Email in security hot seat with rise of Cloud, BYOD

Executives note a tremendous lack of awareness [among employees] as to what constitutes a risk

For most enterprises it is not enough to make sure their own email platform is secure. If their suppliers are not equally secure, they can be as vulnerable to criminal hackers and data leaks from human error as the weakest link in their supply chain.

The combination of a chain of usually small- to medium-size suppliers, the expansion of Cloud-based email services and the Bring Your Own Device (BYOD) trend among workers has created what Richard Parris, writing for BCW, calls a "complex melting pot of security challenges surrounding the secure transfer of sensitive data via email."

By now, the advantages and risks of BYOD have been well documented. While it promotes convenience, collaboration and mobile productivity among employees, it is vulnerable to malicious applications, theft and simple carelessness - employees storing corporate data in public Cloud services that are not secure, so they can access it anytime.

Companies are increasingly aware of those risks. In May, IBM famously issued a new set of BYOD policies that, among other things, forbid employees to use a competitor's cloud service (no more Dropbox, no more Carbonite, iCloud, etc.), to forward corporate email to private accounts, to transmit unencrypted data, or to use Apple's personal assistant, Siri, due to fears that confidential information might be forwarded to Apple.


Jeanette Horan, IBM's chief information officer, told MIT's Technology Review that there was, "a tremendous lack of awareness [among employees] as to what constitutes a risk," including forwarding internal corporate emails to webmail inboxes, exposing sensitive company information to possible security breaches.

Many companies also require remote wiping capability on employee devices in case they are lost or stolen, plus communication encryption software. They also require employees not to use a single password for multiple sites, and some are forbidding passwords of a single word.

But Parris, who formerly held technical and sales management positions at Boeing Computer Services and founded Intercede, argues that securing email also requires identity management -- a system that creates a digital identity for employees and other third parties connected to an enterprise, which will then track, "who is sending which email and information to whom, when and protecting it in transit and at rest."

Even that will not ensure protection of the email, he said. "It must also be run on a secure platform that delivers tightly controlled policy to enforce data labeling, digital message signing, encryption and checking of the actual content."

Jeff Wilson, principal analyst for security at Infonetics, agrees that an email management platform would help, since "most people are getting email on [multiple] mobile devices that could be lost, stolen, or compromised."

But he noted a more basic problem for many companies: "They don't even have an accurate inventory of devices connecting to their network or a framework for building a security policy and buying appropriate security solutions."

Those who want to remain in the marketplace may not have a choice about confronting and correcting such vulnerabilities, however. Parris wrote that enterprises that supply high-security customers will have to comply with information security standards set by the Transglobal Secure Collaboration Program (TSCP) for the governments of the UK, the U.S. and NATO.

Those standards are backed by enterprises including Lockheed Martin, Thales, Raytheon, Cassidian and General Dynamics for the Signed and Encrypted Email Over The Internet (SEEOTI) initiative.

Since email is the primary method of information sharing, enterprises must keep it secure, "to protect intellectual property and to compete in the global business environment," Parris said.


Stories by Taylor Armerding
