g. misaddressed an email or sent the wrong attachment (errors which are, by far, the biggest causes of data leaks), they will want to be able to retract access to that message. Again, this is difficult with email. Outlook and Gmail do offer a recall function, but with no guarantee that it succeeds.
It's clear that email lacks nearly all the security-related aspects an organisation needs to achieve safe digital communications. Thankfully, there are several user-friendly, cost-effective digital tools available to address email’s security shortfalls. Best-practice solutions also enable compliance with evolving data protection regulations, including the DPA and GDPR.
Prevent data leaks at every stage of email
To overcome outbound email’s security challenges, it is necessary for organisations to find a solution that protects data throughout the entire communication journey, i.e. before, during and after each email is sent.
Before transmission. Security incident reports by European data privacy authorities, including the UK’s ICO, show that most data leaks happen before transmission. Specific causes include:
- Auto-completion functionalities of email clients accidentally adding the wrong recipient.
- Attaching a file that contains sensitive information the user is unaware of.
- Users not being aware that the information they are sharing is sensitive.
- Exposing recipients’ contact details by failing to use ‘Bcc’.
Tackling such outbound email errors requires a solution that combines real-time data classification, the ability to raise user awareness, recipient contextualisation, and communication evaluation.
On-the-spot data classification, for example, means that while an email is being composed, the system will classify the type of information users intend to share. This applies to both the email text plus any attachments. In addition, AI and dictionary-based classifiers can be used to detect medical, legal, financial, or personal information, as well as national insurance or credit card numbers. Based on the data classification assessment, the user can be notified about any anomalies before the email is sent via a non-intrusive alert.
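The pre-send checks described above (recipient contextualisation, a Bcc warning, and dictionary-style classification of the body and text attachments) can be illustrated with a small Python script. This is an added example, not Zivver's product code or any code from the article; the organisation domain `example.org`, the `KNOWN_CONTACTS` set, the sample message and the five-recipient Bcc threshold are all constructed assumptions, and the classifiers are deliberately simple pattern checks (a Luhn-validated card number and a format-only UK National Insurance number).

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

# Hypothetical organisation domain and a constructed set of previously used contacts.
INTERNAL_DOMAIN = "example.org"
KNOWN_CONTACTS = {"alice@partner.example", "bob@partner.example"}

# 14-19 digits, optionally separated by spaces or hyphens; validated with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")
# UK National Insurance number, format check only: two letters, six digits, suffix A-D.
NINO_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b")


def luhn_ok(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum (filters random digit runs)."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text: str) -> list[str]:
    """Dictionary/pattern-based classification of one piece of text."""
    findings = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group()):
            findings.append("credit card number")
    for _ in NINO_RE.finditer(text):
        findings.append("national insurance number")
    return findings


def check_recipients(msg: EmailMessage, bcc_threshold: int = 5) -> list[str]:
    """Recipient contextualisation: first-time externals and too many visible externals."""
    findings = []
    visible = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    external = [addr.lower() for _, addr in visible
                if not addr.lower().endswith("@" + INTERNAL_DOMAIN)]
    if len(external) >= bcc_threshold:
        findings.append(f"{len(external)} external recipients visible in To/Cc; consider Bcc")
    for addr in external:
        if addr not in KNOWN_CONTACTS:
            findings.append(f"first-time external recipient {addr}")
    return findings


def pre_send_check(msg: EmailMessage) -> list[str]:
    """Run all checks while the message is being composed; return alerts for the sender."""
    findings = check_recipients(msg)
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        findings += [f"body contains {f}" for f in classify_text(body.get_content())]
    for part in msg.iter_attachments():
        name = part.get_filename() or "attachment"
        # Only text attachments are scanned here; a real system would also extract
        # text from office documents and PDFs before classifying them.
        if part.get_content_maintype() == "text":
            findings += [f"{name} contains {f}" for f in classify_text(part.get_content())]
    return findings


def build_sample() -> EmailMessage:
    """Constructed sample message: one known partner, five unknown externals in Cc,
    a Luhn-valid test card number in the body and an NI number in a text attachment."""
    msg = EmailMessage()
    msg["From"] = "carol@example.org"
    msg["To"] = "alice@partner.example"
    msg["Cc"] = ", ".join(f"user{i}@other.example" for i in range(5))
    msg.set_content("Hi, the card on file is 4111 1111 1111 1111.")
    msg.add_attachment("NI: AB123456C\n", subtype="plain", filename="notes.txt")
    return msg


if __name__ == "__main__":
    for alert in pre_send_check(build_sample()):
        print("ALERT:", alert)
```

The alerts are meant to be surfaced to the sender as the non-intrusive prompt the paragraph describes, not to block the message outright; the sender decides whether the classification is a false positive.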
During sending. Applying zero-knowledge, guaranteed message encryption and strong two-factor authentication - via an SMS text message or TOTP code, for example - across all email content is the most effective way to prevent unauthorised access during sending.
After sending. Real-time logging allows organisations to identify immediate risks and potential data leaks after sending. It can also limit the impact of unintended data exposure by allowing senders to retract messages, and it shows whether the message and attachments were accessed, and by whom.
People-focused technology enables safer emails
With unencrypted emails and a lack of strong authentication adding to the already significant risk of human error leading to unauthorised access to emailed data, it is time for organisations to re-evaluate the security of their outbound email.
When choosing an appropriate solution, ease of use is essential, to ensure the productivity of employees is not disrupted. The best approach is to allow staff to continue using their familiar email environments, such as Outlook or Gmail, so they don’t have to change their usual way of working. The security tools you select must therefore take account of this.
We believe that optimising email data protection requires the right blend of technology and human input. Enterprises, therefore, need to provide employees with the most user-friendly and robust secure email solution; one which is best suited to their current working environment. This will help workers to make better and safer decisions when emailing sensitive information, unlocking their potential, because - ultimately - people are the key to protecting an organisation’s data.
Rick Goud is CIO and Founder of email security specialists Zivver. Zivver’s secure email functions seamlessly with Outlook. Zivver for Gmail has recently been launched to cater for the growing number of organisations using Google Workspace worldwide.