There is one group, however, that has a lot more love for email than hate. That group is cybercriminals.
If we look through the past few years for the common thread in the landslide of data breaches, we will find that employee email is the scarlet thread running through them all. Email data breaches were the main cause of critical data loss in financial, legal and professional firms in 2017. Unfortunately, email has become one of the business world’s greatest liabilities and the gateway to both computer network and data compromise.
Insecure by Default
Electronic mail is old, in internet years. Its roots go back to the 1970s ARPANET, and it was designed at a time when nobody was thinking about security, which is why it is insecure by default. Why? Here’s a brief history:
RFC (Request for Comments) 821, written by Jon Postel in 1982, was the document that standardized SMTP (Simple Mail Transfer Protocol), and at that time the security and privacy of email communications weren’t really a concern. Email was designed as a plaintext protocol: the message’s content and its headers travel in the clear, visible to anyone between the sender and the destination, and nothing in the protocol verifies that the sender is who the headers say. Especially telling is the fact that the word “security” doesn’t appear anywhere in RFC 821. Every security feature we now have in email, from STARTTLS for encrypting the hop between mail servers to SPF, DKIM and DMARC for checking that a message really comes from the domain it claims, was added later as an optional extension, and each one only helps where both sides have turned it on.
The way forward is a well-thought-out blend of technology and awareness training for email users. Employees need to know what to look for regarding criminal email bait.
Here are some of the tips I provide businesses, drawn from my years as an ethical hacker:
- Minimize the use of your email inbox as a filing cabinet. If your email inbox is ever compromised, you want it to be as inconsequential as possible, so move or delete anything containing passwords, contracts, financial details or personal data rather than leaving it sitting in old threads.
- Training. 95 percent of all cybersecurity incidents involve human error. Employee training is vital to the health of all organizations, large and small.
- Multifactor. 65 percent of cybersecurity attacks could have been prevented with multifactor authentication, yet only 45 percent of organizations use it today. Moral of this story? Multifactor authentication is a powerful tool that works. Where you can, prefer an authenticator app or a hardware key over codes sent by SMS, which can be intercepted or redirected.
- Don’t just click. If the email you receive contains links, attachments, or requests for information and you weren’t expecting them, do not click on them without investigating. One way to do this is to verify the actual email address of the sender (not merely the display name), since the display name is free text the sender chooses. For anything involving money, credentials or sensitive data, confirm the request through a channel you already trust, such as a phone number you looked up yourself, rather than by replying to the email.
- Public info. Cybercriminals will use public information about you, your employer, or company to gain your trust and appear credible. Take time to do an online search of yourself and your employer. Not only will you be better prepared, you might also be surprised at what you find.
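The two header checks above (the real address behind the display name, and whether the envelope sender matches the visible From domain) are things SMTP itself never enforces, which is the practical consequence of the history in the previous section. The following is an added example, not code from the original article: a small Python script that parses a constructed phishing-style message with the standard library and lists the red flags a reader or a mail filter would want to see. The sample message, the look-alike domain, and the `TRUSTED_DOMAINS` set are all constructed assumptions for illustration.

```python
"""
Added example (not from the original article): parse the headers of a
constructed phishing-style message and flag what the article says to check:
the real address behind the display name, and whether the envelope sender
(Return-Path) and Reply-To match the visible From address. SMTP enforces
none of this, so the check has to be done by the reader or a filter.
"""
import email
from email.utils import parseaddr

# Constructed sample message: the display name impersonates the CEO of
# "example.com", the real address is on a look-alike domain, the envelope
# sender is something else again, and replies are steered to a third mailbox.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mailer-relay.example.net>
From: "Jane Doe, CEO - Example Corp" <jane.doe@examp1e-corp.com>
Reply-To: <accounts@examp1e-corp.com>
To: bob@example.com
Subject: Urgent wire transfer

Bob, I need you to process the attached invoice today.
"""

# Assumption: the organisation's own domains, used to spot brand impersonation.
TRUSTED_DOMAINS = {"example.com"}


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def analyze_sender(raw: str) -> dict:
    """Extract the sender identities from a raw RFC 822 message and list red flags."""
    msg = email.message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", from_addr))
    _, return_path = parseaddr(msg.get("Return-Path", ""))

    from_domain = domain_of(from_addr)
    flags = []

    # 1. Display name references one of our own domains/brands, but the
    #    actual address lives elsewhere: the "check the real address" tip.
    if from_domain not in TRUSTED_DOMAINS:
        claimed = [d for d in TRUSTED_DOMAINS if d.split(".")[0] in display.lower()]
        if claimed:
            flags.append(f"display name references {claimed[0]} but address is @{from_domain}")
        else:
            flags.append(f"external sender @{from_domain}")

    # 2. Envelope sender (what the SMTP session actually used) differs from the
    #    header From. SMTP never required these to match; SPF and DMARC were
    #    bolted on later precisely because of that.
    if return_path and domain_of(return_path) != from_domain:
        flags.append(f"Return-Path @{domain_of(return_path)} does not match From @{from_domain}")

    # 3. Replies would go somewhere other than the apparent sender.
    if reply_to and reply_to.lower() != from_addr.lower():
        flags.append(f"Reply-To {reply_to} differs from From {from_addr}")

    return {
        "display_name": display,
        "from_address": from_addr,
        "return_path": return_path,
        "reply_to": reply_to,
        "flags": flags,
    }


if __name__ == "__main__":
    result = analyze_sender(SAMPLE_MESSAGE)
    print(f"Display name : {result['display_name']}")
    print(f"Real address : {result['from_address']}")
    for flag in result["flags"]:
        print(" !", flag)
```

Run as-is, the script reports three flags for the sample message: a display name that mentions Example Corp while the address sits on `examp1e-corp.com`, a Return-Path on yet another domain, and a Reply-To that would send any answer to a different mailbox. A message from `jane.doe@example.com` whose Return-Path matches produces no flags. The brand-name check is deliberately simple; in practice you would maintain a list of executives and partner names as well as domains.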