How Secure Is Email, Really?
Gain insights into the various approaches your organization can adopt to minimize risks and strengthen its email security measures.
When email became a standard channel of business communications — alongside the telephone — in the mid-90s, the world was quite a different place. Most businesses did not need to understand how secure — or insecure — email really is. Nowadays, the internet is no longer in its infancy. Instead, most businesses have integrated digital technologies into their operations, and cybersecurity is a major concern for most private enterprises. Today, 59% of organizations report more sophisticated attacks against email communications, which means email is no longer all that secure.
Following more than two decades of rapid adoption of new digital technologies in all sectors, protecting private information — especially personally identifiable information (PII) — from breach or exposure has become a responsibility every business must address with a proactive strategy.
To address this concern, organizations must understand how most successful data breaches occur. Nearly all data breaches — 82% — originate with human activity. The three most common attack methods for manipulating human actors are:
- Phishing: Attackers pose as colleagues or service providers to get employees to reveal sensitive information such as account credentials. In 2022, 255 million phishing attempts were reported, a 61% increase over the previous year's total.
- Ransomware: Attackers attempt to extort victims using stolen data such as customer financial information. Among companies with at least 250 employees, 70% report experiencing ransomware attacks.
- Spoofing: Attackers imitate websites or email domains to capture sensitive information. Nearly half of reporting organizations have encountered spoofed email domains.
While these attack methods vary in detail and sophistication, each can target sensitive information stored or sent over email. Simply put, defending your organization against data breaches means securing — or replacing entirely — vulnerable email-based communications.
Email Remains Highly Vulnerable to Data Breaches
The 21st century has seen an exponential rise in cybersecurity threats, with email becoming a key attack vector for cybercriminals. Today's digital threat vectors are far more pervasive and sophisticated than when industries first embraced email in the '90s.
The 2023 Allianz Risk Barometer, an annual survey conducted by insurance titan Allianz Global Corporate & Specialty (AGCS), identified data breaches as the most critical global risk facing businesses in 2022, ranking breaches above:
- Climate change
- Labor shortages
- New global financial crisis
But why are data breaches such a chief concern? For starters, the incident rate is on the rise, as reported data breaches in private enterprises showed a 41% increase in 2022 over 2021 totals. Additionally, breaches are becoming more costly to victim organizations, with the average cost of a data breach now totaling $4.45 million (USD) — a 15% uptick since 2020.
Yet, despite the growing threats — 75% of companies now report experiencing a successful email-based attack in the last twelve months — most continue to use email as their primary channel for exchanging sensitive information. This over-reliance on email underscores the pressing need to evaluate its security and develop robust defenses.
Ways to Make Email More Secure
Businesses can employ several tactics to mitigate risks and enhance their email security postures. These include:
Encryption
Encryption converts plain text into ciphertext that is unreadable to everyone except those holding the decryption key, significantly reducing the risk of unauthorized access to sensitive information. By default, the most popular business email platforms such as Gmail and Microsoft Outlook use transport layer security (TLS) to encrypt email data in transit but not in storage. To protect email contents end-to-end and in compliance with the FTC Safeguards Rule, users must enable optional Secure/Multipurpose Internet Mail Extensions (S/MIME) encryption.
Password Protection for Files
Password-protecting files adds another layer of security, ensuring that only authorized individuals can open attached files.
Multi-Factor Authentication (MFA)
MFA requires users to provide two or more forms of identity verification before they can access sensitive data or systems. Even if a phishing attack manages to compromise one factor (e.g., a password), the attacker would still need the other factor(s) to gain access.
Domain-Based Message Authentication, Reporting, and Conformance (DMARC)
DMARC is an email authentication and reporting protocol for detecting and preventing email spoofing. Receiving mail servers check incoming messages against the list of authorized sending sources (such as IP addresses) that the domain's administrators publish in DNS, and apply the policy the domain owner has declared for messages that fail the check.
While these measures can reduce an organization’s risk profile, successful breach prevention still relies on properly training all users and implementing rigorous enforcement policies. As such, the most impactful action may be to consider alternatives to email entirely when dealing with highly sensitive information.
Best Practices to Defend Against Data Breaches: Secure Document Portals
While many companies are willing to look past email’s inefficiencies — such as trawling through email threads or hunting for attachments — decision-makers cannot afford to overlook email’s inherent security risks, especially when handling clients’ personally identifiable information (PII) or personally identifiable financial information (PIFI).
Among alternatives to email, the best option for most organizations is a secure communication platform or document portal designed specifically to handle sensitive data. Within such platforms, developers or client IT teams can set information security standards organization-wide and for all users. Standards may include:
- Bank-grade 256-bit end-to-end encryption for data in transit and in storage
- Advanced user provisioning to prevent the use of outdated or low-quality credentials
- SOC 2 Type 2 compliance by the company providing the service
In addition to the enhanced security they provide, secure document portals also enable efficiency and visibility in labor-intensive processes like client document collection in banking and financial services. With all client documentation in a single secure repository, clients and their representatives can directly monitor progress in time-sensitive processes and configure automated notifications to avoid missed deadlines.
Efficient, Secure Document Collection with FileInvite
FileInvite’s secure document collection platform provides a one-step solution to the security challenges and liabilities of email for handling PII and PIFI. With the highest-grade encryption and compliance standards, FileInvite gives you and your clients confidence in the security of your data.