Secure Email: Silver Bullet for Messaging system

Secure Email at workplace

During one of my recent meets with a CEO of a media company, I got pulled into a conversation on one of my favourite topics – How can we secure Email? Having been interacting with top management of several other mid sized businesses over several years, the concerns and issues raised by them were almost always the same.

They are all looking for that one complete secure email solution which will solve all their IT security miseries once and for all, and want a fairy tale ending “… and they lived happily ever after.

That’s when I realised it is my duty as an IT professional, that I increase awareness on this topic, where buyers have unrealistic expectations from point solutions, or worse still, keep them blissfully unaware of the security risks existing in their organisation.

Here is an extract of the common grouses that top management hold in their mind regarding secure email systems:

We have invested in the best and continuously updated antivirus on every user’s desktops since 3 years. Our network is protected by Firewall from one of the top 3 vendors. Everything has been working fine since then. It’s only in the past 2 months that we are facing repeated compromise of emails accounts on our internal mail server. Is this some kind of intentional sabotage by those handling the mail server?

With due respect to the Top 3 security products that you deployed 3 years ago, the fact of the matter is that the world has moved on much ahead since that day.

  • Your organisation is 3 years older since then. A lot more people know your organisation now.
  • Your employee headcount has gone up. A lot more hands and minds are working for you now.
  • Your reliance on electronic communication such as Email, Messaging and IT systems in general has gone up multifold since then. Did you notice the drop in your monthly courier expenses?
  • Your business volumes have gone up.
  • A significant amount of your banking transactions have moved from paper cheques, to digital modes such as NEFT, RTGS, and others.
How does all this matter? Our security is a piece of hardware and software. When it could do well for us then, even today it has to do the same!

That’s precisely the point. Today, your so called secure email system is doing exactly the same that it was doing 3 years ago. But that is no longer enough.

The stakes for breaking into a corporate network, or email systems are now much higher for criminals. You are now having cyber criminals who are at your doorstep, day and night, looking for every opportunity to barge in. Just because they are not visible to you by eye, or do not appear in your 48-camera CCTV monitoring system, does not mean they are not present. In fact, they may already have a decoy inside your office right here, listening to everything that is happening inside your organisation and informing them.

Oh c’mon, you seem to be watching a lot of sci-fi movies of late. Let’s be realistic for some time.

I am sure you are not so gullible to believe that the cyber criminals, who you commonly refer as “hackers” are still using the age-old techniques. They have gone far beyond that, and are continuously changing their techniques to duck the security systems.

  • They have the advantage of gathering information about you and your organisation through various channels, including Social Media.
  • They have access to tremendous computing power at a dirt cheap cost, thanks to the 24 hour Internet connectivity that most end user devices have these days.
  • They have underground trading network where they can buy and sell data of compromised accounts. Cyber crime is a big global business!
  • For end users, it is becoming increasingly difficult to judge if the message they just received indeed come from a legitimate source.
  • Social engineering techniques to make users part with confidential data pays rich dividends to the criminals.

Oh, and regarding your email accounts? Well for one, silently gaining access to your account makes them aware who your customers and suppliers are. What is the mode of billing and payment. When is your next big electronic payment transaction expected. They now know the exact moment, when they need to take over the reins of your account and send a crafted mail to your associates and mislead them into making that payment transfer to the hacker’s account instead.

And if the account does not have such correspondences to take advantage of, the least they can do is to use it for sending a few thousands of other phishing and fraudulent mails from the account, and utilise your resources. This then leads to blacklisting of your IP Address and domain name, causing mail delivery failures to external addresses.

Are you trying to scare me into buying a new solution that you just launched?

Very humbly Mr. CEO, the cost of some remedial solutions is less than the cost of a meal with your family at a fine dining restaurant. That is not something which is going to make us IT service providers millionaires overnight either. But if you would rather save that amount, and keep your organisation exposed to such risks, well I feel sad for your organisation.

So where is the promised Silver bullet for Email Security?

While the hardware and software security tools are very much necessary, they are not going to keep you safe forever by merely keeping them powered on. Security techniques and tools will always keep evolving, and to make sure you are reasonably updated, do consult qualified domain experts. And when they do provide a logical solution, trust them on it. They have spent decades handling similar challenges not for you alone, but for at least a few hundred organisations similar to yours. They have in most cases already solved a problem for some others, that you are facing today. Their collective knowledge and experience is what will take you towards a more secure environment.

It by no way means that you are required to keep making big ticket investments. The improvements may be not only in terms of new technology spends, but also in terms of educating your teams.

And yes Mr. CEO, please engage the services of an effective and always updated Spam & Virus filter, not on your user desktops, not on your email server. But a solution that weeds out the bad mails even before they touch your mail server. There are a few good ones around, including Spamcan with which we have been protecting almost a million mailboxes over the last decade.

And if you are not already using a SSL certificate for secure email transport, your secure email server is a sitting duck!