Email Security: What You Need to Know and Best Practices

Organizations today face a handful of challenges—message interception and manipulation, lack of identity verification, phishing and malware—in dealing with current email security structures. Finding a solution to these challenges is important, but finding the right solution is critical. So, let’s start with the basics of today’s email security landscape before exploring how to take your email security up a notch with end-to-end encryption.

Importance of Email Security: 9 Statistics You Should Know

For far too many businesses, email security isn’t a concern until it’s too late. Often, organizations don’t take threats against email seriously, believing that big data breaches only happen to large enterprises. Because cybercrime has such a huge ROI, sensitive data et even the smallest companies is still attractive to bad actors.

Alternatively, many larger enterprises assume that email security is something that’s already being taken care of—after all, if you have a security policy in place and you take care to remind your employees of security best practices, what’s to worry about?

Your employees’ inboxes are potential gateways to your business, housing confidential information about your company, your employees, and your customers. As data breaches become more sophisticated and more prevalent, a reported 68% of business leaders feel their cybersecurity risks are increasing. 

In order to give you a better sense of the importance of email security and the vulnerability of your data being shared via email, we’ve compiled nine statistics that highlight the risk to your business.

1. Data breaches exposed 4.1 billion records in the first half of 2019.
2. 52% of breaches featured hacking, 28% involved malware and 32–33% included phishing or social engineering, respectively.
3. 30% of breaches involved internal actors.
4. 24% of breaches are caused by human error.
5. 53% of companies had over 1,000 sensitive files open to every employee.
6. 43% of breach victims were small businesses.
7. Share prices fall 7.27% on average after a breach.
8. Supply chain attacks were up 78% in 2019.
9. The average cost of a data breach is $3.92 million as of 2019.

3 Common Risks to Email Security

Email security problems plague organizations of all sizes, across all industries. Why are they so prevalent? Because the corporate inbox is a gold mine for hackers and scammers. Whether you’re a healthcare provider sharing patients’ PHI or a manufacturer sharing product roadmaps and intellectual property, no organization is immune to email attacks. Below are three common risks to email security that every organization should pay attention to.

1. Your password isn’t as strong as you think

Weak passwords are one of the most common email security issues. It’s not enough to avoid obvious passwords like “123456,” “football,” or “password”—using your pet’s name, plus some capitals and numbers, simply won’t cut it. Google has put together a set of recommendations for creating strong passwords.

However, strong passwords can be hard to remember. Enter single sign-on (SSO). SSO is a centralized user (and session) authentication service in which an identity provider (IdP) allows for one set of login credentials to be used to access multiple cloud-based applications such as Gmail, Salesforce, Hubspot, Dropbox, or JIRA.

IT teams can take the security of SSO one step further with multi-factor authentication (MFA). This requires users to present more than one factor of authentication—such as a one time passcode from a mobile app—to ensure the sign-on attempt is coming from the valid account owner, not an imposter. Although MFA exists independently of SSO, introducing the two together as your IT team’s newest tools help ensure the privacy and security of your organization’s most sensitive data.

2. Native email encryption and security only go so far

Gmail is now the most widely used email client in the world. And for good reason— it is a powerful, user-friendly email platform that supports organizations’ need for rapid collaboration and information sharing. Plus, it has some advanced security features, such as TLS encryption and Gmail confidential mode, already baked in.

• Google uses Transport Layer Security (TLS) to encrypt emails in transit. It provides an encrypted pipe through which your emails can travel. But TLS depends on both the sender’s and recipient’s email provider, so it doesn’t always work. To help prevent unencrypted emails from exposure, Google warns users when TLS won’t work; an open red padlock symbol signifies that an incoming or outgoing message isn’t encrypted.
• Gmail confidential mode is a feature that enables users to implement basic access management over their email. This means that users will be able to set expiration dates for messages, revoke access from certain users or prevent actions like forwarding and printing. However, Google still has access to the unprotected plaintext (even after recipient access has expired) failing to meet privacy and compliance requirements of organizations concerned about third-party access to their data. 

Although Gmail’s native security features provide a strong first line of defense for email security, they do have their limits. Gmail’s security can be easily strengthened with an additional layer of client-side encryption, via third-party add-ons.

3. Human Error

Ever sent an email to the wrong person by accident? Mistakes happen. Employees have access to more sensitive data than they should and if this data is mistakenly shared via email, it can easily end up in the wrong hands. To address this, have a clear policy about what should and shouldn’t be sent over email and ensure any sensitive data is encrypted, Better yet, ensure your encryption solution provides the ability to control access to sensitive data throughout sharing workflows. With granular access controls, the next time you send an email to the wrong person, you can easily revoke access.

Take Email Security One Step Further with End-to-End Encryption

End-to-end encryption wraps every piece of data in a layer of protection at all times, not just in transit and at rest; it also ensures that only the sender and recipient can view the contents of an email. This protection stays with your data no matter where it goes, even after it leaves the email platform.

If your data itself isn’t encrypted and relies on TLS encryption, it is at a higher risk of exposure and in highly regulated industries, can lead to compliance issues. Implementing end-to-end encryption helps to ensure that your organization is fully compliant with data security and privacy regulations, such as HIPAA, FERPA, CJIS, ITAR or GDPR.

What is data-centric email security?

End-to-end encryption is at the heart of a data-centric approach to email security. Traditional approaches are tech-focused in that if an attacker attacks, the technology responds. A data-centric approach, however, allows you to protect what is actually valuable—the data.

A data-centric approach to email security should:

• Protect: Ensure that data is safe at all times with end-to-end encryption.
• Control: Further protect data with features such as access revocation, controlled forwarding, and watermarking.
• Audit: Give you a clear view of all interactions with the data in order to maintain compliance.

When you think about what a data-centric approach to email security might mean to your organization and how you are set up—whether its on-prem, hybrid, or on the cloud—consider the lifecycle of your data. Where is it created? By whom? Where is it going? Who’s going to be interacting with it? 

The answers to these questions have different implications for your organization depending on how you’re deploying your solution. So if there’s user-generated or client-side generated sensitive data that needs protection and control, having a seamless, integrated solution on that side is critical. Usability—one of the pillars of a secure email strategy—requires extending the user-experience into what the user knows, ultimately resulting in a higher adoption rate, critical to deployment success.

Key Considerations for Email Security in the Cloud Era

83% of enterprise workloads will move to the cloud by the end of this year. While email is still the primary means of communication for organizations, cloud-based messaging platforms are gaining traction in the modern workplace. Therefore your email security strategy should also provide protection, control, and audit for cloud-generated data. Consider this: 

• Adopt a Zero Trust model—essentially “never trust, always verify”—for data that is of the highest risk. Moving to the cloud or a hybrid model requires an extension of your trust model. By limiting third-party access to unencrypted content, you can defer some of the liability and maintain a lower risk profile.
• Ensure you can fully embrace the benefits of collaboration, afforded by being on the cloud, by maintaining full control of your sensitive data. Taking advantage of a cloud collaboration platform opens up your organization to the promise of increased productivity and allows you to remain competitive in a fast-moving marketplace. But, it also fosters an increase in data mobility and virality. Mitigate this risk with a solution that gives you clear visibility as to where your sensitive data is and who is accessing it.
• Reduce the administrative burden with appropriate key management. Make sure you have an appropriate cost of ownership that does not nullify the benefits of being in a cloud environment. E-management technologies available today help to address this concern.
• Seek out a solution that provides extensibility beyond just email. While email may be your primary means of communication, as the workplace evolves to meet the needs of the digital age, your security solution must be able to keep up to provide persistent protection across email and other applications.

Are you ready to get serious about email security? Get in touch with us or download this free guide to learn more about how Virtru can boost your email security with data-centric protection and end-to-end encryption.