Human error was the #1 cause of cyber security incidents in 2021. Enterprise businesses are protected from external attacks, but are they missing a piece of the IT security puzzle: themselves? Outbound email security may be the solution.
Firewalls, antivirus, phishing protection - cyber security is most often focused on protecting businesses from the outside-in. Outbound security can be thought of as 'inside-out' protection for communications we send out into the world.
Outbound email security protects the data and documents we send over email. By utilising advanced encryption and authentication, outbound email security solutions ensure confidential messages and attachments are safely delivered.
What's wrong with a standard email?
The technology behind email was created at the Massachusetts Institute of Technology (MIT) in 1971. Though email has developed into a global communications standard, the level of security has not evolved since.
As with any information delivered via the internet, emails travel through multiple nodes. With access to any of these nodes, an email's contents can be uncovered. If you're the CEO of a company, as an example, your emails can be read by anyone who has access to your IT infrastructure or your recipients'.
Think of your standard emails as a postcard you send through the mail. Anyone who comes into contact with it, whether the postman or staff in the sorting office, can read it. If your postcard contains secrets, those secrets are at risk of exposure. That's why we call standard emails containing sensitive information open-risk emails.
The data sensitivity of emails sent by an enterprise business goes beyond that of a secret postcard. Enterprise emails could include high value contracts, proposals, investment valuations and identification documents. If any of this information is sent by open-risk email, it is at risk of exposure, and so is your business.
"Everyone knows" isn't "everyone does"
Most of your colleagues will be aware of the kind of data they shouldn't be sending over email. Yet, "knowing" isn't necessarily "doing".
Email is likely the primary form of interaction between staff and with customers. Whether by ignorance, accident, or negligence, cybersecurity best practices can fall by the wayside, especially at times of pressure.
A Society of Human Resources Management study found 35% of employees reported feeling tired or having little energy while working from home - and tired employees are more likely to make mistakes.
And that's the thing about open-risk email - with the best intentions and cybersecurity training, humans can still slip up. In an era of remote working, sending the right email to the wrong person is too easy. It's no wonder that sending a sensitive email to the wrong person was the most common cause of data security incidents in 2021.
We’ve got you covered. At Beyond Encryption, we’re pretty nerdy about email security. Follow the best practices in this guide to make sure any confidential emails you send are protected.
What are the key outbound email threats?
There are two key threats to data sent by email: human error and interception.
Otherwise known as insider risk, human error includes non-cyber mistakes such as:
- Sending an email to the wrong recipient, with research revealing that 52% of surveyed respondents have done this at least once
- Bcc’ing the wrong individuals on an email
- Attaching the wrong file to an email
By sending the wrong attachment or emailing the wrong person, employees unintentionally reveal sensitive information to third parties. Human error is considered to be the most common cause of data breaches and is estimated to be the driving factor behind 95% of successful security attacks.
Email interception is where third parties intentionally gain access to your emails and the information stored inside, usually at one of the following points of an email's journey:
- Sender’s device
- Email server
- Recipient’s device
Although these are often password-protected, a study has revealed that it only takes 10 minutes to crack a six-character, lowercase password. This leaves not just one, but all of your business emails open to risk.
Whether by human error or interception, the unintentional disclosure of sensitive information can be costly. According to 2021 IBM research, a data breach costs businesses an average of $4.24 million. Introducing robust email security systems goes a long way to eliminating this risk.
What outbound security solutions are available to protect emails?
Outbound email security is key to wrapping the sensitive data you send in a layer of protection, so it remains intact, unmanipulated, and unseen until it reaches its intended recipient.
When you’re looking at outbound email security solutions, you want to protect every part. That includes the text in your messages and attachments both in transit and at rest.
Here are the core protections every business should be looking at for their outbound emails:
Encryption works by disguising your email messages and attachments by turning them into code that is unreadable to human eyes. It does this by utilising ‘keys’ that encode and decode the contents of your emails. With advanced encryption standards (e.g., AES-256), a third party who does not possess a key cannot access the data, as brute force attacks are simply out of the question.
Unfortunately, not all encryption standards are alike. The level of protection offered out of the box by many email clients is not enough to guard your emails against the most common threats.
There are two main types of email encryption to be aware of:
Encryption-in-transport: Otherwise referred to as Transport Layer Security (TLS), this is the standard level of encryption offered natively by most email providers. TLS works by encrypting the connection between you and your recipient, securing your messages as they move between email providers and blocking unwanted access on the wire.
However, as your emails are only encrypted during transfer, they have no protection when at rest within a server or inbox, leaving your data vulnerable to third parties during this time. Additionally, TLS only protects the hop when both the sending and the receiving mail servers support it; if either side does not, the email is sent without that protection.
End-to-end encryption: In end-to-end encryption, emails are encrypted on your device before being sent and are only decrypted after reaching the intended mailbox. End-to-end encryption does not share the weakness of TLS: only the sender and receiver hold the keys that can decrypt the contents of the email, so third parties cannot access your message at any stage of its journey, including while it sits on a server.
Any business sending highly sensitive information by email should make sure their messages are encrypted throughout their journey with end-to-end encryption.
You also need to be aware of which encryption algorithm should be used for your email security. Where encryption is the general method by which information is converted into code, encryption algorithms are the specific formulas that actually encode and decode your emails. Currently, there are three main algorithms to consider:
DES: As the original encryption algorithm, DES is now outdated in its basic form. Instead, some companies use triple DES, which applies three separate 56-bit DES keys, for a combined key length of 168 bits.
RSA: A form of asymmetric encryption, the RSA algorithm gives the sender and receiver two different keys, one used to encode and the other to decode emails. Although this makes it considerably harder to crack, it also means that it is significantly slower to use, with the encryption and decryption process taking a long time to complete.
AES: A form of symmetric encryption in which the sender and receiver use the same key to both encode and decode emails. AES is considered extremely efficient, offering key sizes of 128, 192 and 256 bits that are extremely resistant to attack. It is also easier to implement into your systems, and the encryption and decryption process is much faster than RSA.
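As an added illustration of the TLS versus end-to-end distinction above (example code written for this guide, not Mailock's or any other product's implementation), the following Go program seals a message body with AES-256-GCM on the sender's side, hands a relay only the ciphertext, and opens it on the recipient's side. The `Envelope`, `Seal`, `Open` and `Tamper` names are this example's own; how the two endpoints agree on the 256-bit key (a per-recipient key exchange, for instance) is assumed to happen elsewhere and is not shown. Because GCM is authenticated encryption, the example also shows the "intact and unmanipulated" property: a relay that changes a stored message, or swaps the recipient line in the header, causes decryption to fail rather than silently yielding altered text.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is everything a mail server in the middle gets to see and store:
// a readable header, a per-message nonce, and the sealed body.
type Envelope struct {
	Header     []byte // readable by relays, but authenticated so it cannot be altered
	Nonce      []byte // 96-bit GCM nonce, unique per message under a given key
	Ciphertext []byte // AES-256-GCM output: encrypted body followed by a 16-byte tag
}

// NewKey generates a 256-bit key on an endpoint. Distributing it to the
// recipient is assumed to be handled by a separate key exchange (not shown).
func NewKey() ([]byte, error) {
	key := make([]byte, 32) // 32 bytes selects AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the sender's device: the body is encrypted and authenticated,
// and the header is bound in as associated data (readable, not modifiable).
func Seal(key, header, body []byte) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{
		Header:     header,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, body, header),
	}, nil
}

// Open runs on the recipient's device. Any change to the ciphertext, nonce or
// header made in transit or at rest makes the tag check fail and returns an error.
func Open(key []byte, env Envelope) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, env.Header)
}

// Tamper returns a copy of env with one ciphertext byte flipped, modelling a
// relay that alters a message it stores.
func Tamper(env Envelope) Envelope {
	ct := append([]byte(nil), env.Ciphertext...)
	ct[0] ^= 0x01
	return Envelope{Header: env.Header, Nonce: env.Nonce, Ciphertext: ct}
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample message for the demo, not real correspondence.
	header := []byte("From: ceo@example.com\r\nTo: cfo@example.com\r\n")
	body := []byte("Draft valuation for the acquisition: see attached.")

	env, err := Seal(key, header, body)
	if err != nil {
		panic(err)
	}
	fmt.Printf("relay sees header: %q\n", env.Header)
	fmt.Printf("relay sees body:   %x\n", env.Ciphertext)

	plain, err := Open(key, env)
	fmt.Printf("recipient reads:   %q (err=%v)\n", plain, err)

	_, err = Open(key, Tamper(env))
	fmt.Printf("tampered copy:     err=%v\n", err)
}
```

The design point worth noticing is that the relay's view (`Header` plus opaque `Ciphertext`) is all a TLS-protected hop would leave readable on the server once the connection ends; binding the header as associated data is what keeps routing information visible to the server without letting it be rewritten unnoticed.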
Although encryption goes a long way to prevent email interception, it doesn’t stop human error, such as sending an email to the wrong person.
Adding an additional layer of authentication to your emails to verify the identity of your recipients ensures even if you send a message to the wrong person’s inbox, they can’t open it.
There are two levels of authentication available for outbound emails:
Single-factor authentication: This is the most basic form of authentication. A username and password are required to gain access (e.g., your email account login details). The drawbacks of single-factor authentication are well-known: passwords can be broken by brute force or guessed, and devices are often left (or always) logged in.
Two-factor authentication: This adds an extra layer of defence, with individuals needing to pass a further authentication challenge alongside entering their username and password. These additional challenges usually involve one of the following:
- Something you have. For example, inputting an SMS code from your mobile phone.
- Something you know. For example, answering a security question.
- Something you are. For example, biometrics such as fingerprints.
By adding two-factor authentication to sensitive emails, you ensure two things: first, any emails that accidentally get sent to the wrong person can’t be opened; second, if someone gains unauthorised access to your recipient’s inbox, they still can’t read the sensitive message. Two-factor authentication is becoming the standard for high-value account logins via a web browser (e.g., banking and finance), and email should be treated as no less critical to protect.
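To make the "something you have" factor concrete, here is an added Go example (written for this guide; it is not how Mailock or any named product implements its challenge) of a server gating a sealed message behind a time-based one-time code. The guide's example of a second factor is an SMS code; this example generalises to the authenticator-app style code defined by RFC 4226 (HOTP) and RFC 6238 (TOTP), which also proves possession of an enrolled device. The `Verify` and `ReleaseMessage` functions and the one-step drift window are this example's own choices, and the enrolment secret is the RFC's published test key, used here only so the output can be checked against the standard's vectors.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	Digits = 6  // length of the one-time code
	Period = 30 // seconds each code stays valid (RFC 6238 default)
)

// HOTP computes the RFC 4226 HMAC-based one-time password for a counter value.
func HOTP(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)

	// Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff

	mod := uint32(1)
	for i := 0; i < Digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", Digits, code%mod)
}

// TOTP is RFC 6238: the HOTP counter is the number of Period-second steps since the Unix epoch.
func TOTP(secret []byte, at time.Time) string {
	return HOTP(secret, uint64(at.Unix())/Period)
}

// Verify checks a submitted code against the current step and one step either
// side, tolerating small clock drift between the recipient's device and the server.
func Verify(secret []byte, submitted string, at time.Time) bool {
	if len(submitted) != Digits {
		return false
	}
	step := uint64(at.Unix()) / Period
	candidates := []uint64{step, step + 1}
	if step > 0 {
		candidates = append(candidates, step-1)
	}
	ok := false
	for _, c := range candidates {
		// Constant-time comparison, and every candidate is checked so timing
		// does not reveal which step matched.
		if subtle.ConstantTimeCompare([]byte(HOTP(secret, c)), []byte(submitted)) == 1 {
			ok = true
		}
	}
	return ok
}

// ReleaseMessage models the gate in front of a sealed email: the body is only
// handed over once the recipient proves possession of the enrolled device.
func ReleaseMessage(secret []byte, submitted string, at time.Time, sealedBody string) (string, error) {
	if !Verify(secret, submitted, at) {
		return "", fmt.Errorf("second factor rejected; message stays sealed")
	}
	return sealedBody, nil
}

func main() {
	// Constructed enrolment secret: the RFC 6238 reference test key, not a real one.
	secret := []byte("12345678901234567890")
	now := time.Now()
	code := TOTP(secret, now)
	fmt.Println("code shown on recipient's device:", code)

	body, err := ReleaseMessage(secret, code, now, "Contract draft v3 (sealed until verified)")
	fmt.Println("with valid code:", body, err)

	_, err = ReleaseMessage(secret, "000000", now, "Contract draft v3 (sealed until verified)")
	fmt.Println("with wrong code:", err)
}
```

The narrow drift window and the constant-time comparison are the two details most often got wrong in home-grown implementations: a wide window weakens the factor, and an early-exit string comparison leaks information through timing.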
When you make a mistake, don’t you wish you could take it back? An important function that helps combat any negative impact from human errors is email revocation.
When you send an email to the wrong person, or the wrong attachment to the right person, revocation allows you to retrieve the message directly from the recipient's inbox. This prevents sensitive information from falling into the wrong hands, reducing the risk of a data breach.
Email providers such as Outlook already offer built-in revoke capabilities. However, as with encryption, not all email revoke systems are alike, and Outlook’s basic recall feature will only work if:
- Your recipient has not already opened your message.
- The email has not been redirected to a folder other than ‘inbox’.
- Your recipient is using an email provider other than Outlook, such as Gmail.
- You are using Outlook for the web or the Outlook mobile app.
For more information on recalling an email in Outlook, you can read our handy guide.
It’s important for companies to maintain audit trails of their communications, helping them to keep track of the information being transmitted between employees and customers and identify potential data breaches.
Audit trails are also essential for meeting regulatory requirements and maintaining compliance, especially within industries that handle sensitive data, such as financial services, medical and IT. To receive and maintain accreditation by the ICO, it is vital to keep track of the volume and nature of personal data being processed, plus any notification details and history.
In other words, when compiling an audit trail for your email communications, it is important to remain aware of the following:
- Who has sent the email
- Who has received and accessed the email
- What date and time the email was sent
- What date and time the email was opened
- What attachments or information were included within the email
Where can I get outbound email security for my company?
Some outbound email protection is likely to already be available to your business.
For example, both Gmail and Microsoft Outlook include basic TLS encryption and email recall abilities as part of their core offering. Of course, businesses that deal with sensitive data on a daily basis will need to consider a more robust system. If we had a penny for every business who trusted the basic security provided by their email client and ended up in hot water… well, we’re really passionate about email security so we’d probably be doing this, but you get our drift...
There are a range of products dedicated solely to outbound email security, including our own flagship solution, Mailock. We pride ourselves on having the most advanced outbound email security solution on the market, so we encourage our customers to shop around.
The most important things to consider when looking at what’s on offer, are the functionalities available (encryption, authentication, revocation) and the level of protection they offer (e.g., TLS vs. end-to-end encryption). Use this guide as your framework for finding the solution that’s right for you.
Here’s a quick rundown of key questions to ask as you’re comparing products:
- Does it integrate with existing infrastructure? Introducing technology that works alongside your CRM, DLP, antivirus and server-side signature is incredibly important.
- Is it easy to use? A product can offer all the security in the world, but if your staff or customers cannot use it, issues will still occur through neglect.
- Does it offer gateway and automation capabilities? Depending on the size of your business and its predicted growth, introducing a scalable solution that can automate the documents you send out (and your employee workload) will benefit everyone.
- Does it protect against downtime? Software that allows for contingency planning, ensuring businesses receive minimal impact from downtime, is a
When considering the above questions, Mailock enterprise is sure to tick all the boxes. Our award-winning gateway seamlessly integrates alongside your existing DLP, CRM, and antivirus, protecting your business emails with military-grade AES-256 encryption.
Not only do we provide the very best security, but Mailock enterprise allows you to:
- Remain fully compliant with regulations such as GDPR, MiFID II and ISO 27001
- Remove the need for costly print, pack and post, digitising your communications and helping you reach ESG goals
- Empower and engage your customers, demonstrating that your business is a leader in the protection of client data