Is it Time to Give Up on Email? Especially for Internal Use?
The cyber security threats that arrive by email are significant and range from simple cons to sophisticated cyber attacks.
Over the last 40+ years our email journey has seen many improvements, but the primary function has stayed the same: you send some information to an email address as a blind transmission. You can never be 100% sure somebody has read it, and there are at least three further uncertainties:
- You can receive emails from people you don’t know
- You cannot always validate the sender’s identity
- You cannot be sure that the information was not changed on the way
I have noticed many organisations use email as the enterprise filing system; people have become highly dependent on it. Even those who are wise to the threats are sometimes fooled or conned. For example, many people are still falling for scams that redirect payments to a third party. The challenge is that a human opens the email, and humans are easily fooled by cyber criminals.
Not everyone keeps up with current technology. For example, some organisations still host their own mail exchange servers! Most of us now use a cloud provider like Microsoft or Google, which do a reasonable job of filtering out unwanted email, and some organisations also use specialised email filtering tools. But harmful content still gets through.
Big organisations like Microsoft have had severe cyber attacks and breaches in the last few months. Although this has potentially made their platform less trustworthy, it is still useful – however, I have become more wary.
75 – 80% of all successful cyber attacks start with an email, such as a phishing attack (various sources – Deloitte/ACSC). Email's role beyond the initial attack vector is also a consideration, for example in manipulating staff or external client relationships.
One of the critical technical challenges is that one platform (interface) is used for both internal and external communications. Isolating internal and external communications as separate systems could mitigate much of the risk. External email communications these days should be treated as corrupted! If email is assumed to be corrupted and a human still has to decide whether or not to open each message, then with the advent of AI-based cyber attacks this will naturally become a more significant threat.
One click on one of those crafted external emails, and it's potentially all over! The spam and sheer number of emails that hit our inboxes is sometimes daunting, making it hard to clear the inbox quickly and increasing the chance of opening the wrong thing. The problem is a human one, so we may need to create a simple alternative.
What if we use email for external communications only and Secure Instant Messaging (SIM) for all internal communications?
SIM systems include LamChat (the Australian system we built) and Signal, for example. Email was created for simple data transfer, and its scope has been stretched ever since. SIM, like LamChat, is far more secure and modern. Before any SIM communication can begin, a trusted connection between the parties needs to be established. After that, sophisticated encryption methodologies are engaged to secure the communication between those parties. It is also a separate system, so human nature can work to our advantage: people will need a different focus when using the SIM system than when using email (which is used for external communications only). Modern SIM systems are more capable and more sophisticated than email and offer the following core features:
- Participant consistency
- Destination validation
- Forward secrecy
- Backward secrecy (aka future secrecy)
- Causality preservation
- Message unlinkability
- Message non-repudiation
- Participation non-repudiation
- Anonymity preservation
Email does none of these things in its standard form.
If your organisation suffers a cyber breach, how will your people communicate? Will they use the same email and perhaps Teams system that was compromised (many do, by the way)? This is highly risky, as hackers typically gain control of email accounts and therefore of Teams messages, files and so on. In many cases the attackers read or watch what happens in the organisation while it is dealing with the cyber attack. Some organisations use a secure messaging system, separate from everything else, as part of their cyber security incident response. What does your cyber attack response plan call for?
Why not use a secure messaging system for all internal communication, and potentially with trusted third parties (such as suppliers)? Consider this scenario: a company CEO asks the CFO to make a payment via SIM, and the CFO has been instructed never to create a payment if it is requested by email – any external email with payment instructions will be disregarded. In another scenario, all employees open emails expecting them to be corrupted by a phishing attack or some scam (even if they come from an internal account). How would human behaviour change?
The advent of a modern SIM system allows an organisation to work differently. Guess what? The transition will cost nothing! You just need to train the humans to work a bit differently! But doing so will radically change the cyber threat landscape for your organisation.
Who else is doing this, you might ask? The answer is most governments, militaries and security-sensitive organisations worldwide.