Protecting Your Email from the Elements
June 22, 2021 by Jeremy Ward
In March, I talked about the “walled garden” approach to security, and gardens come to mind again when I think about exposure to the elements. Email, especially, is at risk for exposure.
Email can be like a weed – it’s extremely persistent. Multiple copies of an email may exist on both the sender’s and recipient’s side (server versions, cached versions on mobile devices and laptops, backups, etc.). Sensitive data sent via email is quite hard to remove from all the systems it touches.
Email can be like a tomato plant – to pick the fruit, you can reach into the cage that’s protecting it. Email is not always encrypted and, even if it is, it’s usually only the “tunnel” that’s encrypted. The content is commonly not encrypted in a way that causes the recipient to take additional steps to read the message.
Email can be threatened by invaders – threat actors are like the rabbits who invade your garden, getting access to all the email in an account. One of the first things they do is to take copies of old emails so they can filter through at their conveniences for sensitive information. They also set up email forwarding to a separate account to capture all (or even specific) new email. And as one more example, they will set up rules to delete messages that give away their presence, such as emails generated to warn you about suspicious logins. Unless you use an email tracking tool, you generally do not know who, when, or where the email was opened.
So, how to protect your sensitive data and other information? Secure file transfer/encrypted email solutions, such as Kiteworks, have some distinct advantages.
- With proper configuration, authentication is strong for both the sender and the recipient.
- Recipients usually are required to click a link and authenticate before being connected to the content of the message or any files, making it more difficult for a bad actor to access. Additionally, automated tools used by bad actors to scrape compromised mailboxes would generally not find anything of value.
- The content of the encrypted message, usually viewed through a browser, can be set to expire after a specified duration, thus removing the persistence of the content (getting rid of the weeds!). Even if you don’t set a message to expire, often you can manually expire it later if you become aware of an issue or if you want to remove access from the recipient.
- Viewing content through a browser can provide additional information regarding who opened an email, when, and from where (IP address), assisting with ensuring appropriate access.
Take the time to use a file transfer method that provides stronger authentication, traceability, and reduced risk. These are the reminders we provide to our team:
- DO use a secure file transfer solution when sharing or for short-term storage of data.
- DO use a secure file transfer solution when transmitting sensitive organizational data, such as business plans, personnel information, etc.
- DON’T use email to send or receive sensitive data.
- DON’T use personal collaboration/storage tools to share or store sensitive data (ex: Dropbox).
- DON’T upload or share sensitive data to unsanctioned removable media, such as USB devices or portable hard drives.
- DON’T provide more access than needed to sensitive data stored in your secure file transfer solution.
- DON’T modify settings within your secure file transfer solution to store data for longer than necessary.
Security is an important part of everyone’s job. Are you tending your garden this summer?
Jeremy Ward
Information Security Officer
Tyler Technologies