printer friendly version

Email is the weak link

Email remains any firm’s most important business tool, and 43-trillion emails are sent annually, with company employees each receiving about 100 daily. Yet it is one of the weakest links in terms of cybersecurity.

“The problem with email is that it was not designed to be secure. It was designed to be easy to use,” says Dr Aleksandar Valjarevic, head of professional services at LAWtrust. “Even as technologies used by businesses change and evolve, such as web-based portals and cloud-based services, email is not going away and it has not changed.”

The weak security that is inherent in email makes it one of the top five business risks that a company could face, because of the type and volume of information exchanged every day.

Cybersecurity dominated the news recently with an unprecedented attack from a ransomware worm.

It is threats such as these that makes email what cybersecurity professionals describe as ‘target rich’. This is similar to language used in warfare and means that an attacker has superior means to attack a high number of attractive and poorly defended targets all at once. To be clear, targets are your sensitive and private data, trade secrets, business plans, and the list goes on.

Recent research by the Radicati Group, a technology market research firm, shows that on average, people receive about 100 emails a day. The risks posed by email are often poorly understood within organisations or poorly managed, with low compliance to what are sometimes good IT policies.

“If you think about the information you receive and share on a moment-to-moment basis with people inside and outside your company – maybe pricing direction on a tender, or even your personal information may be in an email for an insurance claim, you will realise how rich the data is and how attractive it is for cyber criminals,” says Valjarevic.

Not if, when

Once the information in the email is compromised, it can wreak havoc with a business and someone’s personal life. Among South African companies there is a growing understanding that it is no longer a case of if their data will be breached, but when. Passwords, credit card details, sensitive personal and business information are just some of the types of information that are regularly shared by email.

The average cost of a data breach in SA is about R28.6-million, according to the Ponemon Institute. Worldwide, this number is much higher at $4-million. Much of this cost is related to loss of business and the enormous damage that can be done to a company’s reputation once its security has been breached. But email doesn’t even need to be hacked to pose a risk. The other problem with email is the habits of people using email.

In a recent study by cybersecurity firm Stroz Friedberg, titled Information Security Risk in American Business, 58% of senior managers admitted that they had accidentally sent sensitive information to the wrong person. Further, only 17% of recipients indicated they had ‘never’ mistakenly sent information to an external third party, while 83% said they didn’t know or frequently had.

There are many ways to improve the safety of email, but these often fail because they are not convenient, or are too complicated to use or too difficult to manage for IT managers. Nevertheless, businesses are clear that ease of use of email services is very important to keep customers happy and to keep businesses functioning, according to the Ponemon Institute.

Along with the clear dangers that email presents, there is also a growing regulatory burden to protect information. Companies in South Africa and those doing business with the EU have about a year to implement their plans to comply with new regulations related to the protection of personal information.

So what can be done?

“As much as possible, automate email security solutions, ensure they are encrypted, create quarantine protocols that automatically block emails that shouldn’t leave the organisation,” Valjarevic says.

“The introduction of the Protection of Personal Information Act (POPI) this year is going to drive an enormous amount of companies to look for solutions that will help them comply with the new law. Finding the right solution that makes compliance easy to measure and report on, will be the key to success.”

One of the most shocking findings in the Stroz Friedberg study was that 1% of respondents said they never ignored their company’s email policy. “As a business owner, you need to ask yourself if 1% of my employees abide by the IT policy, do I want to leave my POPI compliance to the other 99% of users?” asks Valjarevic.

Share this article:

Further reading: