The current consensus among the “cool crowd” of tech pundits seems to be that email is dead. Instant messaging and social networking have supposedly made it obsolete. They’ll tell you that business is moving toward a more “real time” model of communication, and now that even small businesses have easy access to video conferencing, the inbox is a vast wasteland littered with spam and messages from old timers who haven’t caught up with the trend. The logical extrapolation is that email security is no longer as important as it once was.

I beg to differ. There are many reasons email is going to be around – especially in the business world – for a long time to come. It’s not only still relevant; it’s still superior to other communications technologies for many purposes. Email offers obvious advantages over snail mail in terms of cost and timeliness. While email communications can be almost instantaneous, they are often preferable to “real time” technologies such as IM/live chat, audio/video conferencing and the telephone, because email is less intrusive. You don’t have to drop everything to respond immediately, you don’t have to worry about how you look, and you can “sound” confident and professional and articulate even when you’re coughing and sneezing with a cold. Email is also easier to set up and use for users without tech skills.

The numbers don’t lie; far from being an obsolete technology, email continues to thrive alongside newer methods of communication. According to the Email Statistics Report 2011 – 2015 from marketing research firm the Radicati Group, the number of worldwide email accounts is expected to increase from 3.1 billion in 2011 to nearly 4.1 billion by the end of 2015, with the number of corporate accounts growing faster than consumer accounts. Then there’s email on mobile devices. The smart phone and tablet markets have exploded over the past few years. With most U.S. cellular carriers, sending and receiving text messages over 3G/4G costs users extra money, above and beyond the regular data plan – but email messages don’t, and their small file sizes don’t take a big bite out of a capped data allocation.

Another common misconception is that even if your employees do still rely on email, by now everyone knows and follows safe email practices so you don’t have to worry about those threats. Unfortunately, if you make that assumption, you’re taking on a big risk. Today’s workforce is full of people who don’t like adhering to rules that inconvenience them, if they’re even aware of those rules in the first place. Email security is as important as ever – maybe more so in a business environment that’s increasingly regulated, while exposed to attackers who become more sophisticated every day.

If your company is part of an industry that’s subject to governmental or industry compliance mandates (and new laws and standards are putting more fields into that category each year), taking steps to secure your email is no longer just a good idea; it’s something you must do or face heavy penalties.

As handy as email is, it was not originally designed with security in mind. If you think of your internal network as a fortress where your sensitive data lives, email messages are like the tiny cracks and crevices through which attackers can slip in, and every message could potentially be carrying a malicious payload. Going back to the Radicati report, the typical corporate email user receives over 100 messages per day. That constitutes a troubling number of cracks and crevices.

A big part of the problem is that the security threats associated with email are diverse. The objective of some attackers is to intercept the content of your messages to obtain confidential information contained in them. Other attacks are designed to trick recipients into visiting phishing web sites and divulging personal data. Others attempt to deliver malware that will infect your system and give the attacker control of your computer, or even turn it into a bot that can be used to send spam or attack other networks.

A countermeasure is an action designed to offset another action, and defense countermeasures are generally categorized as either “active” or “passive.” The countermeasures we use against email attackers are generally of the passive type, and include hardening our perimeters, servers and endpoint systems to keep attackers out. User education is an important part of every email security strategy, but it’s not enough by itself. Companies that try to save money by putting all the responsibility on the shoulders of the users and relying on the spam filters built into mail clients may find that the plan backfires and ends up costing them more than investing in a good technological system.

I think it’s time to start taking email – and email security – seriously again.

 

Like our posts? Subscribe to our RSS feed or email feed (on the right hand side) now, and be the first to get them!