Lack of well-implemented email encryption remains one of the weakest links businesses face today. Companies that fail to take the necessary precautions can be fined for failing to comply with applicable legislation, and can lose customer loyalty and market competitiveness. Don't make the mistake of implementing it based on bad advice, though. Let's look at some of the worst email encryption advice that could leave you vulnerable.
"Just any email encryption will keep you secure."
Not all encryption is equal. The popular TLS 1.0 protocol (and earlier versions) was recently discovered to be vulnerable to what's known as a "man-in-the-middle" attack. Essentially, this allows an attacker to intercept the susceptible TLS email, decrypt the information and view the data in plain text. Although newer versions of TLS, such as 1.1 and 1.2, are available and not currently broken, they are less commonly supported in popular email server systems.
The rule of thumb is to ensure that you are using the best supported encryption available, such as S/MIME and PGP. This also shows why you need to stay on top of technology changes: what's secure today can easily be insecure tomorrow. If you don't have the resources to stay on top of changing technology, consider using a third-party vendor to ensure your system remains secure.
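To see where a mail server stands on the TLS versions discussed above, this Python example (added here, not part of the original article) connects over SMTP STARTTLS with a client that refuses anything older than TLS 1.2 and reports the outcome for each host. Port 587, the TLS 1.2 floor, the outcome labels and the function names are assumptions chosen for illustration.

```python
import smtplib
import ssl
import sys

# Outcome labels are this example's own, not a standard.
VERDICTS = {
    "NONE": "plaintext: server does not offer STARTTLS",
    "REFUSED": "weak: no handshake possible at TLS 1.2 or newer",
    "BADCERT": "untrusted: certificate failed verification",
}


def strict_context() -> ssl.SSLContext:
    """Client context that verifies certificates and refuses TLS below 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumed floor
    return ctx


def negotiated_tls(host: str, port: int = 587, timeout: float = 10.0) -> str:
    """Upgrade an SMTP session with STARTTLS and return the agreed version."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return "NONE"
        try:
            smtp.starttls(context=strict_context())
        except ssl.SSLCertVerificationError:
            return "BADCERT"
        except ssl.SSLError:
            return "REFUSED"  # e.g. server only speaks TLS 1.0 or older
        return smtp.sock.version()  # e.g. "TLSv1.2" or "TLSv1.3"


def audit(hosts, probe=negotiated_tls) -> dict:
    """Map each host to a verdict; `probe` can be swapped for offline testing."""
    report = {}
    for host in hosts:
        try:
            outcome = probe(host)
            report[host] = VERDICTS.get(outcome, f"ok: {outcome}")
        except (OSError, smtplib.SMTPException) as exc:
            report[host] = f"error: {exc.__class__.__name__}"
    return report


if __name__ == "__main__":
    for name, result in audit(sys.argv[1:]).items():
        print(f"{name}: {result}")
```

Run it against your own mail hosts, for example `python tls_check.py mail.example.com`; the file name and host are placeholders.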
"You're an SMB, so you're not a target anyway."
In late 2011, Symantec conducted a survey asking SMBs their position on security. 50% of those surveyed indicated that because they are SMBs, they are not targets for attackers. In a separate study completed by McAfee in 2010, 40% of mid-sized businesses reported a previous data breach, which was a 13% increase from the previous year.
This goes to show that attackers don't just pick on large corporations. Instead, they usually rely on a database of potential victims who work for a variety of businesses and randomly choose a subset to target. From there they will focus on whoever appears to be an easy victim. Don't make the mistake of thinking that because you're small, you can slip under the radar. It's just as imperative that you are as secure as any larger business would be. Ensure you are always using encryption.
"Buying a product will fix all your problems."
Some businesses take a "Field of Dreams" approach to technology: if they buy it, their employees will welcome it with open arms. It's the wrong approach because employees can often work around having to use software they find annoying. Employees may also find a way to disable encryption out of convenience, or they may choose not to enable it in the first place if they have the choice.
The solution is to provide training to employees, but according to the National Cyber Security Alliance, only 35% of SMBs educate their employees on email security. Your training should include how to fully make use of security features in your mail solution but more importantly, why they need to in the first place.
Educate them about the consequences that could happen to the company as a result of being insecure, even if it's just one email that gets sent out without adequate security. Make it clear that it is a violation of your workplace policy and that there are serious repercussions to employees who take shortcuts.
We've looked at several pieces of the world's worst email encryption advice. Using modern technology coupled with employee training, particularly for small or mid-sized businesses, addresses most of the issues. If you don't have the resources to implement encryption thoroughly, consider using a third-party vendor such as iCorps. Contact us with any questions.