We all use email almost every day for work. Day after day, week after week, our inboxes are flooded with notifications, password resets, correspondence, invoices, marketing stuff, and countless other types of information. Have you ever thought about what a cybercriminal could accomplish if they had access to your email inbox?
I want you to do a quick experiment for me. Log into your email, and just do a search for the last four digits of your Social Security number. Dig into the results and see if you can spot your own Social Security number in an email or document.
We did a very unofficial poll, and found that about three out of five people had their own Social Security number in plain text in the body of an email or within an attachment stored in their email. Search for the word “password” and see what comes up.
You get the idea.
The average worker’s email inbox can potentially contain very sensitive personal information that, when in the wrong hands, can be devastating. If your business has to gather some of that information, things like credit card numbers, bank account info, or other sensitive information, you likely have very strict and specific rules for collecting and storing it. However, those who communicate with your employees might not know about, understand, or care about the rules and compliance standards you have to meet.
In other words, those that you work with can potentially email you sensitive information without realizing that they are making you accountable for their own risk.
The problem is that if your business suffers a data breach where an employee’s email is compromised, you are putting your customers at risk, and you can’t turn around and say, “Well, you shouldn’t have emailed us your bank account information, that’s on you.”
Even worse is when the business doesn’t have clear secure channels for their customers to provide sensitive information, and they just take everything over the phone or over email. Either way, we’re looking at a huge potential disaster that’s being propped up by (hopefully) a strong password and maybe some multi-factor authentication.
An email inbox is basically the crown jewel of personal information for a cybercriminal. If someone has access to your email inbox, it means they can reset any password they want that’s associated with your account. They can often bypass some two-factor authentication systems, especially those that just use email for authentication. They gain access to all of your contacts, correspondence, and a huge wealth of information about you.
We’re going to come right out and say it: the average person’s digital hygiene is atrocious. From weak passwords, to using the same password across multiple accounts, to just adding a number at the end of the default password you were assigned, the average person sets themselves up for failure.
Weak passwords are extremely easy for a cybercriminal to crack, and using the same password across multiple accounts puts the security of one account in the hands of some other service. If you use the same password for your email as you do your Amazon account, and Amazon suffers from a data breach, then your email is essentially fair game.
Believe me, we thank you for being vigilant. It’s a huge help, and we hope that your efforts prevent you from having to deal with a cybersecurity attack.
But I have some bad news.
Strong passwords and MFA aren’t enough. They help a lot, and they will definitely slow the bad guys down, but there have already been proven cases where cybercriminals have slipped around two-factor/multi-factor authentication.
There are the “obvious” ways—by tricking a user into sharing their MFA code using over-the-phone verification, or just taking advantage of MFA fatigue by sending lots of MFA requests until the user slips up. Even scarier is a tactic called Session Hijacking.
Session Hijacking is where a cybercriminal gains access to a user’s already-authenticated session through some other type of attack. Usually by infecting the user’s PC with some very sneaky malware or tricking them into falling for a phishing attack, the cybercriminal is able to make a service believe that they are the user, who is still logged into their email and other accounts. Because that session has already passed the login, the multi-factor authentication is never triggered and the cybercriminal gets access to everything.
We’re all a little guilty of treating our inbox as a filing cabinet. I even rely on my email’s search feature to pull up older conversations and correspondence. Most businesses use some sort of CRM or line-of-business application where customer information is securely stored, but sometimes, a quick search in your email is a little more convenient.
This means users need to be aware of sensitive information when they receive it, ensure that it is handled appropriately, and then delete it from their inbox. That means filing it in the proper way, securely, and not transmitting it or storing it in insecure ways, such as email. Obviously, you’ll need to review your company policies and your industry's data retention regulations, and if you do business in different states or countries, you’ll need to be familiar with anything else that you might fall under. Still, your inbox isn’t a secure storage medium, and your company likely has an official way of processing and storing sensitive information. If not, it’s time you implement one.
Your clients, vendors, and other people that you communicate with aren’t always going to treat sensitive information in the right way, and that means you need to step up your game to make sure you aren’t on the hook for those you communicate with if something goes wrong.
Sensitive information consists of anything that can identify a person, such as names, addresses, contact information, photo IDs, Social Security numbers, and any sort of financial, criminal, or medical information. It also includes passwords and any sort of authentication methods, and anything that could be used to identify or track an individual.
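The inbox search suggested at the top of this post can be automated so that users can find and purge the kinds of data just listed. The following is an added example, not code from Capstone Works: it scans parsed email messages for Social Security numbers, Luhn-valid card numbers, and pasted passwords. The patterns and sample messages are constructed for illustration, and only text/plain bodies are inspected (attachments would need their own extractors).

```python
import email
import re

# Constructed patterns for the data types this post names: SSNs, card numbers, passwords.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),  # candidates only; Luhn-checked below
    "password": re.compile(r"\bpassword\s*[:=]\s*\S+", re.IGNORECASE),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so order or tracking numbers are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def body_text(msg) -> str:
    """Join the text/plain parts of a message; attachments (PDF, DOCX) are skipped."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def find_sensitive(text: str) -> dict:
    """Map each pattern name to its hit count in the text (names with zero hits are absent)."""
    hits = {}
    for name, rx in PATTERNS.items():
        found = rx.findall(text)
        if name == "card":
            found = [m for m in found if luhn_ok(re.sub(r"\D", "", m))]
        if found:
            hits[name] = len(found)
    return hits

def scan_messages(messages) -> list:
    """Return (subject, hits) for each message that holds something sensitive.
    Accepts parsed email.message objects or raw RFC 822 strings."""
    findings = []
    for m in messages:
        msg = email.message_from_string(m) if isinstance(m, str) else m
        hits = find_sensitive(body_text(msg))
        if hits:
            findings.append((msg.get("Subject", "(no subject)"), hits))
    return findings
```

To run it over a mailbox export (for example an mbox file from Google Takeout or Thunderbird), pass `mailbox.mbox(path)` from the standard library to `scan_messages`; each message it yields supports the same `walk()` interface.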
Don’t let a cybersecurity threat ruin your profitability. We help businesses throughout central Texas make sense of their IT. Believe us, even though technology is getting more and more complicated, your business can gain a lot of value from it when it’s working properly and your staff has the tools they need to operate your business effectively and securely.
Want to discuss how we can help? Give us a call today at (512) 343-8891 to set up a free consultation.
About the author
Capstone Works, Inc. has been serving the Cedar Park area since 2001, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.