Email is the most widely used method of communication in the world. The number of emails sent and received daily will reach almost 300 billion in 2019, and the number of active email users will reach almost 4 billion in the same year, according to technology research company Radicati. There’s a reason the ageing protocol is so entrenched in how we communicate: it’s simple, works in every browser, and most importantly, everyone has an address.
But many of the things that make email great, also make it a difficult avenue to secure from an information security perspective.
Email is used for both professional and non-professional communications: a highly classified email to a client may be immediately followed by one to a spouse about dinner. Add to this that these two emails can often be sent from the same work email account for the sake of convenience, and the likelihood of confidential data being leaked due to a slip up increase exponentially.
Slack messages can be sent to slack users, Signal messages to Signal users, and Whatsapp to Whatsapp. Unlike most other messaging platforms, there’s no need for two people to be using the same email client, protocol, or provider for communication to be possible. Of course, this seamlessness comes at a cost: it is much more difficult to develop a complete security solution for a channel with as many front-end standards and configurations as email has.
“The protocol now suffers from being ‘too big to change’ – there are core features missing from the technology that more modern communication platforms now have as standard(…)”
Since its inception in the 1970s, the underlying technology behind email has remained the same, which makes it very easy to develop for and implement. It also means the protocol now suffers from being ‘too big to change’ – there are core features missing from the technology that more modern communication platforms now have as standard, including the ability to easily redact or recall, and encryption-by-default. To make any major changes to how the email protocols function would require a near-global consensus.
Gone are the days when people accessed their email solely from their desk. Employees manage their emails on laptops, smartphones, tablets, watches, even car dashboards. This ease of access has exponentially increased the volume of emails exchanged, as well as changed how people treat emails, sending emails on the go. This, in turn, raises the risk of emails being misaddressed, as people type addresses out in a rush on their phones.
An inbox often contains a wealth of information spanning an employee’s entire time spent at an organization. While much of this may not be confidential, the fact of being able to access huge amounts of information from a single source exponentially increases the likelihood of a “careless forward”.
Recent statistics on data security highlight that individual human error accounts for most data breaches, and show that the current school of thought surrounding information security is incomplete. Email offers numerous benefits – namely speed, ubiquity and simplicity – but it’s also one of the single biggest threats to an organization and its data. In addition to this, the ICO in the UK recently reported that misaddressed emails were the number one type of data security incident reported to them.
While a growing number of enterprise processes are now being automated, email communication is currently still almost entirely reliant on people, which makes it vulnerable to human error. No matter how well established the organization, and how experienced and security conscious it’s employees, it will still be run entirely by people. And people are fallible.