History of Email Security
Making Emails 10x Better for User Experience and Security
Making Emails 10x Better for User Experience and Security
We constantly hear people complain about email, saying it’s chaotic, insecure, and a drain on productivity. Some enterprises have even gone so far as to ban emails altogether. Despite the existence of instant messaging, social media apps and client portals, email usage is still increasing, with over 294 billion emails sent every day in 2019.
Emails are an essential tool for consumers. Without an email address, I can't sign up for most e-commerce, banking or social media sites. Without emails, I'd have to download dozens of apps to talk to my friends because a new app seems to pop up every time I check. Worse, half of those apps are unsupported now, so my messages there are lost. In comparison, my Hotmail account from 20 years ago still works and contains an invaluable trail of my past.
If your business is not using email to talk to your customers, it's time to reconsider. Twilio conducted a study on communication preferences in 2020 and found that 83% of consumers prefer to receive business communication over email. Businesses that failed to do so were penalized over 70% of the time through bad reviews or dropped purchases. Email security is a big reason why some companies use secure client portals over email. But what makes emails insecure in the first place?
Business Email Compromise (BEC) & Email Account Compromise (EAC) was ranked the number one Internet crime in 2021 based on the annual FBI Internet Crime Report. In 2021, email compromises caused over $2.4 trillion worth of damages, 28% higher than in 2020. To understand why this is, we must start with how emails work. There will be some technical content ahead; skip ahead to go straight to the solutions.
The email ecosystem consists of four points of interest. First is the Internet protocols (SMTP, IMAP/POP), which specify how emails should be exchanged. Then you have the service providers (e.g., Gmail, Office365, ISPs) and endpoints (e.g., MacBook, Android phone) that implement the email protocols. Lastly, you have the senders & recipients involved in the email exchange.
An email compromise can occur in each of these four points of interest.
SMTP, POP and IMAP protocols were all invented in the early days of the Internet. In those days, the Internet was only accessible to a select few with access to facilities controlled by universities and governments. Protocol security was unnecessary because physical access controls were sufficient at the time.
It wasn't until the 90s, after Netscape popularized SSL, that email protocols started to encrypt messages in transit. Then, in the late 2000s, Yahoo adopted a new set of email protocols, SPF, DKIM and DMARC, which helped verify the identity of email senders.
Unfortunately, the adoption of secure email protocols was slow. After over 20 years of SSL/TLS support, only 89% of emails were encrypted in transit. We see even less adoption of the relatively newer authentication support. Asian and African countries are lagging behind the adoption curve, with major email providers like Alibaba (China), NetEase (China), Yahoo (Japan) and FCMB (Nigeria) still operating without encryption.
Political control may explain why some countries, like China, hesitate to implement encryption. Another reason adoption is hard is that email is an open protocol. Anyone can set up an email server and send/receive emails, but not everyone is incentivized to upgrade their email server. The number of active email accounts crossed the 100 million mark by the late 90s. It is no wonder why email protocols are not secure even to date.
Email providers like iCloud, Gmail, Outlook and Yahoo! make it so simple that it feels like everyone and their grandma is using them. Not only that, these are all fortune 500 companies, so it's easy to trust them to keep your emails safe. But under the hood, these email providers simply operate software that uses email protocols. Hackers love compromising emails because (1) it contains a treasure trove of private information, and (2) emails can be shared quickly, making them a logistical highway for spreading malware.
In March 2021, a Chinese hacking group exploited four vulnerabilities on Microsoft Exchange servers to extract email contents from over 30,000 organizations. Above is an exchange between the former director of the Cybersecurity & Infrastructure Security Agency (CISA) and the White House National Security Advisor (NSA).
Microsoft, one of the leaders in cybersecurity with billions of dollars of budget, failed to secure email servers. It's hard to imagine how anyone can. While it can seem impossible to airgap email servers, ensuring your smartphone is secure is even more challenging. With hundreds of apps running on the same device, an exploit in any app can compromise the security of your emails.
Phishing is the most common email attack. It involves a legitimate-looking email asking recipients to hand over personal, financial or login credentials. Human decision-making is the target of this attack.
The phishing email above uses several tactics like authority, time pressure, tone of voice and personalization to influence human psychology. Scammers can manipulate readers to act under false assumptions by instilling a sense of trust and fear. In 2021, over 323k people fell victim to this type of attack.
An IBM Security Services paper published in 2014 concluded that “95% of cyber attacks and events involve preventable human error and behavior weakness”. This number suggests that users are vulnerable, independently of exploits found in platforms and software. Psychological explanations for this include:
In the end, users do not believe cybersecurity is essential and leave themselves open to attacks. Even basic security hygiene is ignored, like using a strong password and not oversharing sensitive information.
A quick search for "email security product" on Google returned 1.9 billion results, but emails continue to get hacked. Why? I believe it comes down to two things: the overwhelming number of ways emails can get hacked and the complexity of security solutions.
A scammer can try to attack your email account in many different ways. You must successfully defend against all possible attacks to win, but the scammer only needs one successful attack to take over your account. The situation can feel futile, but it's still worth trying.
Consider a bank that uses steel doors to protect its assets. If a robbery occurs in another bank with steel doors, should they deem steel doors useless? No, their steel doors still defend against most thieves. Email security is similar and it's not all or nothing. You can drastically improve your email security posture by doing some simple things.
Choose an email provider with built-in security (e.g., Gmail, Outlook)
Protect your login
Beware of email scams
The tips above help protect individual email accounts but businesses have a number of employees and deal with large amounts of sensitive data. Email security for businesses require more advanced solutions.
Businesses not only have to worry about hackers outside of the organization but also employees and contractors that have access to customer data. Establishing company-wide processes to restrict sensitive data from being sent is a crucial part of data security strategy.
Data Loss Prevention (DLP) is a type of software that prevents sensitive data from being lost, misused or accessed by unauthorized users. Traditionally, email DLPs are configured by IT administrators on the company email servers. These configurations can include rules like "block all correspondences from a domain" or "alert when someone sends a 16-digit number". Creating and maintaining these rules is a resource-intensive task. Imagine if IT configures a rule that prevents emails from being sent to a domain, but a contractor needs it for work. What happens when a loan company frequently sends 16-digit loan numbers that look similar to credit card numbers?
New DLP solutions use machine learning to determine how members of your company communicate and the context behind every interaction. Machine learning works by processing large amounts of data to recognize patterns in the employee's communication patterns. For example, "my SSN is 123456789" and "call me at 123456789" both contain the same number, but one refers to SSN and the other phone number. With machine learning DLP, no rules are required.
Strac uses natural language processing (NLP) to extract insights about the content of emails. In the simple example above, it is able to differentiate between what the two numbers are based on its context. Our machine learning model has been trained on millions of emails, rich in information on the kind of data people send and receive daily. And they continue to evolve over time. This enables Strac to determine in real-time sensitive data elements in emails. Once detected, sensitive data is removed from emails and isolated into a secure vault accessible only by authorized users.
Having zero sensitive data in the email ecosystem vastly improves security and simplifies compliance audits! Another interesting way to use Strac is as a replacement for secure client portals. As mentioned in the beginning of the article, 83% of consumers prefer to receive business communication over email. With Strac, it is possible to do this even for businesses exchanging sensitive data.