Mitigating Threats To Your Email Security and Privacy

March 8th, 2009

Email security issues and technologies are extremely complicated; however, here we intend to make the salient issues and solutions clearly understandable to all readers.

You may already know that email is not a perfectly secure communication medium; however, it might surprise you to learn just how inherently insecure email can be. Messages thought deleted can still exist in backup folders on remote servers years after being sent. Hackers can read and modify messages in transit, use your usernames and passwords to log in to your online services, and steal your identity and critical information!

As the amount of crucial business conducted via email increases, so does the amount of Spam, viruses, hacking, fraud, and other malicious activity. Unless precautions are taken, email can leave you and your business open to escalating security and privacy risks. What are these risks?

Email Threats

Eavesdropping: In the usual way that people send, read or download Internet email, all message content (including usernames and passwords) is transmitted between their personal computer and email servers in easily accessible “plain text”. This means that anyone who can intercept this flow of information can read your email and obtain your usernames and passwords; this is referred to as eavesdropping.

It is surprisingly easy to eavesdrop. Often the culprits are others in your organization, individuals at your Internet Service Provider (ISP), or even other clients of your ISP. Simple eavesdropping attacks, like tapped phone lines, lay all of your critical communications wide open to attackers. Worse, these attackers can access your accounts, send email messages appearing to come from you, and steal your identity, all by simply obtaining your usernames and passwords and other confidential information in this way.

Privacy: Did you know that your physical location can often be determined fairly accurately just by examining the email messages you send? Recent legislation allows your ISP to read your email without your permission, and data backups made by email providers and ISPs may be kept indefinitely without your knowledge. With such potential for malicious activity, taking measures to maintain your privacy is more important than ever.

Privacy afforded to your communications, to the data you entrust to your service providers, and even to your physical location is as critical as protecting your communications from eavesdropping, as a lack of privacy is equivalent to allowing people to “eavesdrop” on you and/or to discover your actual address.

Spam and Unwanted Email: While Spam is technically not a privacy or security issue, the sheer quantity of Spam today (reports currently indicate that more than 75% of all email is Spam) decreases productivity and dramatically increases the cost of email use. Spam filtering also poses the potential loss of legitimate email while attempts are made to weed out unwanted messages.

Viruses and Worms: These malignant entities, though almost as prevalent as Spam, are infinitely worse. Viruses and worms can take over your computer, send your private information to attackers, destroy your hard drive, bring your computer to a standstill, or disrupt productivity in general. They are a threat to your privacy and make you suspicious of legitimate email.

Email Bombs and Other Attacks: “Email bombs” occur when you receive an immense number of email messages in a very short time. Dictionary attacks are generated by spammers trying to discover valid email addresses at your organization by sending email to thousands of different addresses. Floods like these can bring your email service to its knees, fill up all your email storage space, and result in the loss of legitimate messages and business.

All of these threats are significant individually; together they pose a serious, on-going, and escalating problem. How can you take advantage of email technology while mitigating your risk from these and other negative factors? And, how can you keep the costs to your organization reasonable?

Mitigating Email Threats

Several technologies and mechanisms can be used to significantly reduce the potential of all of the threats described above. These include:

Encrypted Communications: Information sent between your computer and email service providers can be encrypted so eavesdroppers cannot access any of your data. Encryption is commonly accomplished using “Secure Sockets Layer” (SSL) protocols that are supported by web browsers and email programs. You need to ensure that your provider supports them and that your users enable them.
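To make the "users enable them" point concrete, the following added example (not part of the original article or any provider's code) audits client-side SMTP logs and flags every login sent before encryption was negotiated. The transcripts, host names, and credentials are constructed, and STARTTLS is used here as the assumed way the client turns on SSL/TLS.

```python
import base64

# Constructed client-side SMTP logs ("C:" client, "S:" server); the credentials are made up.
_CRED = base64.b64encode(b"\0alice@example.test\0not-a-real-password").decode()
PLAINTEXT_SESSION = [
    "S: 220 mail.example.test ESMTP",
    "C: EHLO laptop.example.test",
    "S: 250-mail.example.test",
    "S: 250-STARTTLS",
    "S: 250 AUTH PLAIN",
    "C: AUTH PLAIN " + _CRED,
    "S: 235 Authentication successful",
]
ENCRYPTED_SESSION = PLAINTEXT_SESSION[:5] + [
    "C: STARTTLS",
    "S: 220 Ready to start TLS",
    "C: EHLO laptop.example.test",
    "S: 250 AUTH PLAIN",
] + PLAINTEXT_SESSION[5:]


def audit_session(lines):
    """Report every AUTH command sent before TLS was negotiated on the connection."""
    findings, offered, pending, tls_active = [], False, False, False
    for line in lines:
        side, _, text = line.partition(": ")
        words = text.split()
        verb = words[0].upper() if words else ""
        if side == "S":
            if text[:3] == "250" and text[4:].strip().upper() == "STARTTLS":
                offered = True  # server advertises STARTTLS in its EHLO reply
            if pending:
                tls_active, pending = text.startswith("220"), False
        elif verb == "STARTTLS":
            pending = True
        elif verb == "AUTH" and not tls_active:
            user = "<not decoded>"
            if len(words) == 3 and words[1].upper() == "PLAIN":
                # AUTH PLAIN is base64(authzid NUL user NUL password): encoding, not encryption.
                fields = base64.b64decode(words[2]).split(b"\0")
                if len(fields) == 3:
                    user = fields[1].decode(errors="replace")
            findings.append({"exposed_user": user, "starttls_offered": offered})
    return findings
```

A finding with starttls_offered set to True means the provider supported encryption and the client simply did not use it.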

Privacy Policies: Make sure that your ISP and email provider have strict privacy policies stating that your data will never be accessed without your explicit consent. Barring legal injunctions, you can then be more confident in the integrity and confidentiality of your data.

Anonymization: If you are concerned about people discovering the physical location from which you send email, find a provider that allows outgoing email to be stripped of location-identifying information. This is sometimes known as outgoing email anonymization.
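As an added illustration (not code from the original article or from any provider), the sketch below shows which headers of an outgoing message reveal the sender's network address and how an outbound relay could strip them. The sample message is constructed, its addresses come from documentation ranges, and the set of headers treated as location-identifying is an assumption.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed message as held by the provider's outbound relay (documentation IP ranges).
RAW = """\
Received: from [192.168.1.23] (dsl-203-0-113-57.isp.example [203.0.113.57])
\tby mx.example.test with ESMTPSA; Sun, 8 Mar 2009 10:00:02 -0400
X-Originating-IP: [203.0.113.57]
X-Mailer: ExampleMail 1.0
From: alice@example.test
To: bob@example.net
Subject: Quarterly numbers

See attached.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Assumption: the headers this hypothetical relay treats as identifying the client.
CLIENT_HEADERS = {"x-originating-ip", "x-mailer", "user-agent"}


def origin_ips(msg):
    """Addresses a recipient can read from X-Originating-IP and the earliest Received hop."""
    values = msg.get_all("X-Originating-IP", [])
    received = msg.get_all("Received", [])
    if received:
        values.append(received[-1])  # bottom-most Received = first hop = sender's machine
    return sorted({ip for value in values for ip in IP_RE.findall(value)})


def anonymize(raw):
    """Copy the message, dropping the client submission hop and client-identifying headers."""
    msg = message_from_string(raw)
    last_hop = len(msg.get_all("Received", [])) - 1
    out, hop = Message(), -1
    for name, value in msg.items():  # items() preserves the original header order
        if name.lower() == "received":
            hop += 1
            if hop == last_hop:
                continue  # the hop that records the sender's own address
        elif name.lower() in CLIENT_HEADERS:
            continue
        out[name] = value
    out.set_payload(msg.get_payload())
    return out
```

Before stripping, both the sender's private LAN address and public address are recoverable from the headers; afterwards the recipient sees only what the provider's servers add later.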

Spam and Virus Firewalls: Use services that stop Spam, viruses, and other unwanted content before they reach your infrastructure and users. These services should actively protect you against email bombs and other attacks, greatly reduce the impact of Spam and viruses, and insulate your infrastructure from the malignant Internet. It is especially important that your Spam and virus filtering provider has teams working 24/7 to monitor Internet threats. They must detect these new threats quickly and install stopgap rules and filters to block them well before mainstream anti-virus companies release official filters. Where viruses are concerned, the sooner you are protected, the better!

Note that employing commodity virus and Spam filtering tools and software may not be sufficient, as anti-virus companies might not release new rules for stopping the latest viruses for hours or days after they appear on the Internet, and such tools by themselves may not provide adequate protection against email attacks.

These and other technologies, such as public key encryption, will go a long way to ensuring that your organization’s information security practices are protected from the dangers of today’s Internet.

Conclusions

The cost of ignoring email threats can be catastrophic: loss of email and confidentiality, identity theft, lack of privacy, even the loss of the use of your computers.

The cost of mitigating all of the factors yourself “in-house” is also egregious, as the requirements in computer hardware, knowledge, continual training, monitoring and support, etc., quickly amount to large sums of money and exclusively dedicated manpower.

The most cost-effective and robust solution is to outsource your email infrastructure to an organization, like LuxSci, that specializes in premium email security. They can ensure your privacy and provide enterprise-level Spam, virus, and email content filtering with 24/7 threat-monitoring and email attack protection. Finally, they should provide responsive, personal technical support to address issues your organization will face as it grows and as the Internet evolves.

Breaches of email security and privacy are hard to detect. You cannot tell if someone is reading your email or subtly modifying messages until it is too late. You cannot quantify the cost of email and information security problems until after they impact you – imagine all of the things people write and receive in email… and think carefully about how you need to address these critical issues for your organization!