Human error is the #1 cause of cyber security incidents. Enterprise businesses are protected from external attacks, but are they missing a piece of the IT security puzzle - themselves? Outbound email security may be the solution they need to secure their data.
Firewalls, antivirus, phishing protection - cyber security is most often focused on protecting businesses from the outside-in.
Outbound security can be thought of as 'inside-out' protection for the communications we send out into the world.
Outbound email security protects the data and documents we send over email. By utilising advanced encryption and authentication, outbound email security solutions ensure confidential messages and attachments are safely delivered.
The technology behind email was created at the Massachusetts Institute of Technology (MIT) in 1971.
Though email has developed into a global communications standard, the level of security has not evolved since.
As with any information delivered via the internet, emails travel through multiple nodes in a network. With access to any of these nodes, an email's contents can be uncovered.
If you're the CEO of a company, your emails can be read by anyone who has access to your (or your recipient's) IT infrastructure.
Think of your standard emails as a postcard you send through the mail. Anyone who comes into contact with it - the postman or a worker in the sorting office - can intercept, read, and manipulate it.
If your postcard contains secrets, those secrets are exposed. That's why we call standard emails containing sensitive information 'open-risk emails' – because they are open to a multitude of risks.
When an email contains sensitive information sent by an enterprise business, the data sensitivity goes beyond that of a secret postcard.
Enterprise emails could include high value contracts, proposals, valuations, or identification documents. If any of this information is sent by open-risk email, it is at risk of exposure, as is your business.
There's a greater risk to your business emails — employees.
Most of your colleagues will be aware of the kind of data they shouldn't send over email. Yet, "knowing" isn't necessarily "doing".
Email is the primary medium for interactions between businesses and customers. Whether by ignorance, accident, or negligence, cybersecurity best practices can fall by the wayside, especially at times of pressure.
A Society of Human Resources Management study found 35% of employees reported feeling tired or having little energy while working from home - and tired employees are more likely to make mistakes.
And that's the thing about open-risk email - with the best intentions and cybersecurity training, humans can still slip up. In an era of remote working, sending the right email to the wrong person is too easy.
It's no wonder that sending a sensitive email to the wrong person is the most common cause of data security incidents.
You can easily protect your outbound enterprise emails against the risk of interception and human error.
An outbound email solution can enable you to:
Follow the best practices in this guide to make sure any confidential emails and attachments you send are protected.
So, there are two key threats to data sent by email:
Let's take a look at each in a little more detail.
Email interception is where a third party intentionally gains access to an email and the information it contains. This usually happens at one of the following four points on an email's journey:
Although all of the above can be password-protected, this is not enough in an era of rising cybercriminal activity. It only takes 10 minutes to crack a six-character, lowercase-only password (depending on processing power).
Human error includes non-cyber mistakes such as:
There's no amount of training that can prevent all employees from making these errors and exposing sensitive information to the wrong person.
Human error is the most common cause of data breaches, estimated to be the driving factor behind 95% of successful security attacks.
The unintentional disclosure of sensitive information can be costly.
According to IBM research, a data breach costs businesses an average of $4.45 million. This is made up of regulatory fines, business interruption, asset loss or compromise, and reputational repair.
For an enterprise business, a cyber attack can be the difference between business-as-usual and bottom-line impact that lasts for years.
Outbound email security is key to protecting sensitive data so it remains intact, unmanipulated, and unseen until it reaches your recipient.
When you’re looking at outbound email security, you want to make sure it covers every part of an email through its journey. That means:
Each of the above must be included in the encryption provided by your chosen security solution for robust protection.
It's important to consider that implementing some outbound email security solutions may introduce some technical complexities for your IT team and potentially require user training.
Additionally, compatibility issues can arise if recipients lack compatible software to access encrypted messages.
The Information Conduct Authority advises that outbound customer information should be encrypted to ensure secure processing.
Encryption works by disguising your email messages and attachments by turning them into code that is unreadable to human eyes.
It does this using 'keys' that encode and decode the contents of your emails, with the decoding key released only once an authentication challenge has been passed. With advanced encryption (e.g., AES-256), a third party who does not possess the key cannot access the data, meaning brute-force attacks are computationally infeasible.
Not all encryption standards are alike. The encryption used by email providers is not enough to guard against the most common threats.
There are two main types of email encryption to be aware of:
Encryption-In-Transport:
Also referred to as Transport Layer Security (TLS), this is the encryption offered natively by most email providers.
TLS works by encrypting the connection between you and your recipient, securing your messages as they move between email providers.
However, emails are only encrypted during transfer. They have no protection when at rest on a server or in an inbox, leaving data vulnerable.
TLS encryption also requires both the sender and the recipient to be TLS compatible for the email to be sent securely.
End-To-End Encryption:
With end-to-end encryption, emails are encrypted on your device before being sent and only decrypted after reaching the right mailbox.
End-to-end encryption doesn't have the same weakness as TLS: only the sender and receiver hold the keys that can decrypt the contents of the email, so third parties cannot access your message at any stage of its journey, at rest or in transit.
Any business sending sensitive information by email should make sure messages are encrypted throughout their journey with end-to-end encryption. You should also be aware of the algorithm used.
Encryption Algorithms
Whereas encryption is the method (information disguised using code), encryption algorithms are the formulas used to encode and decode your emails.
There are three main algorithms to consider:
DES:
One of the first digital encryption algorithms, DES is now outdated in its original form. Instead, some companies use triple DES, which chains three individual 56-bit DES keys for a total key length of 168 bits.
RSA:
A form of asymmetric encryption, the RSA algorithm gives the sender and receiver two different but mathematically linked keys: one encodes emails and the other decodes them.
Although this makes it considerably harder to crack, it is also significantly slower to use, as the encryption and decryption operations take much longer to complete.
AES:
AES is a form of symmetric encryption, meaning the sender and receiver share the same key to encode and decode emails.
AES is highly efficient and offers key sizes of 128, 192, and 256 bits, for which no practical attack is known. It is also easier to integrate into your systems, and encryption and decryption are much faster than with RSA.
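As an added example (not the article's own code or any vendor's product), this Go program shows what end-to-end protection of a message body with AES-256 looks like in practice: the body is sealed with AES-256-GCM under a key that only sender and recipient hold, so a mail server or relay holding the ciphertext can neither read it nor alter it without the recipient's client detecting the change. The subject line, demo key and message text are constructed for the example; the subject is left readable for routing but cryptographically bound to the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM builds AES-GCM from a shared key; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealEmail encrypts body under a key only sender and recipient hold. The subject
// is authenticated but left readable: a relay can route on it but not alter it.
func sealEmail(key []byte, subject, body string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // fresh random nonce per message; output is nonce || ciphertext+tag
	return gcm.Seal(nonce, nonce, []byte(body), []byte(subject)), nil
}

// openEmail reverses sealEmail. Any change to nonce, ciphertext, tag or
// subject, or a different key, fails the tag check and returns an error.
func openEmail(key []byte, subject string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, fmt.Errorf("sealed message too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(subject))
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key
	sealed, _ := sealEmail(key, "Q3 valuation", "Offer price: 4.2m")
	sealed[len(sealed)-1] ^= 0x01 // a relay flips one byte of the tag
	_, err := openEmail(key, "Q3 valuation", sealed)
	fmt.Println("tampered message rejected:", err != nil) // true
}
```

A real deployment derives or exchanges the 32-byte key per recipient rather than embedding it, and never reuses a nonce under the same key.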
Although encryption goes a long way to prevent email interception, it doesn’t stop human error, such as sending an email to the wrong person.
An additional layer of authentication for outbound emails verifies the digital identities of your recipients before they can gain access. Even if you send a message to the wrong person’s inbox, they can’t open it.
Authentication types can include an SMS code sent to your recipient's phone, a secret question and answer, or another form of digital ID.
Multi-factor authentication (MFA) is becoming the standard for account logins (for example, in banking and finance). Email should be treated as no less critical to protect if it is used to communicate with customers.
Research estimates MFA is able to block 99.9% of automated attacks.
Authentication Types
Single-factor authentication:
This is the most basic form of authentication – a username and password are required to gain access (e.g., your email account login details).
The drawbacks of single-factor authentication are well-known: the ease of breaking passwords by brute force, guessing passwords, or simply gaining access to devices already (or always) logged in.
That's why encryption may not be enough. If someone cracks your password, they have access to all your emails.
Multi-factor authentication/Two-factor authentication (MFA/2FA):
Multi-factor authentication is the addition of an extra layer of defence, with individuals needing to pass an identity challenge of some kind.
Identity challenges could include:
- Something you have: for example, inputting an SMS code from your mobile phone.
- Something you know: for example, answering a private security question.
- Something you are: for example, providing biometrics such as a fingerprint.
Multi-factor authentication for email ensures two things:
1. Any emails that are sent to the wrong person can’t be opened.
2. If someone gains unauthorised access to your recipient’s inbox, they still can’t read the sensitive message without passing an identity challenge.
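The "something you have" factor above is described as an SMS code; as an added example that is not the article's code, here is the standards-based way to generate and verify such a one-time code, RFC 4226 HOTP in Go, with the counter advanced on success so a code that reached the wrong inbox cannot be used a second time. The Challenge type, the look-ahead window and the demo secret (the RFC's published test-vector secret) are constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// hotp returns the six-digit RFC 4226 code for a shared secret and counter:
// HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation to 31
// bits, then the last six decimal digits, zero-padded.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// Challenge is the server-side state of one recipient's "something you have"
// factor: a per-recipient secret and the next counter value not yet used.
type Challenge struct {
	Secret  []byte
	Counter uint64
}

// Verify compares the submitted code in constant time against a small
// look-ahead window and, on success, moves the counter past the used value
// so the same code is refused if it is submitted again.
func (c *Challenge) Verify(code string, window uint64) bool {
	for i := uint64(0); i <= window; i++ {
		expected := hotp(c.Secret, c.Counter+i)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			c.Counter += i + 1
			return true
		}
	}
	return false
}

func main() {
	// Constructed demo secret (RFC 4226 test vector); real ones are random per recipient.
	c := &Challenge{Secret: []byte("12345678901234567890")}
	fmt.Println(c.Verify("755224", 2), c.Verify("755224", 2)) // true false
}
```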
When you make a mistake, don’t you wish you could take it back?
Some secure outbound email solutions offer a last-resort revoke function. This means that even if you haven't used multi-factor authentication to protect a secure email, you can block access remotely.
Some outbound email security solutions also offer data loss prevention (DLP) capabilities, which can help prevent sensitive information from being accidentally or maliciously sent outside the organisation.
When you send the wrong email to the wrong person, the revoke function lets you pull it back from their inbox. This prevents sensitive data from falling into the wrong hands before too much (or any) damage is done.
Email providers such as Outlook offer built-in recall capabilities that work in many instances. Outlook’s basic recall feature will work if:
Need to recall an email in Outlook? Read our handy guide.
It’s important for companies to maintain audit trails for digital communications. This helps them to keep track of any information being exchanged for business intelligence or regulatory compliance.
Audit trails are essential for meeting regulatory requirements. Industries such as financial services, medical and IT are especially highly regulated as they are custodians of our sensitive data.
For example, to receive and maintain ISO 27001 accreditation, it is vital to keep track of the volume and nature of personal data being processed, plus any metadata (the file's creation date and history).
When auditing your email communications, you want to record a number of key fields:
Some outbound email protection is available from your provider.
For example, Gmail and Microsoft Outlook include basic TLS encryption and email recall abilities as part of their core offering.
Of course, businesses that regularly deal with sensitive data will need to consider a more robust system that fits their tech stack.
Outbound email security solutions can be a valuable tool for meeting compliance requirements in industries with strict data security regulations, such as finance or healthcare.
There are a range of secure email services dedicated to outbound email security that support enterprise use cases.
The most important things to consider when looking at what’s on offer are the encryption method, the encryption algorithm, and the authentication type.
Use this guide as a framework to find a solution that’s right for you.
Here are some key questions to ask as you’re comparing products:
The History of Email, The Guardian
The Cyber Security Risks of Remote Work: Safeguarding Your Home Office, IT Governance, 2021
Data Security Incident Trends, Information Commissioner's Office
Password Statistics, DataProt
Overcoming Human Error in Email Security, UKAuthority
Cost of a Data Breach Report, IBM
256-bit Encryption and Brute Force, Security Stack Exchange
Human Error and Security Attacks, Security Magazine
Multi-Factor Authentication and Security, Microsoft
The Best Encrypted Email Services, Heimdal Security
Sabrina McClune, 19.06.24
Sam Kendall, 19.06.24