Email remains any firm’s most important business tool, and 43-trillion emails are sent annually – with company employees each receiving about 100 daily. Yet it is one of the weakest links in terms of cyber security.
“The big problem with email is that it was not designed to be secure. It was designed to be easy to use,” says Dr Aleksandar Valjarevic, head of professional services at LAWtrust, Africa's leading cyber security company, after speaking at the ITweb Security Summit in Midrand today.
“Even as technologies used by businesses change and evolve, such as web-based portals and cloud-based services, email is not going away and it has not changed.”
The weak security that is inherent in email makes it one of the top five business risks that a company could face, because of the type and volume of information exchanged every day.
Cyber security has dominated tech news this week with an unprecedented attack from a ransomware worm called WannaCry. Targets have been successfully exploited in many instances with people clicking on links that give the worm access to the users’ network. The ransomware locks up people’s data with a demand of payment in order to release the data.
It is threats such as these that makes email what cybersecurity professionals describe as “target rich”. This is similar to language used in warfare and means that an attacker has superior means to attack a high number of attractive and poorly defended targets all at once. To be clear, targets are your sensitive and private data, trade secrets, business plans, and the list goes on.
Recent research by the Radicati Group, a technology market research firm, shows that on average, people receive about 100 emails a day. The risks posed by email are often poorly understood within organisations or poorly managed, with low compliance with what are sometimes good IT policies.
“If you think about the information you receive and share on a moment-to-moment basis with people inside and outside your company – maybe pricing direction on a tender, or even your personal information may be in an email for an insurance claim, you will realise how rich the data is and how attractive it is for cyber criminals,” says Valjarevic.
Once the information in the email is compromised, it can wreak havoc with a business and someone’s personal life. Among South African companies there is a growing understanding that it is no longer a case of if their data will be breached, but when.
Passwords, credit card details, sensitive personal and business information are just some of the types of information that are regularly shared by email.
The average cost of a data breach in SA is about R28.6-million, according to the Ponemon Institute. Worldwide, this number is much higher at $4-million.
Much of this cost is related to loss of business and the enormous damage that can be done to a company’s reputation once its security has been breached.
But email doesn’t even need to be hacked to pose a risk. The other problem with email is the habits of people using email.
In a recent study by cybersecurity firm Stroz Friedberg, titled Information Security Risk in American Business, 58% of senior managers admitted that they had accidentally sent sensitive information to the wrong person. Further, only 17% of recipients indicated they had “never” mistakenly sent information to an external third party, while 83% said they didn’t know or frequently had.
There are many ways to improve the safety of email, but these often fail because they are not convenient, or are too complicated to use or too difficult to manage for IT managers. Nevertheless, businesses are clear that ease of use of email services is very important to keep customers happy and to keep businesses functioning, according to the Ponemon Institute.
Along with the clear dangers that email presents, there is also a growing regulatory burden to protect information. Companies in South Africa and those doing business with the EU have about a year to implement their plans to comply with new regulations related to the protection of personal information.
So what can be done?
“As much as possible automate email security solutions, ensure they are encrypted, create quarantine protocols that automatically block emails that shouldn’t leave the organisation,” Valjarevic says.
“The introduction of the Protection of Personal Information Act (POPIA) this year is going to drive an enormous amount of companies to look for solutions that will help them comply with the new law. Finding the right solution that makes compliance easy to measure and report on, will be the key to success,” Valjarevic said.
One of the most shocking findings in the Stroz Friedberg study was that 1% of respondents said they never ignored their company’s email policy.
“As a business owner, you need to ask yourself if 1% of my employees abide by the IT policy, do I want to leave my POPIA compliance to the other 99% of users?” asks Valjarevic.
LAWtrust is the leader in identity-based security in Africa. Founded in 2006, LAWtrust is a trusted secure identity, cryptographic and digital security partner for some of Africa’s largest and highly regulated organisations. LAWtrust is a pioneer in its field, and a recognised expert in compliance and security. Among its clients are leading telecommunications, financial services and industrial companies with cross-border operations, and high-value government departments.