Use Case: How p≡p Security Fights Email Data Breaches

Data is big news. Whether it’s a tech company selling their users’ personal information, or a credit card company having a data breach that affects millions of people and potentially millions of dollars—data is on people’s minds these days.

If your company is still sending unencrypted emails, even to trusted organizations you do business with, you’re opening yourself up to a data breach. Email intrusions known as phishing scams are responsible for approximately 32% of data breaches. Add to that the fact that 90% of all malware infections start with an email intrusion, and you can start to see the importance of locking down this gateway into your corporate network with an end-to-end email encryption solution.

Because email is ubiquitous in the business world, often used to pass sensitive information from one business to another, or between individuals within the same organization, it’s crucial that your encryption solution is easy to use for all of your employees. The most technical of users has one idea of what makes software easy to use, while the least technical has a completely different idea. The key is finding a single solution that everybody can use, all the time. Why? Because the only secure email is an encrypted email.

What Constitutes an Email Data Breach?

In short—any time a hacker uses email to gain entry into a corporate network for the purposes of stealing confidential company information or user data. Whatever type of data they’re after, the vast majority of these attacks begin with a combination of social engineering and some kind of email intrusion. These intrusions can take several forms, and the majority of them fall under the general heading of “phishing.”

Phishing

This is the term used for when a hacker (mass-)emails people within their target company. This email will appear to come from a trusted source, a partner organization, or even someone from within the company itself, often an executive, to lend authenticity to the message.

Once the hacker spoofs a legitimate email address, they will either request pertinent information about user accounts, invoices, etc. in order to gain entry to the broader network, or attach some sort of malware.

Phishing is effective mainly due to that ubiquity of business email we mentioned above. Most employees within a company of any size spend the majority of their day sitting at a computer and respond to every new message alert almost instantly. Since so many emails are opened and read every day, it’s easy for a hacker to slip in a malicious message.

Spear-Phishing

A sub-category of phishing attacks, the difference here is in the target. Rather than blanketing the company with malicious emails, the attacker will do their research first and send customized messages to certain people within the target organization. This way, they can make specific requests that are tailored to the access each person has, or can more easily mask their true intent by tailoring the social engineering in their email to work on that particular individual.

For example, say the hacker is after PII (personally identifiable information) about a company’s employees. They could target the head of HR and maybe an HR manager, since these people have the authority to access the data the hacker is after. When researched thoroughly, this can be a much more efficient way to obtain personal data, as the fraudster only has to send a handful of messages to have a high chance of hitting the right mark.

Whaling

Another specialty sub-category of phishing attacks, in this case, the hacker masquerades as an executive within the company they’re attacking. This type of attack takes more time and planning, as the fraudster needs to know the real person they’re impersonating won’t find out until well after the attack has concluded. Some incredibly aggressive hackers have been known to spoof the email of a company’s CEO in order to garner the most respect and trust for their messages and to limit pushback on the requests they’re making.

How End-To-End Email Encryption Can Stop Intrusions Before They Begin

Email data breaches rely on a hacker’s ability to force their way through your email system. Whether by social engineering or by the use of malicious software, they’re using email as the attack vector. If you can lock down this entry point, you can stop data breaches in their tracks. p≡p for Email does this using several industry-leading tactics, including key predeployment.

Predeployment of public keys within an organization

Once p≡p is installed and operational on your company email system, public keys can be predeployed to all internal accounts. At the installation stage, you can also predeploy public keys to trusted, pre-established communication partners, further easing the transition. Then, when users install p≡p on their devices, a public key is automatically assigned to each device.

In situations where no user-to-user handshake is possible (e.g. in big enterprises, where a large number of employees work from remote locations), the communication partner’s verification can be pushed to all employees (establishing so-called trust), bypassing the need for future trust-establishing procedures. For example, new employee accounts can be automatically granted «Secure & Trusted» status at the time the account is created, reducing any further input from admins or the new users to the absolute minimum. It’s as easy as setting up any other business email account.

Ease of Use Is Crucial for Compliance

It’s simple: if you want every email to be encrypted, it needs to be seamless for the user. And that’s the secret to p≡p’s success. Once the software is installed on the user’s devices, every email they send to a trusted partner will be encrypted and every incoming email will be tagged with a traffic light indicator telling them the encryption status of that message.

The traffic light system is user-friendly and intuitive:

  • No color — Unsecure: the message is either not encrypted or the encryption is sub-standard
  • Yellow — Secure: the message is properly encrypted
  • Green — Secure & Trusted: the message is properly encrypted and from a verified party
  • Red — Mistrusted: the message is flagged as troublesome for a number of reasons

Using this system means your users need only glance next to each message in their inbox to know its status instantly. This effectively eliminates the possibility that they will fall for a spoofed email or inadvertently open an attachment that contains malware, thus immediately and radically reducing the chances of your company falling victim to a data breach.

Automated key management makes adoption seamless

The other primary way p≡p makes end-to-end email encryption seamless for your users is with automated key management. The full process of exchanging keys and encrypting or decrypting messages is automated by p≡p. By the same token, it eliminates the possibility of user error and reduces the attack surface by periodically changing out old keys for new ones, meaning that even if an attacker came into possession of an encryption key it wouldn’t be valid for long; the system would have changed it out automatically after a short period. Even though p≡p makes encryption fully invisible to the user, it never cuts back on security.

Required keys are generated by the p≡p Engine when p≡p is installed and enabled. Additionally, since p≡p is peer-to-peer there is no central key server or certificate authority to be compromised. This curtails all attack vectors that exploit these targets by simply eliminating the target altogether.

Automated Email Encryption: The End of Email Data Breaches?

That may sound grandiose, and it may be. But as you can see, the vast majority of corporate data breaches start with a simple email. And as much as we support and highly recommend some solid user training, people are fallible. That means someone will unwittingly open that malware-containing email attachment, thinking it really is a spreadsheet from finance. Or they’ll see the CIO’s name on an email and assume that whatever it says is gospel and share whatever information the sender is asking for.

This is not to disparage your employees in any way. Like we said, people are fallible. All of us. End-to-end email encryption is a security feature. Think of it as being similar to the key-coded locks you have installed on all the outside entry doors on your building. Those doors stop the vast majority of people from entering your private office space. Will they stop a determined miscreant from piggy-backing in with an employee? Not all of them. That’s where training comes in. But the more you can eliminate the chances for human error to crop up, the more secure your corporate data will be.