eCommerceNews New Zealand - Technology news for digital commerce decision-makers
Story image
Cyber criminals continue to target email: How you can stay safe
Tue, 27th Oct 2015
FYI, this story is more than a year old

Cyber criminals are becoming much more advanced, and making it more important than ever for individuals to protect their email communications.

According to BAE Systems Applied Intelligence, criminals have expanding their activities from credit card data theft for immediate gain to going after personal data that they can monetise for weeks, months and even years.

The company says email remains the central mechanism for communications in both work and personal settings, transferring significant amounts of sensitive data frequently.

When it comes to a business, this can include market sensitive information and personal information and intellectual property (IP), yet most businesses aren't taking adequate measures to protect their emails, BAE Systems says.

The average employee sends and receives about 110 emails each day, or 29,000 emails per year.

Of these, one in 20 might contain sensitive data. This means that a company with 100 employees creates or handles 145,000 emails with sensitive data each year.

That sensitive data can become a major problem for organisations if the emails containing them are hacked, intercepted, or accidentally sent to the wrong recipients, BAE Systems says.

Adrian Blount, BAE Systems Applied Intelligence director cyber security solutions ANZ, says, “Everyone uses email. Not just to communicate, but often as a place to keep important information.

“Email presents companies with serious ‘insider threats'. It only takes one honest mistake by an employee or one dodgy link in an email to lose that precious information.

“The preventable situations are the frequent, innocent leaks that happen via email as a dedicated, if ignorant, employee just goes about his business. It's the mistakenly attached spreadsheet with personal customer data.

“It's the confidential email sent in error to everyone in the database. Those employees didn't mean to do it. And they'd love to have the click of that mouse back.”

BAE Systems Applied Intelligence recommends four key strategies to help prevent sensitive information from being leaked via email:

1. Measure violations and set targets

It's impossible to manage something without first being able to measure it, the compay says. Tracking and reporting on questionable email usage over time and monitoring activity across individual workstations is an important start.

This can be done with email Insider Threat Prevention (ITP) technology, which can spot specific violations of internal policies, according to BAE systems.

2. Filter sensitive information out of email

Companies are often concerned with incoming traffic and protecting themselves against viruses, worms, and botnets.

While those are important, critical information flowing out of the organisation represents the greatest risk, says BAE Systems.

Companies need a solution that can help block, quarantine, redact, or automatically encrypt sensitive messages, including content-aware policies that, for example, recognise credit card details within an email and don't allow the email to leave the organisation.

3. When in doubt, encrypt and notify

Often it's simpler and faster to encrypt an outbound message and notify the sender of the encryption than it would be to involve the message in timely quarantine activity, the company says.

4. Communicate your email policy

If staff do not understand internal email policies, then they cannot be expected to follow them correctly.

A good starting point is partnering with a member of HR to write a simple memo explaining the policy. Creating a policy can be a delicate process, as a good policy needs to be brief and concise, without being too vague.

One of the biggest risks to businesses is the threat of employees who accidentally or intentionally leak data.

Despite internal protocols and education, email is still a major source of information breaches.

Through a combination of measurement, content-aware policies, encryption techniques and email usage guidance for staff, companies can be more secure against insider threats, says BAE Systems.