Email Security Services from Keep IT Secure.

EMAIL SECURITY

Why the risks exist

Email has become an accepted facet of everyday life for most businesses; indeed, it is probably fair to say that many organisations could no longer trade effectively without it.

It is widely recognised, however, that email carries risks simply because, by its very nature, it connects individuals and businesses to each other across the internet. The traffic volumes are truly immense, and because criminals and hackers have exploited email security weaknesses for many years, a wide library of protection tools and products has become available on the open market.

But of course the determined hacker, often technically well qualified, simply sees these blockers as one more challenge and often has the ability to circumvent them.

Initially, email and/or attachments were used as an easy way of penetrating networks, and as hacking techniques became more sophisticated, viruses and other “malware” (software designed for malicious purposes) were hidden as “Trojans” so that they were not detected by virus protection software or similar products.

The IT industry reacted to that with more sophisticated virus detection, following which the hackers continue to find new ways of breaking into systems – and so the cycle continues. The need for vigilance and protection to ensure email does not introduce security problems for your business cannot be overstressed.

The Risks

Risks are many and varied, including:-

  • Denial of Service attack – where email traffic is generated and sent to the target mailbox/server to saturate them until they eventually fail.
  • Spoof emails – designed to trick or entice the recipient into responding, in which case any response provides useful user and other information to the hacker.
  • Trojans – usually contained in attachments, using innocent-looking emails as a means of getting into the system, from where malware or other hacking tools can be easily downloaded.
  • Robot (often referred to as a “bot” or, where several “bots” are joined together, a “botnet”) – the use of email by a hacker as a means of gaining access to, and then subsequent control of, the company’s network or systems.
  • Litigation or other consequences as a result of misuse.
  • See our jargon buster for further email threats such as Phishing, Worms, SPAM, etc.

What to do about it

The most obvious and widely used protection against e-mail attack is the use of effective virus protection and filtering software. However, in using such software it is essential that:-

a) it is configured correctly and
b) updates are applied regularly

Use of software protection alone, however, is not enough; great care is needed in using e-mail, both:-

a) from the point of view of inadvertently playing into an attacker’s hands (e.g. by allowing a virus into the system, perhaps by opening a rogue attachment, or by providing sensitive information such as bank details in response to what looks like a genuine e-mail but is not) and:-
b) simply by the misuse of the e-mail facility, which can have a variety of consequences, from simply upsetting a colleague in the workplace to incurring financial loss from, for example, inadvertently entering into a contract or exposing the individual or the business to litigation.

So it is not sufficient simply to put in the necessary hardware and software protection. Unless there is a strict E-Mail and Internet policy in place which clearly sets out the ‘rules’ and guidelines for using both e-mail and the internet, significant risks will remain despite the business having apparently taken appropriate protective steps.

As with most aspects of IT security, it is recommended that outside expertise is engaged to ensure that all potential areas of risks have been addressed effectively.

