Subscribe

Who is taking liberties with your e-mails?

Smaller businesses should review their business practices and at least pay for a reputable e-mail provider, says business security architect at CS Interactive Training, Louw Labuschagne.


Johannesburg, 22 Jun 2018
Louw Labuschagne.
Louw Labuschagne.

Our news media is filled with headlines of large organisations whose systems were compromised, resulting in sensitive data being leaked. The Hollywood version of these events depict criminals in darkrooms, speaking foreign languages and using super smart techniques to break into unsuspecting companies core business systems, says business security architect at CS Interactive Training, Louw Labuschagne.

The reality on the ground is somewhat different. I don't dispute the fact that there are really, really smart hackers breaking into super secure systems, but the most devastating data leaks were caused by insiders leaking critical data (wikileaks) or technical staff not implementing basic security standards (Master deeds data published on a web server with public directory browsing allowed). The most talked about leak last year was actually not core systems data being shared, but a family run business's e-mails. The impact of its e-mails being published resulted in its business, a well-known shebeen in an upmarket suburb in Johannesburg, closing down.

Recently another big insurance company had their e-mail system and information compromised. Fingers are now being pointed at information technology specialists and especially the cyber security teams, on why sensitive client information is not secured and protected. In my experience I have found that large financial institutions are serious about information security and do spend millions every year on building ever more comprehensive security controls into their core business systems but at the same time business units and staff are trying harder to bypass these controls to make it easier for them to deliver better and faster customer service.

My take on the problem is that unless we change our business culture and ensure that business management (and not IT) takes accountability for information, we will not stop the leaks. This is true for large and small organisations.

In large enterprises executives spend millions on core business systems with proper authentication, auditing, information classification and encryption, but in a more connected world where we expect quicker turnarounds and flexibility we see that staff members are using e-mail as part of the "informal" business process.

It might be quicker to just send a list of your top clients' contact details per e-mail to your sales teams to get them started on the new product marketing campaign rather than capturing everything into the CRM systems (since the new team members are not loaded in the systems and you are too busy to do it now, or anytime soon) or it might be that client that phones you about his FICA documentation that was rejected by your automated Web site, so you offer to load it for him, he must just send the confidential docs per e-mail as attachments.

Even senior managers implement "approval" systems using e-mails to approve procurement of equipment or approving a budget or even leave, even though the company does have ERP solutions for those scenarios, but you are too busy to get it configured and everybody trained.

Based on this evidence you would expect that companies treat the e-mail system as one of the most important business systems, since the information shared and stored as attachments can be very sensitive and cause tremendous harm (as we have seen above), but no, that is not the case!

In large organisations the e-mail systems are grouped under infrastructure services and the systems are managed as a critical system from an infrastructure perspective, however there is very little controls from an information perspective. I am sure no executive really knows which techie in his company has full admin rights on the e-mail system, allowing access to all mailboxes and e-mails. Managers give access to their e-mail inboxes to staff members or personal assistants to ensure that the "informal" approval process can continue while they are out of town or on leave. Support personnel share e-mail addresses and passwords to ensure that anyone can access the "support" e-mail address.

It is even worse in smaller organisations where there are fewer business systems and more informal processes built around e-mail systems. You will find "approval" systems where the manager will approve payments by e-mail and even customers can ask for changes to their personal or banking details by just sending an e-mail.

To make matters worse, the whole company sometimes share an e-mail address e.g. companyname@cellphonecompany.co.za. In this case the password must be shared by all company employees, so it has to be simple enough to remember and never changed. In this case the company has no control over their e-mails and sensitive information is stored on foreign servers all over the world. More evolved companies have Web sites and ask the company managing their Web site to create e-mail addresses on the Web server using SMTP services. This is a hacker's dream, simple to replicate and easy to either analyse and read the company's e-mails or for launching spam campaigns on other companies (mostly your customers and suppliers). These businesses have no idea who is actually accessing the company's e-mail or what it is going to be used for, since the e-mail system is actually hosted on locations across the globe.

My advice for smaller businesses is to review their business practices and at least pay for a reputable e-mail provider, I would suggest a MS Office365 for business subscription or Google Apps for business subscription, these providers are running secured environments and also provide several tools that you can use to optimally manage your e-mails.

If you are a manager at a large organisation, involve your business analyst or enterprise architecture team to assist you in reviewing current e-mail practices and how you can solve your business problems without saving sensitive customer or business data in the e-mail system.

Ensure all staff is aware of basic best practices with regards to e-mail communication and if you get a strange e-mail or joke from someone you don't know, just remember: DON'T CLICK ON THE LINK!

My final piece of advice, go and change your e-mail account password now, and don't use the same password that you use for Facebook or Twitter or other social media venues. Check out the following Web sites to see if your previous passwords are available online (stolen without your knowledge)

https://hacked-e-mails.com/

https://haveibeenpwned.com/

Louw Labuschagne is a Business Security Architect @ CS IT. The company provides specialist cyber security training and services through its Cyber Security Institute division. It also offers pre-packed CS Cybershield solutions for smaller organisations (between five and 500 people) where we combine business security health checks, vulnerability scans and awareness training to empower business users to take ownership of security of their information.

https://cybersecurityinstitute.co.za

http://www.csinteractivetraining.com/cs-interactive-training-18.html

Share

Editorial contacts

Louw Labuschagne
CS Interactive Training
louw@csinteractivetraining.com