
Managing email security

Article Type: Industry Focus | Published: 05-2016



Businesses place heavy reliance on email - making it a prime target for hackers. But can any single system lock them out?

The majority of businesses rely heavily on email, with research suggesting that the typical corporate user sends and receives around 105 email messages a day [1]. No wonder, then, that Mike Dearlove, managing director, EACS, cautions that "maintaining email security is vital to defend against hackers seeking to capture corporate information and disrupt business operations, prevent accidental or deliberate internal data breaches from corporate email systems and mitigate the risks posed by employee-owned devices".

EACS recently surveyed a cross-section of UK organisations to look at their concerns about email security and corporate vulnerabilities [2]. Respondents identified three main threats: spam and email viruses (28%), an accidental data leak (28%) and targeted attacks such as spear phishing (27%) - see Figure 1, above. Malicious leaks from within the company were considered a much lower risk (14%).

"Clearly, it is impossible to prevent attacks from being attempted. However, there are a number of email security systems available that can be integrated seamlessly with existing email packages and minimise the impact of such activity," says Dearlove. "These, combined with user education to minimise the risk of accidental data leaks, will help organisations mitigate the threats to their business."

He singles out an organisation that recently implemented an email security solution - T C Harrison, one of the UK's largest privately owned motor groups, with a turnover of £200m and 500 staff across 16 locations. "It is not unusual for the organisation to process over 12,000 emails a day. After its email systems had become unreliable, the organisation implemented a hybrid solution combining Microsoft Office 365 and Mimecast email management. As well as providing spam and virus detection and email archiving, this encrypts emails whenever the company wants to transmit commercially sensitive data, such as customer lists for use by third party marketing organisations," he states.

Twelve months after implementation, the sheer volume of spam rejected is sobering. "In one week alone, the new system rejected 73,912 emails across the group, including nine virus signature detections, 455 spam signature rejections and 2,314 rejections based on IP reputation," reveals Dearlove. "That represents a huge saving in wasted time for staff, as well as helping to safeguard corporate data. It also shows just how significant the email security threat is and reminds us that we need to remain constantly on our guard."

Madhusudhan Reddy, HPE SecureMail Product Management, HPE Security - Data Security, refers to the different standards used for encrypting email. "Some email encryption standards, such as PGP and S/MIME, are extremely difficult to use. In a study conducted in September 2015, only one out of ten pairs in a study was able to successfully send a secure message using a PGP client. However, one of the participants in this successful pair had previously learned about public key cryptography. This research reiterated the findings of a study conducted more than 15 years earlier that PGP is still difficult to use."

In a PGP-based system, users have to create a public and private key pair, and must share their public keys before being able to receive an encrypted email, he points out. "Not only would a typical email user find it difficult to create an encryption key pair, but the user must also safeguard the keys indefinitely. In an enterprise setting, this could lead to huge databases of keys to manage for long periods of time.

"Another problem with this approach is the potential loss of or compromise of encryption keys. If the keys are lost, users cannot decrypt their messages, and, if the private key is compromised, there is no way to rectify the situation, except to stop using the corresponding public key," adds Reddy. "Users could create multiple encryption key pairs, which would cause confusion as to which public key was used for encryption and which private key must be used for decryption. Satisfying regulatory compliance requirements, such as eDiscovery, also becomes complex with so many keys to manage."

One alternative approach for encryption, he says, is Identity-Based Encryption (IBE). "In IBE, any identifying information, such as an email address, machine name, or employee ID, can serve as the public key for encryption. IBE has been proven to be very successful for email encryption, where the recipient's email address essentially serves as the public key for encryption. The email recipient registers with the sender's secure mail server and, once authenticated, decryption keys are generated," he continues.

"Key management can be stateless and time-bound, meaning the keys do not have to be stored. Instead, the keys are generated on demand. Also, the keys are valid for a limited time, so, in case the decryption keys are compromised, the damage is limited. Satisfying regulatory compliance requirements, such as eDiscovery, is easy, as the necessary keys to decrypt select email can be generated on demand, with appropriate levels of authentication for supervisory access. The email is delivered in the recipient's regular inbox, so access from a mobile device is not an issue, as long as they can access their regular email from a mobile device. Since there are no keys for the end users to manage, this solution is known to be not only secure, but also highly scalable."
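As an added illustration (not code from the article, from HPE SecureMail or from any product), the following Python models the key-management property Reddy describes: a key server that regenerates a recipient's period-bound decryption key on demand from a master secret, stores nothing per user, authenticates the recipient before releasing a key, and can regenerate the same key for a supervisory eDiscovery role. It substitutes HMAC-based symmetric derivation for the pairing-based IBE primitive, so the sender's gateway in this model holds the master secret; that is an assumption of the demo, not a property of real IBE, where anyone can encrypt to an address from public parameters alone.

```python
import hashlib
import hmac
import os

# Constructed demo master secret: a real key server keeps this in an HSM,
# and uses pairing-based IBE rather than HMAC derivation (assumption of the demo).
MASTER_SECRET = hashlib.sha256(b"constructed-demo-master-secret").digest()


def derive_key(identity: str, period: str) -> bytes:
    """Stateless derivation: (identity, period) always maps to the same key,
    so the server stores no per-user key and can regenerate it on demand."""
    label = f"{identity.lower()}|{period}".encode()
    return hmac.new(MASTER_SECRET, label, hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC in counter mode as a stand-in stream cipher for the demo."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_for(identity: str, period: str, plaintext: bytes) -> dict:
    """Sender's gateway: encrypt under the key bound to the recipient's address
    and the current period; the envelope names both so the recipient knows
    which key to request from the key server."""
    key = derive_key(identity, period)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"to": identity, "period": period, "nonce": nonce, "ct": ct, "tag": tag}


def issue_key(authenticated_as: str, identity: str, period: str, supervisor: bool = False):
    """Key server: release a decryption key only to the authenticated recipient,
    or to a supervisory (eDiscovery) role, which may request any mailbox's key."""
    if not supervisor and authenticated_as.lower() != identity.lower():
        return None
    return derive_key(identity, period)


def open_envelope(key: bytes, env: dict):
    """Recipient: verify the tag before decrypting. A key for another period or
    another address fails here, which is what bounds the damage of a leaked key."""
    expected = hmac.new(key, env["nonce"] + env["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, env["tag"]):
        return None
    return bytes(c ^ k for c, k in zip(env["ct"], keystream(key, env["nonce"], len(env["ct"]))))
```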
