Secure email systems / encryption

Technology 06/03/2020

Reports of cyber-attacks on firms countrywide are becoming all too frequent. The source of cyber-attacks is predominantly email ‘phishing’.

Phishing occurs where the recipient firm receives fraudulent communications that appear to come from a reputable source. The purpose of these emails is to obtain sensitive data, such as credit card and login information, or to install malware on the recipient’s system.

These attacks can result in financial loss for firms and serious data breaches.

There are a number of solutions to protect email data. In this note, we briefly discuss two solutions: secure email systems, and encrypting email attachments.

Secure email systems

Secure email systems require the sender and recipient to install the same end-to-end encryption software product. Encryption software prevents the email from being intercepted. Encryption is a security method of protecting data sent between parties. Keys are used to encode or lock data (encrypt). Encoded data can only be unlocked or decoded by the encryption key.

A secure email service is the easiest way to keep emails private. Not only do such services guarantee secure and encrypted email, they also protect anonymity. If even more anonymity is required, the email account should be set up behind a free anonymous web proxy server, or a virtual private network.

‘Public key infrastructure’ (PKI) works by using two different cryptographic keys: a public key and a private key. The keys lock (encrypt or decrypt) the data that is transmitted. The public key is available to any user that connects with the website. The private key is a unique key generated when a connection is made and it is kept secret. When communicating, the client uses the public key to encrypt and decrypt, and the server uses the private key.

PKI in operation


Secure email software tends to be cumbersome to download, plus both parties need to be on board to download the same system.

To assist practitioners, we have set out a non-exhaustive list of secure email suppliers, plus the key features of each supplier. These are not recommendations, and we suggest that practitioners carry out their own due diligence in respect of these and other suppliers.

Security suppliers and key features:

  • Barracuda: Provides a range of products, including all-in-one security backup and archiving, AI protection from spear-phishing, and secure archiving.
  • Smart Lockr: Offers a secure mailing option. It permits the emails to be encrypted and tracked. Pricing for the above two is user dependent, and they insist on an evaluation before quoting.
  • Spambrella: An anti-phishing and anti-impersonation piece of software that filters all inbound emails for spam, viruses, malware, phishing attacks, and more. It examines hundreds of thousands of attributes in every email to accurately detect text, image, and attachment-based spam or phishing emails.
  • Tutanota: Describes itself as the world’s most secure email service. It claims to have end-to-end encryption with complete encryption – that is, subject, body and all attachments. It is open-source software, based in Germany. Business use starts at €12 per year, and ranges up to €60, depending on requirements.
  • Proton Mail: Offers secure email, based in Switzerland. It boasts status security and neutrality, and also end-to-end encryption. Proton Mail is also open source.

Encrypted attachments

Sending encrypted attachments may be the easier of the two solutions for practitioners. However, this system is totally pointless if the password used to encrypt the attachment is disclosed in the same email, or in a later email.

There are different methods of encrypting Word, depending on which version you are using. With Word 2010/2013, you encrypt a Word document by following these steps:

  1. Click ‘file’,
  2. Click ‘info’,
  3. Click ‘protect document’,
  4. Encrypt with password.

Practitioners should keep the following in mind when encrypting attachments:

  • Follow the steps above to encrypt the Word document you are attaching,
  • Use a strong password with at least eight characters,
  • Passwords should contain at least one uppercase letter (A-Z), at least one lowercase letter (a-z), at least one number (0-9), and at least one symbol (such as !@#$%^&*_-+=),
  • Call the recipients directly and give them the password, or
  • Text the password to the recipients’ mobile phones, or
  • Snail-mail the password to your recipients, and
  • Never include the password in the email containing the attachment.
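
The points above can be checked automatically before a message leaves the firm. The following is an added example, not part of the original note: the function names, the sample message and the attachment bytes are constructed for illustration. It assumes that a password-protected .docx is stored as an OLE container holding an "EncryptedPackage" stream, whereas an unprotected .docx is a ZIP file.

```python
import string
from email.message import EmailMessage

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # OLE container used by encrypted .docx
ENC_STREAM = "EncryptedPackage".encode("utf-16-le")  # stream that holds the ciphertext

def password_problems(pw):
    """Check a password against the rules listed in the note."""
    rules = [
        (len(pw) >= 8, "fewer than eight characters"),
        (any(c in string.ascii_uppercase for c in pw), "no uppercase letter"),
        (any(c in string.ascii_lowercase for c in pw), "no lowercase letter"),
        (any(c in string.digits for c in pw), "no number"),
        (any(c in string.punctuation for c in pw), "no symbol"),
    ]
    return [text for ok, text in rules if not ok]

def docx_is_encrypted(data):
    """Heuristic: a plain .docx is a ZIP; a password-protected one is an OLE file."""
    return data.startswith(CFB_MAGIC) and ENC_STREAM in data

def presend_check(msg, password):
    """Return findings for an outgoing message; an empty list means none."""
    findings = ["password: " + p for p in password_problems(password)]
    if password and password in msg.get("Subject", ""):
        findings.append("password appears in the subject line")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            if name.lower().endswith(".docx") and not docx_is_encrypted(part.get_payload(decode=True)):
                findings.append(name + ": attachment is not encrypted")
        elif part.get_content_maintype() == "text" and password and password in part.get_content():
            findings.append("password appears in the email text")
    return findings

def build_sample(body, attachment):
    """Constructed test message; subject and file name are made up."""
    msg = EmailMessage()
    msg["Subject"] = "Contract for signature"
    msg.set_content(body)
    msg.add_attachment(attachment, maintype="application", subtype="octet-stream",
                       filename="contract.docx")
    return msg

# Constructed stand-ins for attachment bytes, not real Word documents.
PLAIN_DOCX = b"PK\x03\x04" + b"\x00" * 64
ENCRYPTED_DOCX = CFB_MAGIC + b"\x00" * 504 + ENC_STREAM
```

The check only sees the message it is given, so a password sent in a later email still has to be caught by policy or by running the same check on that later message.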

Summary

Both email sender and recipient need to install the same secure email system. It requires buy-in from both providers.

At the very least, practitioners should consider encrypting attachments containing sensitive data. Passwords should be treated as sacred. Never send passwords out with documents.