Email Is Forever - and It's Not Private

Why You Need to Think Twice About What You Put in Emails

"Dance like no one is watching; email like it may one day be read aloud in a deposition." - @Olivianuzzi, December 13, 2014

This “post-Sony attack” tweet from Olivia Nuzzi of The Daily Beast should have been framed and hung as motivational artwork on every office wall. Instead, a year and a half and numerous publicized email hacks later, it stands to remind us that people will continue to get caught with their pants down because they refuse to accept two simple certainties: Email is forever; and forever is a long time to keep anything truly secure. 

With more recent hacks on entities like the Democratic National Convention (DNC) and the State Department, what’s particularly frustrating—beyond the hacks themselves, which are almost foregone conclusions in today’s connected world—is that people continue to send inappropriate emails. Why does it seem no one is learning from these blunders?

Permanent Record

There’s a reason top secret meetings take place in person. Email is a (relatively) public and permanent means of communication. Unlike in the old days of business letters and official government “cables,” email can — and does — take on a life of its own. Some things are better left unsaid — or, in this case, un-emailed. Translation: Anyone can read your emails; and anyone who feels like it can also forward them ad infinitum. And those with the time, know-how, and gumption to wreak havoc will do so. Why make it easier for them?

Sure, one could argue that the recent opprobrious hacks strengthen the case for encryption as a means to protect against the increasing skill levels of criminal gangs — and, I suppose, from ourselves. The most reputation-damning DNC emails were ones that should likely never have been written, let alone sent, in the first place. So, in a way, that had less to do with encryption and more to do with poor judgment. Plus, for the foreseeable future, it’s unlikely that anyone will be able to count on email messages being encrypted. 

It’s time to look for alternative solutions. No doubt, it’d be great if we could always pick up the phone or meet in person to avoid sending sensitive (or potentially incriminating) communications via email. But because that can’t happen all the time — and email is so convenient — how about looking for a way to find the bad guys before they run off with and air your dirty laundry to the general public?

Common Sense Is Not So Common

The federal government has been criticized for its lack of adequate cybersecurity protections and for being slow to update its operating systems with the latest software. But it’s up against a number of significant challenges: cyber specialist workforce shortage; sophisticated nation-state attacks; network complexity and obsolescence; increased need for encryption; legislative uncertainties. Oh, and the naiveté of its own employees.

Conventional email security solutions may defend against spam, viruses, and malware, but they don’t defend against ignorance or egregious stupidity. The DNC’s IT security team failed to protect sensitive information, but the people who sent the inappropriate emails were also at fault.

While phishing and other social engineering attacks loom large in IT security professionals’ minds, perhaps the hardest thing to control in security is the human element. We live in a world where people want easy, convenient, fast. Everyone loves shortcuts. And anyone can become busy, distracted, or just plain lazy. Unintentional loss of sensitive data through employees’ lack of email security awareness is embarrassing at best. At worst, it has the potential to compromise a nation’s security or endanger its electoral process. But it doesn’t have to be this way.

Because personnel aren’t always savvy about what they share, it’s prudent for organizations to invest in cybersecurity education and training, but also to become more aggressive at policing their networks. The DNC hackers had been on the network for how long before discovery? (Over a year, in case you’ve been on a desert island with no Wi-Fi.)

At some point, people have to take responsibility for security breaches. Attacks aren’t just about clicking on a “bad” link or opening a malicious attachment. They are about human behavior, at all levels, from email to poor adherence to security policies and procedures. If you send the wrong thing, you’re opening your front door for all the world to see and, inevitably, someone will be waiting to take more than a peek inside. Know the risks. Close the door. Get a dog — a guard dog with a keen sense of smell.

Incremental Deterrents

Dogs, any police officer will tell you, are the biggest deterrent for burglars. Why? Because no matter their size, they’re unpredictable. And they can fill any security gaps left by fences, locks, and alarms. If your intent is to steal something, you prefer a controlled, predictable environment, meaning one without dogs. 

Security systems, like the networks they protect, are built by accretion — one product stacked upon another — in the hopes that each will do its specific job well enough so that, when taken as a whole, the stack will provide complete security. But what if there were something that could give that security stack a bit more bite?

There is. The more visibility organizations have into what’s happening across their networks, the better chance they have of uncovering anomalous, not-quite-right behavior, responding to breaches faster, and, of course, tackling the security challenges surrounding the nature of email (forever and not private) and humans (toward the path of least resistance). In an IT environment, a security delivery platform (SDP) can be the watchdog whose bark and bite come through providing pervasive visibility of network traffic, users, and applications that enables any security solution—firewall, IDS, IPS, etc.—to focus on what it does best. Or, in other words, the dog who can and will hunt.

Erin O’Malley is an incident response delivery support manager at Accenture Security, FusionX, Cyber Investigation and Forensics Response (CIFR), where she teams with incident responders and threat hunters to document and catalog incident report findings and highlight the value of taking an adversary-based approach to minimize the risk, exposure, and damage of cybersecurity incidents. Prior to joining Accenture, Erin was a security solutions marketing manager at Gigamon. Other past roles have included product marketing for virtualization and cloud security solutions at Juniper Networks and customer marketing at VMware. She has written and edited for GE Digital, WSGR, Business Objects, and the TDA Group, and holds a B.A. in French from Penn State University and an M.A. in French from Middlebury College. The opinions and statements in this column are solely those of the individual author, and do not constitute professional or legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. No representations or warranties are provided, and the reader is responsible for determining whether or not to follow any of the suggestions or recommendations, entirely at their own discretion.