What is email security?
Email security is the process of ensuring the availability, integrity and authenticity of email communications by protecting against the risk of email threats.
Email enables billions of connected people and organizations to send messages to one another. It is at the foundation of how the internet is used, and it has long been a target for attacks.
Since the earliest days of email, it has been abused and misused in different ways with no shortage of email threats. Abuse of email includes the following:
- phishing attempts
- spam phishing
- malware delivery
- business email compromise (BEC)
- denial of service (DoS) attacks
Email security aims to help prevent attacks and abuse of email communication systems. Within the domain of email security, there are various email security protocols that technology standards organizations have proposed and recommended for implementation to help limit email risks. Protocols can be implemented by email clients and email servers, such as Microsoft Exchange and Microsoft 365, to help ensure the secure transit of email. Looking beyond just protocols, secure email gateways can help organizations and individuals to protect email from various threats.
The topic of email security also includes privacy concerns, as unauthorized parties could potentially read email that contains sensitive information.
How secure is email?
By default, email is not secure for a variety of different reasons.
The original implementations of email protocols, including Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP) and Post Office Protocol 3 (POP3), did not mandate the use of secure transport mechanisms, such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS). As such, connections to and from an email server were not made over an encrypted tunnel, which means that an intercepted message could potentially have been read by anyone.
Adding further complications, email messages are often stored on email servers in an unencrypted format. System administrators with access to an unencrypted email server could potentially gain access to read any email. A user email account can only be as secure as the server on which the email is stored.
The user side of email is another area that demonstrates its inherent insecurity. Access to user email accounts is commonly secured only by a username and password, which is often insufficient to deal with modern email threats. With the volume of data breaches continuing to grow year after year, an increasing number of email credentials have been leaked to public sites. Attackers can sometimes simply find user credentials for email services from public data breaches. Brute-force and password-guessing attacks are also a risk of the username/password approach to email access.
Email insecurity also comes from a lack of guaranteed authenticity. It is possible and common for attackers to spoof an email address and make it appear as though a fake email has come from a legitimate address. The lack of email authenticity is a common tactic used in phishing attempts, as well as spam phishing attacks that cast a wider net to attract unsuspecting victims to click.
Why is email security important?
Email is used for business communications and is often a foundational element of an organization's IT operations and ability to communicate both inside and outside of the company.
A risk to email, such as a loss of access due to a DoS attack, can restrict an organization's ability to conduct business. Spam, another key email threat, also has negative impacts on a business, including filling inboxes with useless information and potentially leading to phishing attacks.
Email can also often include sensitive data that is intended only for the recipient of an email message. Without email security, the sensitive information could be leaked to an unauthorized entity.
Authenticity of corporate email also highlights the importance of email security. If an unauthorized individual is able to send email that seemingly comes from a corporate email account, it could lead to fraud as part of a BEC attack.
What are the benefits of email security for businesses?
As most organizations continue to rely on email for business operations, email security technologies and best practices provide several critical benefits for businesses of all sizes, including the following:
- Availability. At the most basic level, email security can help to ensure the continued availability of email services so a business can continue to communicate with its employees and customers.
- Authenticity. Having email authenticity measures in place can help to build trust for an organization and its users that email coming from its domain is authentic.
- Fraud prevention. The ability to identify potential email security risks, such as spoofing, can potentially help an organization to reduce the opportunity for fraud.
- Malware prevention. An appropriate set of security capabilities in place on an email platform can limit risks of malware transmitted by email.
- Phishing protection. Phishing attacks can trick employees into clicking on links or downloading files that could be harmful and lead to information disclosure and credential theft.
Email security best practices
While email is not secure by default, there are proactive best practices that individuals and organizations can take to significantly improve email security, including the following:
- Enforce encrypted connections. All connections to and from an email platform should occur over an SSL/TLS connection that encrypts the data as it transits the public internet.
- Encrypt email. While perhaps not an ideal option for every user at every organization, encrypting email messages provides an additional layer of privacy that can help to protect against unauthorized information disclosure.
- Create strong passwords. For users, it is important that any passwords are complex and not easy to guess. It's often recommended that users have passwords with a combination of letters, numbers and symbols.
- Implement 2FA or MFA. While strong passwords are helpful, they often aren't enough. Implementing two-factor authentication (2FA) or multifactor authentication (MFA) provides an additional layer of access control that can help to improve email security.
- Train on anti-phishing. Phishing is a common email threat. It's important to train users to avoid risky behaviors and spot phishing attacks that get through to their inbox.
- Use domain authentication. The use of domain authentication protocols and techniques, including Domain-based Message Authentication, Reporting and Conformance (DMARC), can help to reduce the risk of domain spoofing.
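A DMARC record only reduces spoofing risk if it actually enforces a policy, so a defender's first check is to read the record's tags rather than just confirm one exists. The following is an added example, not part of the original article: it parses a DMARC TXT record and flags the common weak configurations (monitor-only p=none, a partial pct, an sp=none subdomain gap, no rua reporting address). The sample records are constructed and example.com is a placeholder, not real DNS data.

```python
ENFORCING = ("quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in filter(None, (p.strip() for p in record.split(";"))):
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    return tags


def assess_dmarc(record: str) -> dict:
    """Return the effective policy plus findings a defender would act on."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "")
    sp = tags.get("sp", policy)          # sp= defaults to p= when absent
    pct = int(tags.get("pct", "100"))    # pct= defaults to 100
    findings = []
    if policy not in ("none",) + ENFORCING:
        findings.append("missing or invalid p= tag; receivers ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only part of failing mail")
    if sp == "none" and policy != "none":
        findings.append("sp=none leaves subdomains spoofable")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports on spoofing attempts")
    return {
        "policy": policy,
        "subdomain_policy": sp,
        "pct": pct,
        # Only quarantine/reject applied to 100% of failing mail keeps spoofs out of inboxes
        "enforcing": policy in ENFORCING and pct == 100,
        "findings": findings,
    }


# Constructed sample records; example.com is a placeholder, not real DNS data.
SAMPLES = {
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
    "enforced": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com",
}

for name, record in SAMPLES.items():
    print(name, assess_dmarc(record))
```

In practice the record is fetched as the TXT record at _dmarc.<domain>; the assessment logic is the same whatever tool retrieves it.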
Email security tools
Best practices alone are not typically enough to help guarantee email security and reduce the risk from threats. Email security tools and services can help organizations with managing and improving security posture. Examples of these tools include the following:
- Integrated online email service provider platforms. Microsoft Exchange Online is part of the Microsoft 365 Business Standard suite and provides an integrated set of email security capabilities for users. Similarly, Google Workspace offers an enterprise-supported version of Gmail that integrates email security as part of the online service. Both Microsoft and Google services provide integrated antimalware and antispam capabilities, as well as options for encrypted data transit.
- Email security gateways. For organizations that have on-premises email systems and cloud-hosted email, an email security gateway can provide an inspection point for malware, spam and phishing attempts. Email security gateways are available from multiple vendors, including Barracuda, Cisco, Forcepoint, Fortinet, Mimecast, Proofpoint and Sophos.