History of Email Security
Making Emails 10x Better for User Experience and Security
We constantly hear people complain about email, saying it’s chaotic, insecure, and a drain on productivity. Some enterprises have even gone so far as to ban emails altogether. Despite the existence of instant messaging, social media apps and client portals, email usage is still increasing, with over 294 billion emails sent every day in 2019.
Emails are an essential tool for consumers. Without an email address, I can't sign up for most e-commerce, banking or social media sites. Without emails, I'd have to download dozens of apps to talk to my friends because a new app seems to pop up every time I check. Worse, half of those apps are unsupported now, so my messages there are lost. In comparison, my Hotmail account from 20 years ago still works and contains an invaluable trail of my past.
If your business is not using email to talk to your customers, it's time to reconsider. Twilio conducted a study on communication preferences in 2020 and found that 83% of consumers prefer to receive business communication over email. Businesses that failed to do so were penalized over 70% of the time through bad reviews or dropped purchases. Email security is a big reason why some companies use secure client portals over email. But what makes emails insecure in the first place?
Business Email Compromise (BEC) and Email Account Compromise (EAC) were ranked the number one Internet crime in 2021 in the annual FBI Internet Crime Report. In 2021, email compromises caused over $2.4 trillion worth of damages, 28% higher than in 2020. To understand why, we must start with how email works. There will be some technical content ahead; skip ahead to go straight to the solutions.
The email ecosystem consists of four points of interest. First is the Internet protocols (SMTP, IMAP/POP), which specify how emails should be exchanged. Then you have the service providers (e.g., Gmail, Office365, ISPs) and endpoints (e.g., MacBook, Android phone) that implement the email protocols. Lastly, you have the senders & recipients involved in the email exchange.
An email compromise can occur in each of these four points of interest.
SMTP, POP and IMAP protocols were all invented in the early days of the Internet. In those days, the Internet was only accessible to a select few with access to facilities controlled by universities and governments. Protocol security was unnecessary because physical access controls were sufficient at the time.
It wasn't until the 90s, after Netscape popularized SSL, that email protocols started to encrypt messages in transit. Then, in the late 2000s, Yahoo adopted a new set of email protocols, SPF, DKIM and DMARC, which helped verify the identity of email senders.
Unfortunately, the adoption of secure email protocols was slow. After over 20 years of SSL/TLS support, only 89% of emails were encrypted in transit. We see even less adoption of the relatively newer authentication support. Asian and African countries are lagging behind the adoption curve, with major email providers like Alibaba (China), NetEase (China), Yahoo (Japan) and FCMB (Nigeria) still operating without encryption.
Political control may explain why some countries, like China, hesitate to implement encryption. Another reason adoption is hard is that email is an open protocol. Anyone can set up an email server and send/receive emails, but not everyone is incentivized to upgrade their email server. The number of active email accounts crossed the 100 million mark by the late 90s. It is no wonder that email protocols are still not secure today.
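The three authentication protocols named above are checked by the receiving mail server, not the sender: SPF asks whether the connecting server is allowed to send for the envelope domain, DKIM verifies a signature made with a key published in the signing domain's DNS, and DMARC requires that at least one of those passing identities is aligned with the domain in the visible From header. The receiving server records its verdict in an Authentication-Results header. The following added example (written for this article, not code from any provider) parses that header from two constructed messages and reports whether the From domain is actually backed by an aligned SPF or DKIM pass; the domain names, selector and authserv-id are all made up, and the organizational-domain reduction is a deliberate simplification.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not from the article). The first carries
# the results a receiving MTA would record for a legitimately sent
# message; the second is a look-alike whose SPF pass belongs to an
# unrelated sending domain and whose DKIM signature is absent.
SAMPLE_AUTHENTIC = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce@bank.example;
 dkim=pass header.d=bank.example header.s=sel1;
 dmarc=pass header.from=bank.example
From: Alerts <alerts@bank.example>
Subject: Your statement is ready

Constructed body.
"""

SAMPLE_LOOKALIKE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bulk-sender.example;
 dkim=none;
 dmarc=fail header.from=bank.example
From: "Bank Alerts" <alerts@bank.example>
Subject: Urgent: verify your account

Constructed body.
"""

METHOD_RE = re.compile(r"^(?P<method>[a-z]+)=(?P<result>[a-z]+)(?P<props>.*)$", re.I | re.S)
PROP_RE = re.compile(r"([\w.]+)=([^\s;()]+)")


def parse_auth_results(value):
    """Parse an Authentication-Results value (RFC 8601 shape) into a dict
    keyed by method ('spf', 'dkim', 'dmarc', ...). Each entry holds the
    result plus properties such as smtp.mailfrom or header.d. The first
    ';'-separated element is the authserv-id of the MTA that performed
    the checks and is stored under '_authserv'."""
    parts = [p.strip() for p in value.replace("\r", " ").replace("\n", " ").split(";")]
    out = {"_authserv": parts[0]}
    for part in parts[1:]:
        m = METHOD_RE.match(part)
        if not m:
            continue  # comments or malformed fragments are ignored
        props = dict(PROP_RE.findall(m.group("props")))
        props["result"] = m.group("result").lower()
        out[m.group("method").lower()] = props
    return out


def _domain(value):
    """Return the domain part of an address, or a bare domain, lowercased."""
    return value.rpartition("@")[2].strip().lower()


def _org_domain(domain):
    """Relaxed-alignment comparison key. Real DMARC uses the Public Suffix
    List to find the organizational domain; this example approximates it
    with the last two labels, which is wrong for suffixes like co.uk."""
    return ".".join(domain.split(".")[-2:])


def evaluate(raw_message):
    """Summarise what the receiver's Authentication-Results say about the
    visible From domain: the SPF/DKIM/DMARC results and whether at least
    one passing identifier is aligned with the From domain."""
    msg = message_from_string(raw_message)
    from_domain = _domain(parseaddr(msg.get("From", ""))[1])
    ar = parse_auth_results(msg.get("Authentication-Results", ""))
    spf, dkim, dmarc = ar.get("spf", {}), ar.get("dkim", {}), ar.get("dmarc", {})
    spf_aligned = (spf.get("result") == "pass"
                   and _org_domain(_domain(spf.get("smtp.mailfrom", ""))) == _org_domain(from_domain))
    dkim_aligned = (dkim.get("result") == "pass"
                    and _org_domain(_domain(dkim.get("header.d", ""))) == _org_domain(from_domain))
    return {
        "from_domain": from_domain,
        "spf": spf.get("result", "none"),
        "dkim": dkim.get("result", "none"),
        "dmarc": dmarc.get("result", "none"),
        "aligned": spf_aligned or dkim_aligned,
    }


if __name__ == "__main__":
    for name, raw in (("authentic", SAMPLE_AUTHENTIC), ("lookalike", SAMPLE_LOOKALIKE)):
        print(name, evaluate(raw))
```

The look-alike shows why a bare "spf=pass" is not enough: SPF passed for the bulk sender's own envelope domain, which says nothing about the bank named in From. Alignment is the property DMARC adds, and it is the one a mail filter or SOC rule should key on.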
Email providers like iCloud, Gmail, Outlook and Yahoo! make it so simple that it feels like everyone and their grandma is using them. Not only that, these are all Fortune 500 companies, so it's easy to trust them to keep your emails safe. But under the hood, these email providers simply operate software that uses email protocols. Hackers love compromising emails because (1) they contain a treasure trove of private information, and (2) emails can be forwarded quickly, making them a logistical highway for spreading malware.
In March 2021, a Chinese hacking group exploited four vulnerabilities on Microsoft Exchange servers to extract email contents from over 30,000 organizations. Above is an exchange between the former director of the Cybersecurity & Infrastructure Security Agency (CISA) and the White House National Security Advisor (NSA).
Microsoft, one of the leaders in cybersecurity with billions of dollars of budget, failed to secure email servers. It's hard to imagine how anyone can. While it can seem impossible to airgap email servers, ensuring your smartphone is secure is even more challenging. With hundreds of apps running on the same device, an exploit in any app can compromise the security of your emails.
Phishing is the most common email attack. It involves a legitimate-looking email asking recipients to hand over personal, financial or login credentials. Human decision-making is the target of this attack.
The phishing email above uses several tactics like authority, time pressure, tone of voice and personalization to influence human psychology. Scammers can manipulate readers to act under false assumptions by instilling a sense of trust and fear. In 2021, over 323k people fell victim to this type of attack.
An IBM Security Services paper published in 2014 concluded that “95% of cyber attacks and events involve preventable human error and behavior weakness”. This number suggests that users are vulnerable, independently of exploits found in platforms and software. Psychological explanations for this include:
In the end, users do not believe cybersecurity is essential and leave themselves open to attacks. Even basic security hygiene is ignored, like using a strong password and not oversharing sensitive information.
A quick search for "email security product" on Google returned 1.9 billion results, but emails continue to get hacked. Why? I believe it comes down to two things: the overwhelming number of ways emails can get hacked and the complexity of security solutions.
A scammer can try to attack your email account in many different ways. You must successfully defend against all possible attacks to win, but the scammer only needs one successful attack to take over your account. The situation can feel futile, but it's still worth trying.
Consider a bank that uses steel doors to protect its assets. If a robbery occurs in another bank with steel doors, should they deem steel doors useless? No, their steel doors still defend against most thieves. Email security is similar, and it's not all or nothing. You can drastically improve your email security posture by doing a few simple things:
Choose an email provider with built-in security (e.g., Gmail, Outlook)
Protect your login
Beware of email scams
The tips above help protect individual email accounts, but businesses have many employees and deal with large amounts of sensitive data. Email security for businesses requires more advanced solutions.
Businesses not only have to worry about hackers outside of the organization but also about employees and contractors who have access to customer data. Establishing company-wide processes that restrict how sensitive data may be sent is a crucial part of a data security strategy.
Data Loss Prevention (DLP) is a type of software that prevents sensitive data from being lost, misused or accessed by unauthorized users. Traditionally, email DLPs are configured by IT administrators on the company email servers. These configurations can include rules like "block all correspondence from a domain" or "alert when someone sends a 16-digit number". Creating and maintaining these rules is a resource-intensive task. Imagine if IT configures a rule that prevents emails from being sent to a domain, but a contractor needs that domain for work. What happens when a loan company frequently sends 16-digit loan numbers that look similar to credit card numbers?
New DLP solutions use machine learning to determine how members of your company communicate and the context behind every interaction. Machine learning works by processing large amounts of data to recognize patterns in employees' communication. For example, "my SSN is 123456789" and "call me at 123456789" both contain the same number, but one refers to an SSN and the other to a phone number. With machine learning DLP, no rules are required.
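To make the two preceding paragraphs concrete, here is an added example (written for this article; it is not Strac's code and not any DLP product's rule syntax) that runs the "alert on a 16-digit number" rule over constructed messages. It shows the loan-number false positive, a cheap precision fix an administrator can apply (the Luhn check every payment card number satisfies), and a keyword-window classifier that tells "my SSN is 123456789" apart from "call me at 123456789". The keyword window is a hand-rolled stand-in for the trained NLP the article describes, and the sample messages, hint lists and the publicly published test card number 4111 1111 1111 1111 are all assumptions of the example.

```python
import re

# Constructed sample message bodies (not from the article).
SAMPLES = {
    "loan":  "Hi, your loan number is 1234 5678 9012 3456, call me with questions.",
    "card":  "Please charge card 4111 1111 1111 1111 for the invoice.",
    "ssn":   "For the application, my SSN is 123456789.",
    "phone": "Thanks! Call me at 123456789 after lunch.",
}

# The kind of rule an administrator types into a traditional DLP:
# any run of 16 digits, allowing spaces or dashes between groups.
SIXTEEN_DIGIT_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
# Nine digits, bare or in SSN-style 3-2-4 grouping.
NINE_DIGIT_RE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")


def naive_rule(text):
    """'Alert when someone sends a 16-digit number': every hit is flagged,
    so loan or order numbers become false positives."""
    return [m.group() for m in SIXTEEN_DIGIT_RE.finditer(text)]


def luhn_ok(number):
    """Luhn mod-10 checksum, which every real payment card number passes.
    Non-digit separators are ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_rule(text):
    """Same pattern, but a hit counts only if it passes Luhn. This drops
    most loan and order numbers while keeping card numbers."""
    return [m.group() for m in SIXTEEN_DIGIT_RE.finditer(text) if luhn_ok(m.group())]


# Hint words used to label a 9-digit number by its surroundings. These
# lists are constructed for the example and are deliberately tiny.
SSN_HINTS = ("ssn", "social security", "tax id")
PHONE_HINTS = ("call", "phone", "tel.", "cell", "mobile", "reach me")


def classify_nine_digit(text, window=40):
    """Label each 9-digit number by the words within `window` characters
    of it. A crude substitute for the context model the article describes:
    it is only as good as its hint lists."""
    findings = []
    for m in NINE_DIGIT_RE.finditer(text):
        ctx = text[max(0, m.start() - window): m.end() + window].lower()
        if any(h in ctx for h in SSN_HINTS):
            label = "ssn"
        elif any(h in ctx for h in PHONE_HINTS):
            label = "phone"
        else:
            label = "unknown"
        findings.append((m.group(), label))
    return findings


def scan(text):
    """Run all three checks over one message body and return the findings."""
    return {
        "naive_16_digit": naive_rule(text),
        "luhn_card": card_rule(text),
        "nine_digit": classify_nine_digit(text),
    }


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, scan(body))
```

Running it shows the loan number tripping the naive rule but not the Luhn-filtered one, and the same nine digits labelled "ssn" in one message and "phone" in the other. The hint-list approach still breaks on phrasing it has never seen, which is the gap the article argues a model trained on real correspondence is meant to close.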
Strac uses natural language processing (NLP) to extract insights about the content of emails. In the simple example above, it can tell the two numbers apart based on their context. Our machine learning model has been trained on millions of emails, rich in information on the kind of data people send and receive daily, and it continues to evolve over time. This enables Strac to identify sensitive data elements in emails in real time. Once detected, sensitive data is removed from emails and isolated in a secure vault accessible only by authorized users.
Having zero sensitive data in the email ecosystem vastly improves security and simplifies compliance audits! Another interesting way to use Strac is as a replacement for secure client portals. As mentioned at the beginning of the article, 83% of consumers prefer to receive business communication over email. With Strac, it is possible to do this even for businesses exchanging sensitive data.
For more information on Strac, please visit the Strac Email Auditor demo on Product Hunt or visit us at strac.io.