E-mail has just celebrated its 42nd to convey messages to different users of the same computer. Today, what was described as a “nice hack” in the 1970s has become the most widely used application on the Internet – over 2,2-billion people use e-mail every single day.
Unfortunately, most of us don’t think about the security implications of this communication tool beyond avoiding phishing scams and spam.
“The issue is that e-mail was not designed to do the things we do with it today,” says Brian Lennstrom, product manager for OpenText’s Secure Mail.
“People store all of their content in their mailboxes. They send intellectual property back and forth. How the information gets from A to B simply doesn’t concern most people, but it should.”
There are two main security issues with e-mail today, Lennstrom explains. Once an e-mail user hits the send button, the information travels through a series of hops. Simply put, a hop is a portion of the path between a source and an end destination. Thus your data doesn’t simply land with the intended recipient – it travels through different routers, ISVs and gateways.
The second problem is that the Simple Mail Transport Protocol (SMTP) used by mail servers is not a secure protocol, leaving it vulnerable to hacking or access by a third party, as highlighted by the recent PRISM scandal.
This program gained notoriety when it was revealed that the National Security Agency (NSA) was collecting stored Internet communications based on demands to companies such as Google and Apple.
“Anyone that downloads a packet sniffer from the Internet can see all the data packets passing through your network, including passwords and confidential information,” Lennstrom says. “It’s not necessarily a problem within a closed network, but if you are using public Wi-Fi, you can very easily be hacked. The question to ask yourself is: Do I care who is reading my e-mail?”
Since surveys have shown that most individuals balk at the idea of sharing a mailbox (even with a spouse or partner), we can assume that the answer is “yes”. Unfortunately, e-mail has become non-negotiable in the business environment, which begs the question: is there a way to use e-mail securely, without disrupting operations or requiring staff to use an alternative method of communication?
“E-mail may yet be replaced in our lifetime, but there simply is not a viable alternative at this stage,” says Craig Freer, head of Enterprise products at Vox Telecom.
Vox Telecom has recently worked with OpenText to launch MailTrack, South Africa’s first auditable, secure e-mail service.
“Existing secure mail services focus on encryption, which is important and prevents hacking from third party sources, but which does not address the threat of internal data leaks or data loss.”
Freer believes that the need for a secure and auditable e-mail service has never been more imperative. “The advent of POPI has meant that South African businesses have to not only look at external threats to data security, but the internal ones too. When your e-mail is secure and equipped with an audit trail, you are no longer sending messages into a dark hole.
“You can see exactly who opened your message, whether they read it, downloaded an attachment, or forwarded it. It integrates with your existing mailbox, and is very intuitive – there is virtually no need to retrain staff to use it, and birthday. Initially it was limited to mostly military users, and used very little disruption.”
Freer says that a truly secure service will also include several other benefits. “Your typical mail server will allow you to send an e-mail to any valid e-mail address. If you are sending a secure message, however, it will warn you if it does not recognise the recipient and ask you to add him or her as a new user. It may not prevent all data losses, but it does minimise the risk of data losses through incidents such as miskeyed addresses.”
Sophisticated secure e-mail tools can even prevent information leaving the company through predetermined protocols. “You can set up the system to recognise sensitive data patterns – the typical format of a credit card or ID number for instance – and prevent employees from distributing that via e-mail. Other companies, for example, prevent employees from sending information to particular domains, such as their competitors.”
Whereas a typical SMTP protocol does not allow for the transfer of large data files (10MB or larger), a good secure mail system (that does not make use of SMTP) can. “This has become crucial in the digital age,” says Freer. “We’ve found that if an employee has to send a large attachment, and can’t, they use of other ways of transmitting it. File-sharing apps downloaded from the Internet (such as Dropbox, 4shared and others) or memory sticks are the main culprits…and not a very secure means of data transfer.”
Lennstrom says that although e-mail security compliance can seem daunting, it will soon become a way of life. “Fifty years ago, people didn’t lock their doors when they went out. Now we’ve realised that locking the doors may be a small change, but the impact of not doing so can be significant, and it’s become second nature. E-mail security will follow suit.”