Why secure email?
The number of “whaling” attacks through company email systems is on the increase. Is your business doing everything it can to keep information and profits safe?
More and more companies are becoming aware of the pressing need to increase the security of their digital communication systems. There has been a huge increase in attacks on email communication in recent years, leading to the loss of sensitive information, client and company funds, and the reputation of countless companies.
The UK government released these startling figures in 2018:
- 43 per cent of businesses identified security breaches in last 12 months
- 75 per cent of employees across all businesses received one or more fraudulent emails
- 28 per cent of employees across all businesses were being impersonated online
- 24 per cent of businesses experienced a virus or malware attack
Even more worrisome is that only 20 per cent of businesses believe they have the relevant tools and training to deal with this threat.
The risks of using standard email
Highly trained, highly motivated cyber criminals are targeting businesses and helping themselves to millions of pounds via spoofed email messages.
These messages target finance staff, encouraging them to expedite a payment to a supplier that the managing director or chief executive cannot execute due to being away from the office.
This new phenomenon has been dubbed “whaling” as the mark is one large target, as opposed to “phishing” which looks to defraud a larger number of smaller targets.
The attacker is able to intercept emails between companies and read their content. Over many weeks or even months, the attacker learns how to impersonate the style and language of those sending and receiving the emails.
The attacker is then able to send a bogus request for money, including new bank account details for the transfer. As the attacker has lots of information about the target, the request will appear to be genuine and money is very often transferred to the attacker’s account.
According to a 2018 report by Symantec, the average user receives 16 malicious spam emails per month.
Even if a business only has 20 employees, that is 320 attacks per month. Businesses often trust in their employee’s ability to scrutinise emails and make the right decision whether to open them or not. That amounts to 3,840 bullets to dodge every year.
An attacker is able to successfully infiltrate a target as standard email has no way to verify the email address of a sender or recipient. This means that the displayed “to” or “from” name actually has no relation to the email address behind it.
Many medium and large companies have been targeted by these attackers, with unwitting CFOs and finance leaders losing more than £9.1 billion between them since 2013. Snapchat is the latest high-profile victim, revealing employee payroll information to an unknown attacker.
As with any scam of this type, the goal of whaling is to trick someone into disclosing personal or corporate information through various methods, most typically email correspondence.
As well as significant financial loss, since May 2018, compliance has become a high priority for companies doing business in the UK and Europe.
The new General Data Protection Regulation (GDPR), which came into force on 25 May 2018, will still apply to UK companies dealing with the EU regardless of the UK’s decision to leave the union, and has transformed the way that companies send emails.
The Information Commissioner’s Office has published detailed guidance on encryption to demonstrate when and where different strategies can help provide a greater level of protection.
All businesses need to prove they are fully compliant with the new regulations and should be focused on the secure transmission of sensitive and financial data via email.
GDPR requires that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”, and expressly states that such measures include the pseudonymisation and encryption of personal data.
A breach under this new legislation carries its own possibility of financial loss, with a fine of up to €20 million or 4 per cent of a company’s worldwide turnover.
Why are companies slow to adapt to secure email?
Statistics show that less than 20 per cent of businesses today use any form of encryption when sending data via email. Why is this?
Most of the problems rest with the recipient. The sender may have the technology to send an email securely, but 99 per cent of the time, the recipient will not have the means by which to respond using the same secure method.
The four biggest complaints from recipients of secure emails are:
- Portals – the recipient is presumed to have access to a specific software portal
- Log-ins – the recipient needs to log in to the sender’s service to respond
- Software downloads – the recipient needs to install some untrusted software to access messages
- Account registrations – the recipient needs an account with the supplier of the secure messaging service
Any one of these requirements leads to a cumbersome process both for the recipient and for the sender who needs to explain each step.
Removing these hurdles ensures that secure email is as easy as sending a standard email.
Encryption and compliance
Once email has been secured, it is still important to consider the General Data Protection Regulation. Under GDPR, proof of compliance is still required, and even if a business is using a form of encryption, that business still needs a method of proving they have been compliant.
With cyber attacks showing no signs of slowing down, all businesses need to take steps to secure their email communication with clients and implement a system able to prove that these measures are being adhered to.
To help with all of the issues discussed above, RMail services can provide an easy-to-use solution for the transmission of sensitive and financial data via email. Businesses can have confidence that their data has been sent securely, with an audit trail for GDPR compliance and no portals, sign-ups or software for the recipient to download.
Mike Roberts, head of digital services at Frama UK Limited