IT Brief New Zealand - Technology news for CIOs & IT decision-makers
Story image
How safe are your emails? An expert breakdown
Thu, 12th May 2016
FYI, this story is more than a year old

Since the concept of email was first floated in the 60s, it has exploded onto the scene, becoming an absolutely crucial part of everyday business and personal lives. It's hard to imagine how we'd survive without it.

“It's simple, convenient and ubiquitous but the simplicity hides the global and complex infrastructure behind it,” says Jay Haybatov, CEO of Dekko Secure. “People think that their messages travel from their device to the recipient's but the reality is much more complex.

According to Haybatov, the standards for email that are used today were created as early as 1982, but it wasn't for public use and therefore no one really cared about security.

“Just for comparison, the first website appeared 18 years later, in 1990,” Haybatov says. “The email standards were created when nobody thought about the Internet as a place for billions of users and millions of businesses.

Haybatov assures that while various security measures have been put in place over time, email still suffers from several unresolved problems, which include:

  • Most email is sent in plain text. Attachments can be accessed when the email messages are stored on the email servers, even after being delivered to their recipients.
  • It takes only a few seconds to send an email message that looks like it was written on behalf of your bank, Barack Obama, or Julius Caesar – no hacking skills required. What if you received an email from your children's private school about a change in banking details? There is no way to verify the authenticity of such a message, except to check it with the school directly.
  • You never know whether your message achieved the intended recipient. What if it was a tender application for a big contract?
Why emails are a prime target for hackers

“There are a number of tools in the average hacker's arsenal, including botnets, spam, DDoS attacks, identity theft and Cryptolocker,” says Haybatov. “Email offers a very cheap way for cybercriminals to reach mass audiences.

Some of the most dangerous ways that email can be misused include:

  • Distributing viruses that encrypt users' computers and request a ransom for a password to restore the files
  • Spreading Trojans that turn users' computers into part of a large botnet used for attacking networks and websites of companies for ransom or for competitive advantage
  • Extracting personal information, for example, financial information from tax
How big is the problem?

Haybatov affirms the problem is diverse and widespread.

“For instance, around 75% of email traffic is believed to be spam and some botnets contain millions of infected computers,” Haybatov says. “The use of compromised accounts to send fake emails with viruses, Trojans, Crypolockers or links to harmful sites on behalf of the account owner is becoming more sophisticated. People tend to trust emails from the known accounts, which makes them more dangerous, particularly when you have banks using email to allow customers to reset their passwords or internal business emails that request for payments to be made.

How can we defend ourselves?

A common solution that is recommended to email account holders is to change the password. While having a more complex password does minimise the threat of direct account hacking, Haybatov stresses it is not enough.

“Security solutions need to be all-encompassing and businesses must ensure they take the proper precautions to protect consumer data,” Haybatov say. “The general trend in Europe is towards giving the customers an option to control what sort of personal data the businesses require and can access. European legislation forces businesses to protect customer data including emails, or face huge penalties (up to 10M Euros) and Australia and New Zealand should follow suit, including immediately disclosing all customer data leaks.

According to Haybatov, businesses need to think beyond perimeter protection, amd adopt solutions that protect data itself using robust encryption technology.

“Focusing on solutions that provide end-to-end uninterrupted encryption is also critical,” Haybatov says. “Most email providers do not provide that at the moment because customers are not demanding it.