Blog / What’s the Deal with Email Security?
After 20 years email has got to be secure by now, right?
Not so very long ago, email was a fresh, new tool that the kids in college were raving about that nobody outside academia cared about. Back in the 80s and early 90s many organizations didn’t use email at all. Obviously a lot has happened since then, and now email is such an everyday thing it’s easy to just assume it’s secure. It certainly can be, but the when it comes to cybersecurity, the ubiquity, popularity, and age of the product or service means very little. If the people in charge of setting things up don’t know what they’re doing, you could be in for a world of hurt.
Way back when, before the internet grew into the enormous Internet, it was a small network of schools and universities called ARPANET. Before that, it was an even smaller entity called WARNET, which was a military communications network designed to maintain communications even if up to 90% of it was destroyed (ie: withstand a nuclear attack). It was into this militarily secured and restricted access environment that WARNET was born.
Email was built using what would come to be known as the Simple Mail Transfer Protocol, or SMTP for short, and it’s an accurate name as the SMTP was designed to be just an electronic mirror-image of the real-world physical mail system. SMTP was designed to get a message from point A to point B without knowing anything about where point B is ahead of time. It’s very good at doing this.
So, what exactly does all this have to do with security? Well, SMTP was designed in a highly-secured environment whose only users were trusted military engineers, so there was no reason for mail server authentication or verification. The takeaway? All the available security options for mail servers today, like SPF records, DKIM, DMARC, Spam filtering and more, are entirely optional. There’s no physical requirement for any of them, only regulatory. On its own, SMTP has no mechanisms to prevent any attacks like spoofing and the like, so while it may be understandable why someone might assume their email server is safe, doing so is dangerous.
The thing to remember is that a lack of email security can be exploited in multiple ways. Depending on your setup you could be the victim of a direct assault on any technical deficiencies, or even impersonated by an attack to mount an attack on someone else.
To be fair, email services have improved and become more secure over the years IF you take the appropriate extra setup steps required to do so, but only having proper processes and procedures that take this into account can truly help protect your organization from being compromised and scammed.
Today’s Shakespearean inspiration comes from Henry IV, Part 1: “Lord, Lord, how this world is given to lying!”
If you’d like an email security audit or help developing an email security plan, contact TRINUS and we’ll put in touch with one of our cybersecurity experts.
Be kind, courtesy your friendly neighbourhood cyber-man.