We have failed to stop phishing, even after 2 decades. Can we finally agree that emails need digital signatures?
Email serves as one of the primary mechanisms of communication within the Western world – yet, decades after it first appeared on the scene, email still remains a source of security headaches. There has likely not been a single hour during the last decade, for example, during which criminals did not carry out successful phishing-based attacks by exploiting the inherent lack of security within standard and ubiquitous email technology.
In fact, despite so many years of sincere attempts at curtailing phishing, and in spite of the release of numerous technology products and human-training systems aimed at doing the same, and despite the availability of offerings to implement email-security standards such as DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF), and Domain-based Message Authentication, Reporting & Conformance (DMARC), phishing remains, to this day, one of the most effective ways of cyber-penetrating organizations. Phishing attacks are both so common and so commonly successful that many experts believe that a majority of American businesses have suffered some sort of successful phishing attack within the past year. Remember, while defenders need to secure all people and all systems within an organization, and need every target of a phishing attack to remain safe, a criminal needs only one person to fall prey in order to have a phishing attack pay off.
Ironically, some efforts to improve the security of email have also simultaneously increased various human-related risks by causing people to “lower their guards;” people who work in organizations that deploy sophisticated technology to filter inbound email messages in order to remove phishing messages and other spam, for example, are understandably more likely to fall for a scam that somehow makes it through the filter than would be identical people who, as a result of encountering bogus emails on a regular basis, have developed a healthy skepticism about the veracity of any particular email message.
While universal adoption of the aforementioned DKIM, SPF, and DMARC would dramatically reduce the general population’s exposure to phishing attacks, such ubiquity is highly unlikely to be achieved at any time in the near future. Furthermore, the aforementioned protocols do not protect emails from being read in transit by unauthorized parties, nor do they even attempt to guarantee the identity of a particular person as being the true sender of a particular message. And such issues are just the tip of the iceberg when it comes to email security.
Simply put, email remains insecure, and, frankly, unreliable. And – as evidenced by how many cyber breaches still find their origins in phishing emails – reactive approaches have clearly not done enough to fix the problem.
For businesses and other entities that have not yet done so, therefore, it might be time to finally consider utilizing digital signatures on all email messages sent within their respective organizations – which, when used along with end-to-end encryption, might both raise the email security bar dramatically, and do so without creating potentially dangerous over-trust.
In organizations that utilize digital signatures, for example, unsigned messages can be blocked or flagged as potentially dangerous when they appear to have been sent by people who the email system knows have the ability to sign messages; administrators and/or intended recipients can also be overtly warned accordingly. When it comes to intracompany communications, instead of trying to reactively remove problematic emails, an organization can allow only those known to be safe to be delivered, or flag accordingly all emails not known to be safe. Far fewer organizations would likely suffer from “CEO Fraud” losses – such as when a criminal’s email that appears to have been sent by an organization’s CEO arrives in the corresponding CFO’s mailbox instructing the latter to pay a third party for services already rendered. And, with phishing being a primary mechanism for spreading ransomware infections, digital signatures could also potentially prevent a lot of aggravation and financial losses.
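As an added example (not code from this post or its sponsor), here is a minimal triage rule for the policy just described: a message whose From address belongs to a sender the mail system knows can sign is flagged when it arrives without a signature. It assumes a constructed directory of known signers and constructed sample messages, and it only checks whether the message is structured as S/MIME- or PGP/MIME-signed; cryptographic verification of the signature itself is left to the mail client or gateway.

```python
import email
import email.utils
from email import policy

# Constructed directory (assumption): addresses the mail system knows can sign.
KNOWN_SIGNERS = {"ceo@example.com", "cfo@example.com"}


def carries_signature(msg):
    """True if the MIME structure is an S/MIME or PGP/MIME signed message."""
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        proto = msg.get_param("protocol", "")
        return proto in ("application/pkcs7-signature", "application/pgp-signature")
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        return msg.get_param("smime-type", "") == "signed-data"
    return False


def sender_address(msg):
    """Bare address from the From header, lower-cased for directory lookup."""
    _name, addr = email.utils.parseaddr(str(msg.get("From", "")))
    return addr.lower()


def triage(raw, known_signers=KNOWN_SIGNERS):
    """Return 'flag', 'verify' or 'pass' for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    addr = sender_address(msg)
    signed = carries_signature(msg)
    if addr in known_signers and not signed:
        return "flag"    # claims to be from a known signer but is unsigned: warn recipient/admin
    if signed:
        return "verify"  # hand to the signature verifier before delivery
    return "pass"        # unsigned mail from a sender not expected to sign: normal filtering applies


# Constructed sample messages (not real mail).
UNSIGNED_CEO = (b"From: CEO <ceo@example.com>\r\nTo: cfo@example.com\r\n"
                b"Subject: Urgent payment\r\nContent-Type: text/plain\r\n\r\n"
                b"Please wire the vendor today.\r\n")
SIGNED_CEO = (b"From: CEO <ceo@example.com>\r\nTo: cfo@example.com\r\nSubject: Q3 numbers\r\n"
              b'Content-Type: multipart/signed; protocol="application/pkcs7-signature"; '
              b'micalg=sha-256; boundary="b1"\r\n\r\n--b1\r\nContent-Type: text/plain\r\n\r\n'
              b"Numbers attached.\r\n--b1\r\nContent-Type: application/pkcs7-signature; "
              b"name=smime.p7s\r\nContent-Transfer-Encoding: base64\r\n\r\nAAAA\r\n--b1--\r\n")
OUTSIDER = (b"From: vendor@example.net\r\nTo: cfo@example.com\r\nSubject: Invoice\r\n"
            b"Content-Type: text/plain\r\n\r\nInvoice attached.\r\n")
```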
Of course, many organizations already leverage the power of digital signatures. But, most, clearly, still do not.
I personally have used digitally-signed email at many points during my career, and I hope that we will all see greater adoption of the relevant technologies in the near term; smaller operations can, today, enjoy the security benefits of relatively simple, low-cost options for deploying digital signatures and end-to-end encryption. Just as we are presently witnessing the world wide web transitioning from unencrypted HTTP to much more secure HTTPS – it would be nice to see similar types of developments in the world of email communication as well.
This post is sponsored by IronCAP. Please click the link to learn more about IronCAP’s patent protected methods of keeping data safe against not only against today’s cyberattacks, but also against future attacks from quantum computers.