August 23, 2017
Strengthening Trust in Email Communications
In 1774, two years before the Declaration of Independence, William Goddard, a patriotic newspaper publisher, found himself frustrated that his Pennsylvania Chronicle was not reliably delivered. The Crown post, the British-controlled colonial mail service, often tampered with the newspaper. This disruption of mail delivery deprived Goddard's colonial readership of important and timely revolutionary news, and the Pennsylvania Chronicle went out of business because it could not reliably reach its readers. Less than a year later, the Continental Congress acted on these concerns about the trust and integrity of mail delivery by creating the precursor to the U.S. Postal Service. With its public reputation damaged, the Crown post soon followed the Pennsylvania Chronicle and went out of business in 1775.
This early mail delivery story is a good analogy for the lesson: if the messenger service can’t be trusted to deliver content without interruption or tampering, both the delivery service and the content providers may quickly find their businesses in trouble.
Fast forward to today. Email is now the de facto mail service worldwide, delivering content to and from all types of businesses including financial services. Email is so heavily relied upon that many companies consider email to be a “business-critical” service.
Unfortunately, email was designed without security in mind; its core protocols predate the internet as we now know it. Like the Pennsylvania Chronicle sending newspapers to its subscribers via the Crown post, an email may be read and tampered with in transit, before it reaches the recipient's server. Interception and alteration of traffic by a party sitting between sender and receiver is commonly known as a man-in-the-middle attack, and because SMTP sends mail unencrypted by default, even a passive eavesdropper on the path can read message contents without altering anything. Fortunately, there is a scalable, low-cost, standards-based technology that protects the confidentiality and integrity of mail while it is in transit between servers: Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL). It is the same technology that secures websites and web browsers, so many business executives are already familiar with it. (TLS protects the connection, not the mailbox: mail stored on either server needs separate controls.)
TLS protects the confidentiality and integrity of mail in transit by encrypting each SMTP connection and, when the sending server validates the receiving server's certificate, authenticating the receiving server. Encrypting the connection removes the cleartext an eavesdropper could read and lets either side detect an attacker on the path altering the message between the two servers. Mutual authentication, in which the receiving server also checks the sender's certificate, is possible with TLS but is rarely used between mail servers; in practice most SMTP TLS is opportunistic, meaning the sender uses TLS when the receiver offers it and often does not check the certificate at all. TLS protection is also hop-by-hop: it covers one connection between two mail servers, not the message at rest on either of them or any later hop that does not use TLS. Even so, TLS provides an additional layer of defense that helps protect customers and businesses from otherwise avoidable harm from malicious actors.
In today’s fast moving technology environment many companies are choosing to deploy email encryption to:
- Keep emails confidential as they traverse the internet;
- Speed up and secure communications with customers, partners, vendors, etc.;
- Comply with industry regulation such as the Sarbanes-Oxley Act, Gramm-Leach-Bliley Act and Payment Card Industry Data Security Standard (PCI DSS) for many financial institutions in the U.S.; and,
- Protect their reputation and relationships.
One thing for sure: you don’t want your company email ending up as a headline in the news.
In terms of implementation, many companies run their own email systems, but trends suggest others are choosing third-party service providers to host and send email. TLS works well in either environment, requiring minimal setup and maintenance and little additional computational overhead. While some large operators, such as Google and Microsoft, offer TLS-enabled email services, not all email service providers offer (or activate) TLS support by default. Under fTLD's Security Requirements, whether .BANK or .INSURANCE domain registrants insource or outsource their email services, TLS must be opportunistically enabled when sending and receiving email. Two caveats for those implementing the requirement: first, "opportunistic" means a sending server uses TLS only when the receiving server advertises the STARTTLS extension, so an active attacker who strips that advertisement from the connection can force a fallback to cleartext; second, a sending server that does not verify the receiving server's certificate gains confidentiality against passive eavesdropping but no assurance of whom it is talking to. Operators should confirm in their delivery logs and in the Received headers of inbound mail that TLS is actually being negotiated, not merely enabled in configuration.
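The following is an added example, not code from the original article or from fTLD, showing the two checks a practitioner would run after enabling TLS: an offline audit of a message's Received headers to see which hops actually used TLS (the hop-by-hop caveat above), and a live STARTTLS probe that, unlike most opportunistic delivery, requires and verifies the receiving server's certificate. The sample message and its host names (mx2.bank.example, relay.vendor.example and so on) are constructed for illustration; the protocol tokens ESMTPS and ESMTPSA come from RFC 3848, and the TLS annotations follow the formats Postfix and Gmail write into Received headers.

```python
"""Audit whether mail actually travelled over TLS, hop by hop, and probe a
mail server for STARTTLS with full certificate verification."""
import re
import smtplib
import ssl
from dataclasses import dataclass
from email import message_from_string
from typing import List, Optional

# RFC 3848: "with ESMTPS" / "with ESMTPSA" record a hop that used STARTTLS;
# plain "ESMTP" / "SMTP" record a cleartext hop. Longest tokens first so the
# alternation does not stop early at "ESMTP".
_PROTO_RE = re.compile(r"\bwith\s+(ESMTPSA|ESMTPS|ESMTPA|ESMTP|SMTP|LMTP)\b", re.I)
# Postfix writes "(using TLSv1.2 with cipher X ...)", Gmail "(version=TLS1_2 cipher=X ...)".
_VERSION_RE = re.compile(r"(?:using|version=)\s*(TLSv?[0-9][0-9._]*)", re.I)
_CIPHER_RE = re.compile(r"cipher[= ]([A-Za-z0-9_-]+)", re.I)
_FROM_RE = re.compile(r"^from\s+(\S+)", re.I)


@dataclass
class Hop:
    sender: str                 # host named in the "from" clause
    protocol: str               # ESMTPS, ESMTP, ...
    tls_version: Optional[str]  # None when the hop did not record TLS
    cipher: Optional[str]

    @property
    def encrypted(self) -> bool:
        return self.protocol in ("ESMTPS", "ESMTPSA")


def audit_received(raw_message: str) -> List[Hop]:
    """Return one Hop per SMTP Received: header, newest hop first (as in the
    message). Headers without an SMTP protocol token (local delivery) are skipped."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())           # unfold the header
        proto = _PROTO_RE.search(flat)
        if not proto:
            continue
        ver = _VERSION_RE.search(flat)
        ciph = _CIPHER_RE.search(flat)
        frm = _FROM_RE.match(flat)
        hops.append(Hop(frm.group(1) if frm else "?", proto.group(1).upper(),
                        ver.group(1) if ver else None,
                        ciph.group(1) if ciph else None))
    return hops


def cleartext_hops(raw_message: str) -> List[str]:
    """Senders whose hop exposed the message in clear; empty means every SMTP hop used TLS."""
    return [h.sender for h in audit_received(raw_message) if not h.encrypted]


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to a mail server, insist on STARTTLS and verify its certificate
    against `host` the way a browser would (network access required). Raises if
    STARTTLS is not offered or the certificate does not validate; an
    opportunistic MTA would instead fall back to cleartext in the first case."""
    ctx = ssl.create_default_context()           # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError(f"{host} does not advertise STARTTLS; mail would go in clear")
        smtp.starttls(context=ctx)               # fails on untrusted or mismatched certificate
        smtp.ehlo()                              # RFC 3207: re-EHLO after the TLS handshake
        return {"version": smtp.sock.version(),
                "cipher": smtp.sock.cipher()[0],
                "subject": dict(rdn[0] for rdn in smtp.sock.getpeercert()["subject"])}


# Constructed sample: three hops, of which the middle one (vendor relay to the
# bank's MX) was delivered without TLS.
SAMPLE = """\
Received: from mx2.bank.example (mx2.bank.example [192.0.2.10])
\tby mail.corp.example (Postfix) with ESMTPS id 4ABC123
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\tfor <alice@corp.example>; Wed, 23 Aug 2017 10:00:01 +0000
Received: from relay.vendor.example (relay.vendor.example [198.51.100.7])
\tby mx2.bank.example with ESMTP id 9XYZ789
\tfor <alice@corp.example>; Wed, 23 Aug 2017 09:59:58 +0000
Received: from laptop.vendor.example ([203.0.113.5])
\tby relay.vendor.example with ESMTPSA id 7LMN456
\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
\tWed, 23 Aug 2017 09:59:55 +0000
From: bob@vendor.example
To: alice@corp.example
Subject: August statement

Please find your statement attached.
"""

if __name__ == "__main__":
    for hop in audit_received(SAMPLE):
        print(f"{hop.sender:28} {hop.protocol:8} {'TLS' if hop.encrypted else 'CLEAR':5} "
              f"{hop.tls_version or '-'} {hop.cipher or '-'}")
    print("cleartext hops:", cleartext_hops(SAMPLE))
```

The audit deliberately trusts only the protocol token, not the presence of a cipher string, because each Received header is written by the receiving server of that hop and the formats vary; an ESMTP hop with no TLS annotation is reported as cleartext. The probe uses the default SSL context, which rejects self-signed and mismatched certificates, so a server that "passes" an opportunistic delivery can still fail here; that difference is exactly the gap between TLS being enabled and TLS being verified.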
Don’t forget the lesson William Goddard and his Pennsylvania Chronicle learned over 240 years ago. If our most relied-upon method of communication, email, lacks integrity and confidentiality, then we must secure it so that our customers can be informed of the latest news. Whether it is the Battle of Lexington and Concord or last month’s account statement, customers and businesses need to know their communications are secure and trustworthy.
By Andrew Kennedy, Financial Services Roundtable/BITS Cybersecurity Advisor to fTLD