It’s time to put outbound email security under the spotlight – the pain points and the remedy

With inbound email risks such as malware, phishing, and ransomware regularly making the news headlines – and often being the focus of staff cybersecurity training – a reasonable level of awareness and understanding has been reached

By contrast, the risks associated with outbound email are little understood as, before now, they have been given limited attention. This imbalance needs to be urgently addressed, however, in response to the fact that outbound email security is one of the biggest challenges facing digital organisations today.

Email has become a universal tool of communication due to its simplicity for sending messages anywhere to anyone. Testament to its success, over 300 billion emails were sent and received each day in 2020 – a staggering number, which is forecast to grow to more than 347 billion by the end of 2023! But such widespread use also yields a massive threat surface, exacerbated by email’s origins being based purely on technical standards, with no regard to security. It is perhaps unsurprising then that email is now the biggest source of data leaks by organisations worldwide. The most frequent cause? Human error. Employees inadvertently emailing sensitive information to the wrong person, for example. A simple mistake (one that we’ve all been guilty of), but – accidental or not – it has potentially devastating consequences for the entire organisation. Loss of customers, damaged brand reputation, and a hefty financial penalty due to non-compliance with data protection laws, to name but a few.

The pandemic-prompted increase in remote working is only making things worse as people are (sometimes literally) left to their own devices. More errors are inevitable due to longer screen time, plus the likelihood of their home email set-up being less secure than office-based systems.

To address these shortfalls in outbound email security, it is necessary to protect digital communications at each stage of the journey: before, during and after each email is sent. Solution capabilities must therefore include two-factor authentication, ensuring that only intended recipients can access secure messages; transport security with DANE (TLS does not solve all security risks) to secure the connection between the sender and the recipient (so that no one else can intercept communications); and asymmetric, zero-knowledge encryption, to ensure that not even we (the solution provider) can decrypt the information. Organisations should check this point before purchasing a solution, as nearly all outbound email security providers maintain a copy of the customer organisation’s access key in their infrastructure, meaning that claims of keeping data confidential are actually untrue.

Staff productivity and usability are equally important factors in the quest to optimise outbound email security. It is therefore necessary to choose a solution that integrates seamlessly with existing environments, such as Outlook (desktop and Microsoft 365) and Gmail. This will enable employees to continue working in their usual way, aided by non-intrusive data safeguarding alerts that have the added benefit of raising security awareness throughout the organisation.

To help illustrate the need for – and value of – watertight outbound email security, as organisations navigate their COVID-accelerated digital transformation journey, I would like to share with you details of a recent development in the Netherlands. In April last year, there was an emergency

ordinance issued that all law firms and bailiffs were, from then onwards, encouraged to use secure email for communication, instead of faxes and letters, for at least the duration of the Coronavirus pandemic. This initiative reflected the enforced shift to working from home, where most people do not have a fax machine. Secure email is a fast deployment alternative to faxes and postal mail, enabling the safe transfer and exchange of personal information within digitally signed, legally binding documents. (Since the new ruling’s introduction, more than 70% of all lawyers have started using our secure digital communications platform to comply.) As a result of this change, the annual cost savings anticipated by replacing fax, letters and couriers with secure email across the Dutch Judicial System is £2million.

Organisations in many other sectors – including financial services, healthcare, government, and insurance – can access the same benefits by switching to digital communication only, as long as they apply a best practice solution to safeguard all data that is sent by email.

Broadly speaking, the remedy for outbound email’s security pain points is for organisations to strike the right balance between security and usability – to provide staff with easy-to-use digital tools that won’t disrupt their usual way of working. Taking this approach will enable employees to make better and safer decisions when sending sensitive information via email, which – in turn – will reduce data leaks; ensure compliance with ever-evolving data protection laws, and also instil trust among customers and citizens in respect of the safe handling of their personal data.

About the Author

Rick Goud is the CIO of secure digital communication enabler, Zivver. Before co-founding Zivver, Rick spent six years as a healthcare consultant for Gupta Strategists. While there, he noticed a wide range of sensitive data – such as patient information, company performance, and legal documents – being frequently handled by employees. He realised there was a strong need for a secure communication solution to safeguard and manage such data (including for DPA and GDPR compliance) – and shortly afterwards, Zivver was born.

Featured image: ©Production Perig