Misconceptions About Email Security
Written by Jeff Orloff on July 25, 2011
When you don’t understand something that your job requires you to know, the most logical thing to do is research the topic and learn as much as you can about it. For many people who find security as part of their job description, learning as you go is the only option available. Yet despite the fact that there is so much information readily available to us, misconceptions regarding email security still confuse many professionals tasked with maintaining the confidentiality, integrity and availability of email services.
Blocking executable files will stop malware from being spread among users
Filtering all attachments with an .exe or .msi extension was once a common way to keep users from sending infected files to one another through email. Many still consider this a best practice for securing email systems; however, as more tech-savvy workers entered the workforce, they found ways around it. Generally, people simply change the extension on a file and send it as an email attachment to a co-worker, friend, or family member. The recipient downloads the file and changes it back to the correct file extension. If that file has malware attached to it, the recipient will become infected when the file is opened, and the infection could spread to other machines on your network.
Another scenario that dates this method of securing email, and is much more common, is when a user receives an email with a link in it. This link takes the user to a seemingly harmless website that is hosting drive-by downloads that install malware onto a computer when the person visits the site. No action on the part of the user is necessary other than clicking on the link.
Email security solutions need to address both of these scenarios in order to truly offer protection.
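The renamed-attachment scenario above is caught by looking at what a file contains rather than what it is called. The following is an added example, not code from the original article: it uses Python's standard email package to check each attachment's leading bytes against known signatures, falling back to the extension rule. The sample message, addresses and function names are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Leading bytes of the formats the extension filter was meant to stop.
# Note: the OLE signature is shared by .msi and legacy Office documents,
# so a production filter would need a second check to tell them apart.
MAGIC = {
    b"MZ": "Windows executable (PE)",
    bytes.fromhex("d0cf11e0a1b11ae1"): "OLE compound file (container used by .msi)",
}
BLOCKED_EXT = (".exe", ".msi")

def sniff(data):
    """Return a label if the content starts with a blocked signature, else None."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return None

def scan_message(raw):
    """Return [(filename, reason)] for attachments blocked by content or by name."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        label = sniff(data)
        if label:
            findings.append((name, "content is " + label))
        elif name.lower().endswith(BLOCKED_EXT):
            findings.append((name, "blocked extension"))
    return findings

def build_sample():
    """Constructed sample: an executable header renamed to .txt, plus real text."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "driver"
    msg.set_content("Rename the attachment back to .exe before running it.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="driver.txt")
    msg.add_attachment("plain notes\n", filename="notes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reason in scan_message(build_sample()):
        print(name, "->", reason)
```

The check reads only the first bytes of each attachment; files packed inside an archive would have to be unpacked and sniffed the same way.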
Attackers target large companies because that is where the rewards are greater
We often hear about large financial institutions being hit by attackers, with the number of users whose confidential information is stolen reaching into the millions; or maybe it’s an attack against a huge government organization, like the Oak Ridge National Lab attack, that makes the headlines. At the same time, we almost never hear of a mom and pop store where the same thing happens. That’s because it’s not sensational. A small business being breached doesn’t warrant enough interest from the major networks, but that doesn’t mean it never happens. It actually happens more frequently to small and medium sized enterprises than it does to the big corporations.
Large companies often have the budget to better secure email systems against attack, whereas smaller companies often rely on security by obscurity as their solution, and attackers know this. Whether attackers are looking for the lower hanging fruit or simply trying to hone their skills, SMBs are frequent targets of email security attacks.
Finding security products that are geared towards SMBs is essential not only because they are affordable, but because they are tailored to the needs of these organizations.
Email encryption is only for healthcare and financial institutions
It is true that these two industries are required by certain regulations to encrypt email messages. While other industries have nothing that says encryption is necessary, it is still good practice to make sure your emails aren’t sent in plain text across the Internet.
There are many reasons why a smaller company would want to protect information sent via email. You could be sending confidential information about employees, details about an investigation, sensitive company financial data, strategies for growing your business… the list is endless. But no matter what the reason for keeping a lid on the contents of your message, if it is not encrypted then anyone with the know-how can capture and read these emails.
Email stored behind your firewall is more secure than email stored in the cloud
Cloud security is one of the most hotly debated topics when it comes to email security. Moving email services to the cloud will certainly take security and control out of your hands and put that responsibility on your cloud provider. But that doesn’t always have to be a bad thing.
If you research cloud providers and find one that takes security seriously and is open to answering questions about your email and data, then odds are their staff will be better able to handle security than a small IT department where the staff wears many different hats.
Cloud providers also have multiple data centers to handle back-up and recovery, as well as multiple layers of security.
Getting the right information when it comes to security can be rather difficult. There are many supposed “experts” who make a great deal of money selling snake oil to companies whether it is in the form of a security solution or education. The key is to read as much as you can and always look for the counterpoints when it comes to finding the best solution. If you spend enough time doing your homework up front, you will spend less time in the future dealing with mistakes.



July 26th, 2011 at 12:55 am
Definitely an excellent point about not just thinking that SMBs are immune to attack. Though they may not get the press coverage that the government-related and Sony breaches receive, they happen more frequently, and make up the bulk of gains by malicious hackers.
Even if you’re just operating out of a home office with 1 or 2 PCs, don’t think that you’re immune to having any sensitive information taken from you. Keep backups, encrypt your data, and protect yourself and your customers.
July 28th, 2011 at 9:36 am
True, small and medium-sized enterprises were / are also attacked but it did not merit enough attention because it’s not worth mentioning. Let’s face it, the media only writes news that will excite a lot of people.
This also has something to do with ego. Hackers will not divulge that they’ve hacked into a small business. They will not get recognition out of it coming from the hacker community.
July 28th, 2011 at 1:57 pm
Great points. I used to get so frustrated by email systems that blocked all types of .exe files or even .zip files. I remember once trying to send a Windows driver to a customer via email and the email server kept blocking my messages.
I think the jury is still out on cloud security. The recent attacks on Sony, RSA, Lockheed-Martin (to name but a few) certainly highlighted the danger of having your data out there where anyone can attempt to access it. But I think it is also fair to say that lots of data has been stolen from small, private systems behind inadequate firewalls.
I run a small business and our company web site has been attacked several times for what seems like no particular reason other than malice. None of us are immune.
July 31st, 2011 at 5:09 pm
Great points, thanks. I liked the point about encryption because I have often had hard times convincing clients, bosses, partners, etc. that you don’t have to be paranoid to use encryption. The other points are also useful, thanks again.
August 2nd, 2011 at 7:49 pm
Hey, how about: email messages received on Mac computers are not susceptible to, or do not contain, malware, and it will not attack Mac OS. I read about this a couple of years ago, and it is a complete misconception. All computers are vulnerable to email security flaws – PC or Mac.
When it comes to cloud computing, the platform still has to prove itself. We should not jump to conclusions immediately. If you believe what most providers are saying, “email security in the cloud is top-notch”. For me, this is a so-so statement. I’ll wait a couple of years before I transfer my email service to the cloud.