I turned the mic on CEO Paul this week to ask where outbound email security is going, the biggest risks, and the opportunities it can afford companies that are looking to communicate better with customers.
Do you think people focus on the wrong areas when it comes to email security?
We constantly see information about protecting our systems and our technical estates from inbound threats.
You know, the drum is banged regularly around those threats, in terms of people attacking with ransomware and malware and viruses.
What many probably still neglect is the fact that there are global scale enterprises that are surfing the web and the traffic that's going across it - reading the contents of emails because the information in there can be incredibly valuable to a would-be thief.
Is it increasingly becoming 'the norm' to put provisions in place for outbound email?
Outbound threats, you know, the idea that the data you're pushing out through this fabulously convenient medium called email are still often neglected. And that can be very potentially damaging for companies, their customers, and not just financially, but reputationally too. It's something that really needs to be addressed by all businesses.
I think it's not yet the norm to secure outbound comms. But we're getting there. My hope is that we are beginning to get the message through that you absolutely need to consider your outbound email as a very useful but potentially threatening area of your cyber provisions.
Are companies aware of the amount of sensitive data contained in their emails?
There are in excess of 330 billion emails sent and received a day. A good chunk of that carries information that companies are legally obliged to secure because the data is sensitive. And it's the reason that these industrial scale malicious organisations exist, because they can find rich pickings in that data in order to defraud customers and companies.
So yeah, I think it wouldn't be a surprise actually if a company was to dig into all those emails and look at how prevalent sensitive data is within them. You'd expect unfortunately, to see an awful lot of information in there that really should be protected and isn't.
I think we recently did some research into this, specifically in the financial adviser market?
Yes, I was shocked at the output from our recent research to see the number of financial advisers that were asking their customers to send them information (very sensitive information) in open email. That just can't happen anymore. It's just contrary to so many regulations.
But more importantly, it's contrary to looking after your customer, hence the reason we're trying to just make something available that can wed in very simply with all those requirements. But yeah, you just can't use email like that anymore, you know, the world's moved on.
What's something you wish more people knew about outbound email risk?
Sending something in the clear is incredibly easy to do. On email systems, I'm sure you've all seen, they have this sort of autofill capability. You start typing a name and they give you an opportunity to just click on the one that they think it is. But you might get it wrong.
There's been a staggering increase over the recent years in the amount of email that's sent to the wrong person. If you look at the quarterly reports that the ICO publish on the topic, misdirected email is up there among the major causes of data leak incidents, above malware and phishing.
And in fact, some of the things we've done in our secure email solution are about gently nudging people to remind them to think about this stuff. They can then simply click a button to send their email securely.
Is encrypted email enough? Is authentication a must?
Unless you are triple-checking or using systems to authenticate your intended recipient and gating their access to message information through that authentication, you're simply not securing 100% your comms. You need to know the message can only be opened by the right person.
From our perspective, the ability to revoke access and gate access to that information through an authentication process easily is what we want to make accessible. If it's not easy, you're not going to use it. From all our research, we know that if it's not easy, people just send something in the clear and leave it hostage to that world of cybercrime.
There are other tools out there for confidential communications - what's wrong with them?
We're in an online world, like it or not - I hope like it, in most cases. But confidential communications are, and have been, broken for an awful long time - of course, digital channels come with a lot of risks. But we've all been trying to strike this balance between ease and security.
There are lots of different methods that are employed to try and enable safe communication with customers digitally. But fundamentally, those systems are either secure but make it difficult for customers to engage with their information, or make it easy for customers but they're not secure. And that is the area that we're trying to make sure is resolved.
Digital is the way forward, like it or not it is the way forward, and customers overwhelmingly prefer email. We just needed to secure it in a way that felt like it was still email as we know it.
Have confidential comms been held back by regulations?
You know, there are so many regulatory demands placed upon the whole industry, but they are there to protect our most valuable data.
Whether that's MiFID II, you know, authenticated delivery to the right person, whether that's the ICO, you know, stating that you have to encrypt sensitive data. Or, layering on top of that, the fact you've not just got to encrypt but make sure it gets to the right person, or whether it's FCA and the auditable aspect of delivering information and making it easy to access... these regulations are all there to ensure sensitive data is safe.
What we need to do now is make that as easy as possible to adhere to - that's where companies have been held back in the past. Everything we're doing with Mailock secure email is about trying to make it as simple as possible to adhere to those regs, without putting barriers in the way.
Do you think financial services product providers have missed a step in terms of easing that customer communication?
If you're a product provider in the market and you're able to look in on the types of communications you're receiving from your customers, I think that it wouldn't be a surprise to understand that the largest majority of action, immediacy, is requested by "can you email that to me?"
You know - "I need some information. I need it now." People want gratification quickly. They want data quickly. And the technologies that are out there, without in any way suggesting that they shouldn't be there because this is all about providing information in the way people want it, aren't adequate. In portal world, well, we know that there have been a number of pieces of research that show customers overwhelmingly are dissatisfied with or unengaged with those kinds of platforms.
We work a lot with financial advisers - are they seeing similar kinds of issues to providers?
So we've been championing the adviser community for quite some time, and that will continue because advisers need to focus on the things they're good at - advising and not high friction technology, which I'm afraid has tended to be a phrase used with other secure email solutions.
We wanted to make secure email easy. Professionals need to be able to deliver sensitive information easily and quickly to the right person. And whilst there's always going to be a place for portals, they are notoriously low engagement and high friction methods of communication. Playing to that consumer demand and helping advisers solve some of those problems is something we talk about on a daily basis.
Are there still a lot of companies posting documents? Is that something you think will change?
Post is going to be with us forever. There are some people that are going to need it, and there are instances where that might be absolutely the right thing, certainly if that's what the consumer demands.
But all of the research, I mean, everything is pointing to the fact that (and I suspect partly driven by COVID), there's been a persisting theme of digitisation - "I want convenience and stuff pushed straight into my inbox." All of the research says that consumers, me included, want this information simply delivered straight into a convenient place.
For most people that's somewhere that they've held for over ten years, in my case, probably 20 years - an email address that's persisted, for me, for longer than my home address. So I don't think there's any doubt that secure digital comms are going to become more prevalent.
How does secure email fit into the everyday life of someone like a financial adviser?
If you're looking at a day in the life of an adviser, I suspect there's an awful lot on their agendas. You know, we're talking about technology here, but you almost want that to be the least of your worries with the regulations and everything that goes alongside being an advisory business.
We wanted to make it just really easy. Just, you know, press a button to secure your comms and also gain the trust and advocacy of your clients. And from those clients, the feedback we've had and continue to have, is in stark contrast to before. You know, comments like, you know, "oh securing email's really difficult", was what we used to get in the context of other solutions. Mailock secure email is simple. So, you know, it fits into an adviser's day-to-day by making secure comms really easy.
When boards are cutting budgets, how do you make secure email a priority?
Whether you're a provider sending out many millions in some cases of pieces of correspondence or dealing with, you know, a handful of customers each week, the cost implications of reducing print, pack, and post are phenomenal. Of course, then you also get the expedience associated with immediate delivery, the regulatory tick box of proving it's got to the right person, and the data security peace-of-mind.
You know, all this ripples through immediately to someone's bottom line - their bottom line financially, from a service level perspective, and of course, their carbon footprint. We've spent a lot of time and money trying to really get to the bottom of that whole carbon thing because of course, there's carbon involved with anything that's electronic but the upside of using the solution is so extraordinary, it's a no brainer.
What kind of savings are companies looking at financially then?
It's really hard to estimate the savings that you can glean from digitising these sorts of things. I think it's something like 95% but I'd actually be amazed if it's not a number a reasonable amount higher than that.
If you just logically think about when you produce a document (which you do, whether you're printing it, packing it, and posting it or putting it into an email) there can be no comparison between transmission of an email and having to print out that piece of information, put it in an envelope, and deliver it, and the whole infrastructure around that.
Aside from all the other virtues of the system, there can be no more compelling argument than saving your company money and making a positive contribution to saving the planet while you're at it.
Is there anything else you'd like to say about outbound email security?
Yeah, I think the key thing to hammer home is that you, sort of, start with wanting to make sure your data is secure - that's the key thing. In a world where our technical estates are distributed and remote, you need to be protecting the data you send out into the world.
But then you get all these other benefits. You've got the engagement aspect - which is massive. People know email, and more than any other channel that's where they want communications from businesses. You've also then got the paper-saving carbon and financial benefits, which can be huge if you're an enterprise organisation.
I'd really implore people who have used secure email systems in the past and thought they were too difficult, to try Mailock. We've worked really hard to make the system easy to use and to accommodate all the different types of people that might want to use it to connect - you know, Outlook users, financial professionals, large businesses - we have ways of tapping into Mailock that cater to all those needs.
So yeah, please protect your outbound emails is what I'd say. It's what the regulator demands in terms of data protection, but it's also what your customers want, and you'll see all those other advantages.
Originally posted on 22 06 23
Last updated on July 28, 2023
Posted by: Sam Kendall
Sam Kendall is an expert researcher, editor, and marketing specialist. He has worked with B2B brands for almost a decade helping them to refine their digital strategy and streamline ground-level implementation. Sam is passionate about new developments in user experience, demand generation marketing, and customer communications.