And I mean that quite literally: it is the major thoroughfare of information entering and exiting a corporate network. Today, basically every organization depends on email as an important form of communication. Whether it’s to send and receive emails from vendors, customers, or co-workers, email is a cornerstone of a corporate information system.
It is also under constant attack. I am talking about spam, phishing, and its more advanced cousin, spear-phishing. Criminals exploit the vulnerability of email every day. The craftier and newer the attack, the more likely it is to outwit defense technologies like firewalls and “anti” software. End users, regular people doing regular jobs, are often the last line of defense.
But people have weaknesses. People are overworked and underpaid. People are divided, trying to do a million things at once while thinking about a hundred others. Most people haven’t developed the level of intuition about email security that is required to effectively protect against devious attacks. People make mistakes. Avoidable mistakes.
Written policies on email security are all well and good, but how are they being enforced? The truth is, they aren’t. The way email systems are structured today gives companies few options to technically enforce policies. The onus falls back on the tired, distracted employee to make the right security decision.
It’s a game of chance. It’s a dangerous game of chance that can have devastating consequences. I wrote last week about the effects of the Target data breach, not only on Target, but on the entire US economy. That particular and massive breach was caused by nothing more than a collection of human mistakes and a simple phishing email. Email, not some crazy intelligent hacking attack. A simple, though resourceful, phishing email.
While the healthcare industry has been under mounting pressure over the past years to do more with regards to data security, the retail industry has had it relatively easy. The frequency and size of recent attacks, however, mean we can expect to see increased regulatory pressure. The FTC, for one, is seeking more enforcement authority, including the ability to penalize companies that fail to adequately protect customer data.
But the status quo is such that there is precious little companies can do to effectively protect their email system from such attacks. Short of taking email offline entirely, they can invest in more training, write more policies, and at the end of the day still cross their fingers and hope that it’s good enough.
Now I personally prefer happy endings in stories. I like to think that a time of crisis and urgency enables us to look beyond what we know today and embrace a better way. It has the ability to incite a desire to break out from complacency. And that’s where we come in. We’re part of a new school of information security. We believe that companies should be able to satisfy the need for communication and collaboration alongside the need for security, without hindering business. We believe that technology has the ability to fill in the holes and vulnerabilities that exist in the conventional email system.