Why Your IT Guy Doesn’t Trust Your Email

Your IT guy doesn’t trust your email. Or, more specifically, he doesn’t trust your email password. And it’s not just your IT guy.

Here’s why: when you use a password to log into an email account, that password is stored on a server somewhere (in most cases, the server belongs to Google or Microsoft). When you send a message from that account, the server decrypts it using the password and sends it on. When it receives an encrypted message, it decrypts it using the password and delivers it to your inbox.

The problem is that if someone gains access to that password, they gain access to everything in your account. And in today’s world of phishing scams and hacking attacks, where cybercriminals are constantly trying to steal passwords, it’s not uncommon for people to unwittingly give away access to their accounts. Other times, hackers can break into a cloud provider’s servers and steal users’ passwords directly. All told, there were 918 data breaches in 2015 alone that exposed over 169 million records. These types of breaches have been happening for years now, and will continue to happen, with no sign of letting up any time soon.

There are a lot of reasons why your IT guy doesn’t trust your email. It’s not because he’s a conspiracy theorist, or because he thinks you’re an amateur. It’s because email is insecure, unreliable and unsafe by design.

It’s not that there aren’t real security risks involved with email; the majority of the threats which plague enterprises today use email as a vector to get through to their targets. In fact, by integrating its security platform with Cisco’s Email Security Appliances, Trend Micro was able to identify over 7 billion spam emails in January 2016 alone.

The problem is that you can’t stop at spam. With phishing attacks on the rise, and spear-phishing becoming more sophisticated than ever before, training users to spot suspicious messages often isn’t enough to protect them from the threat of malware, ransomware and other zero-day exploits.

Traditional SaaS email solutions can’t protect users from these types of threats, either. While they do offer some basic protection against the most common attacks, they do nothing to protect against hacks or breaches into their own systems – which become more likely each year as these providers become more popular targets for hackers looking for easy (and lucrative) ways to get

We’re all familiar with the scenario: a new employee joins the company, and you (the company) want their email address added to various group conversations and permissions. So you send an email to the IT department to get it done.

The response comes back: “Sorry, I need an email address that is not Yahoo or Gmail for security reasons.”

This isn’t an isolated incident; it happens every day at essentially every startup, because there are two types of professionals in the world: those who use Gmail and those who don’t.

Those who use Gmail believe that Google has created the most secure and reliable email client out there. Those who do not use Gmail usually work in tech companies that have some sort of internal mail server. They believe that if they have a choice between using someone else’s email server or hosting their own, they should always host their own.

There are varying degrees of each camp, but many people fall somewhere in between – even if it’s just a little bit towards one side.

So why does this happen? Why does your IT guy refuse to add your friend from college with a Yahoo account to the company mailing list?

The IT manager at your company is a decent, hardworking person. He’s also not very happy with you. Why? Because you’re one of those people who sends out emails that are “unauthorized and potentially harmful to the network”. Your email signature is infected with malware, and every time someone opens an email from you, the malware has a chance to infect their computer as well.

The IT guy has one of two options: he can install an antivirus program on everyone’s computer, which will slow down everyone’s work, or he can ask everyone to stop using your email signature until it gets cleaned up. He chooses the second option, which means all of your emails now get blocked by the firewall.

As a result, you get lots of frustrated phone calls from clients and colleagues, who don’t realize your email signature is infected with malware! Your boss finds out and gives you a stern talking-to. You spend days cleaning up the mess, only to have it happen again a few weeks later because some new piece of malware has managed to slip through your firewall.

You’re sick of this! You want to find a better way!

In the IT world, there are two kinds of companies: those that have been hacked, and those that don’t know they’ve been hacked.

The former are just like you and me; they get phished, they fall for social engineering attacks, and sometimes they go to a website where a drive-by download is waiting. The latter are usually much bigger organizations that just haven’t realized yet that their intellectual property has been stolen, or their employees’ names and social security numbers have been published on Pastebin.

If you work in a small- to medium-sized business, you’re probably part of the first group. You have anti-virus software on your computer and you keep your OS up to date. You always think twice before clicking on a link in an email. You use unique passwords for every account, and you change them often enough so that if one does get compromised, the damage is limited.

But do you encrypt your emails? If not – why not?

I work in tech, so I get a lot of questions. And while the more specific ones tend to come from non-tech workers – who often have good reason not to understand what I do – the questions that bug me most are usually from people who work for other IT companies.

I’m not sure if this is because I am sensitive to criticism, or because we take pride in what we do at Mimecast and don’t like being lumped together with our competitors. But the question that gets my goat most often these days is “What do you do?”

The question itself isn’t inherently bad, but it always seems to be related to “Why does Mimecast exist?” or “What problem does Mimecast solve?”

My response, which is a little bit cheeky but also accurate, is that we solve your problems. Or rather, we solve the problems created by your IT department and/or IT service provider.

Let me give you an example. A few months ago I was talking to someone who worked at a large bank here in Johannesburg (our head office is in London). He told me he gets a call every day from his wife asking him if

In 2011, Google’s security team identified a problem. A large number of Google users were losing access to their accounts. Google’s highly-skilled and trained IT support staff could not get these users back into their accounts in a timely manner.

Google is known for its culture of automation, so it was both mystifying and frustrating that this problem was not solved by the company’s brilliant people and technology. After much investigation, Google found that the reason for the support delays was simple: many employees were submitting “I forgot my password” requests to IT in a language other than English.

The IT staff had been trained to respond to password reset requests in English, not in Chinese or Spanish or any other language. This meant that when users submitted a request to reset their password in a different language, they ended up waiting days or weeks for an answer—if they got one at all. This problem created delays and left users vulnerable during those periods of waiting time.

Addressing the translation issue was not enough to solve the underlying problems with user access. Users still had difficulty accessing their accounts (especially if they did not speak English), and IT staff were still overwhelmed with support requests.

As with many companies, Google uses email as its
