“To secure or not to secure” is the question!
Individuals and organizations are constantly exposed to the risk of losing information, simply from using
email systems for strategic communications. It is the easiest, most efficient and accepted
communication method today, but it’s vulnerable to attacks. One can send a message to virtually
anywhere in the world in less time than it takes to dial a phone number. Unfortunately a message can
also sometimes land up in the wrong hands. Irrespective of its shortcomings and associated security
risks, email has become the defacto standard for global information exchange for both business and
private use.
With email’s high utilization and known as well as unknown threats, why isn’t this a top priority issue for
CTOs and why hasn’t everyone implemented email security, to transact securely? Digital certificates or
Electronic Identities (eIDs) that enable email security, have been around for over a decade, the
technology is full-proof, many standard messaging systems support them, yet the uptake has been very
slow. Gartner predicts that email encryption will take 1–4 years to mainstream adoption, which is a long
time in IT and many things could happen till then. Some arguments as to why companies are holding
back include, too expensive, cumbersome, complex to use and support, but speculation is that simply
we have not yet seen sufficient large scale attacks and loses to warrant focusing on this technology and
many times other priorities for budget allocation traditionally come first.
Publicly available Information highlights potential email vulnerabilities which should raise some serious
concerns. It makes one wonder when the first major attack will take place and what the results of it will
be. Or has such an attack already happened and we don’t know about it? Looking at the potential gains
for perpetrators, from information theft and tampering, it would be naïve to ignore the fact that they
are already hard at work. The most obvious sign is Spam. Spam filters improve daily and detect most
spam but unfortunately also detect some valid messages and block them without warning. Hopefully
the sender, after a few days realizes that a message did not make it and resends it. This really defeats
the object of email and could slow down communication and sometimes jeopardize business. With
spam filters maturing, attackers are finding innovative ways to bypass them. Like counterfeiting,
fraudulent emails are looking more legitimate and with embedded links and interesting subjects, they
attract attention and unsuspecting recipients fall prey to traps and viruses are quickly spread from their
PCs to the corporate networks and beyond. Viruses however in many cases are far less of a threat than
spyware which silently captures keystrokes and passwords to cause far wider and expensive damage.
Malicious attackers are no longer only interested in getting small commissions from items they sell, but
more in getting valid email addresses that they can either sell for huge amounts of money or use them
to impersonate others to infiltrate systems. Of course they need to keep spam alive, which is their main
vehicle. The recipients typically see a message that looks like it has a “valid” email address and
automatically trust it. Some recipients will respond with a warning, which will bring the issue to your
attention, but unfortunately some will instantly blacklisted you, causing productivity losses and long
delays to clear your name. Worst of all YOU HAD NOTHING TO DO WITH IT!!
WISeKey USA Inc. Page 1
Spam started as a simple marketing tool but has progressed to become a very dangerous threat with
potential for serious damage that should never be underestimated. Where is this heading? The signs are
not good and following the trends, indications are that we will see some major attacks in the future.
When, where and who will be affected is difficult to predict, but be assured its inevitable. What does
one do for protection? It is actually quite simple, but requires some work and some money. With
implementation of electronic identities one can secure the content and also digitally sign a message to
protect it against tampering and provide a way of verifying the message origin.
There is some correlation between the real and electronic worlds when it comes to crime and fraud. In
the real world crime will typically be localized and normally signs of an attack can be detected. In the
Electronic world however, in most cases when information is stolen there is no indication this has
happened. It can go on unnoticed for years and could be triggered from anywhere in the world 24 x 7.
The question is how important is your information and if it does leak out what are the repercussions? If
you don’t anticipate major losses, you could procrastinate till some major attack is publicized and then
take action, or take a proactive approach and avoid headaches or potential liabilities. If you feel you are
secure and your information and Intellectual property is sufficiently protected in locked servers and
rooms, then you are either not using electronic communication to its maximum potential, to gain
benefits associated with it, such as saving paper, speeding up processes, extending your reach,
contributing to Green initiatives, saving money, time and more, or simply you’ve ignored the fact that
it’s probably the biggest asset. In conclusion, associated benefits of eIDs, such as digital signatures,
strong authentication and the ability to prove “you are who you say you are” in the impersonal world of
the Internet, far outweigh the costs.
It has to be better to secure than face the consequences. Makes you think, right?
Basil Mavropoulos - IT Security Director – WISeKey USA Inc. (www.wisekey.com)
WISeKey USA Inc. Page 2