Indictment of Russian Yahoo hackers sounds the alarm on corporate email encryption

State-sponsored international espionage masterminded by Russian hackers brings one of the world’s largest, most secure email providers to its knees. Reads like the back cover of a spy novel, doesn’t it?  But there is nothing fictitious about the Russian cyber-attack that compromised what was originally thought to be more than 1 billion Yahoo accounts – and was recently revealed to be 3 billion. In other words, every single user at the time of the hack.  The Kremlin’s FSB (Federal Security Service) mined them for intelligence while the hackers hired to do the job were able to help themselves to credit card passwords and user information. The case continues to send a loud and clear message throughout America’s IT spheres:  If you think your email security is sufficient, you’re wrong.  Among the most vulnerable weak points exposed are commonly accepted encryption standards.

 

 

Two primary email encryption methods provide false sense of security

 

The two most widely applied email encryption processes are encryption in transit and encryption at rest. The upside of encryption in transit is that it prevents would-be hackers from seeing the data flowing across the internet. The downside is that the data is decrypted at the server in order to allow the recipient to view it. The danger lies in the potential for a hacker to breach the server, view and compromise the data.

 

With encryption at rest, data not being viewed via the server is encrypted in the storage media on cloud servers when not being used.  The security promise is that this prevents an attacker from accessing information on physical disks that were stolen from a data center. The benefit, however, is limited; most hacks take place over the internet, rather than by physical data center theft.

 

Whether it’s a cloud-based webmail platform or enterprise system, the server is the central and most vulnerable attack point.  Although headline news focuses on the large, notorious cases involving the big webmail providers, there’s no telling how many corporate breaches happen outside of the spotlights of public interest and international espionage.

 

IT managers and the C-suite are aware of the potential for corporate data theft via their communications platforms. What they may not realize, however, is that there are services designed under the assumption that the server will be compromised.  These services use end-to-end encryption, the “gold standard” method with no central points of attack, to protect user data even when the server is breached.

 

End-to-end encryption covers data in transit and at rest; messages and attachments are encrypted directly on the sender’s device and are decrypted on the recipient’s device. This means that only the sender and recipient can read them; the server cannot. In addition, the server does not have access to the decryption keys (as it does in encryption at rest).

 

 

Breach blindness caused by lack of an easy solution

 

Most people, even the non-technical, experience a vague sense of unease when asked about their email security.  There’s a resignation regarding personal accounts that the vulnerability caused by the need for servers to “read” emails in order to identify consumer trends and advertising opportunities is the price you pay for free service.  Employees of companies large and small also realize that administrative access to their email via the server is a condition of their employment.

 

At the same time, IT and executive leadership realize that something more is needed than the encryption methods that served to protect their businesses in the past. However, they can be reluctant to implement an end-to-end encryption solution, due to the misperception that it is difficult to use and outside of the traditional B2B workflow. Instead, all too often, management takes action when the company falls victim to a breach and suffers financial and/or reputational damage.  By then, it’s too late.

 

One thing is clear: corporate America needs to realize that cybercrimes like the Russian Yahoo attack hit much closer to home than it thinks. You don’t have to be an agent of Russia to hire a professional cyber-criminal. Any competitor, industry spy or disgruntled ex-employee can do it, too. On the flip side – you shouldn’t have to be an IT professional to use end-to-end encryption. Even the strongest encryption won’t benefit your business if your employees find it burdensome to use, and so skip doing so all too often.

 

Our system, PreVeil, uses end-to-end encryption to protect against attacks on the server, while making the process of encryption easy for all employees to use. PreVeil email is designed to work through a browser on a computer, or with an app for iPhone or iPad. There is no special email or domain required, so users are identified by their regular email address. No log-in. No pop-up box. No “encryption theater.”

 

In addition, decryption keys are stored only on the user’s authorized devices, and are never visible to the server. This means that not even PreVeil has access to the decryption keys, which are controlled by the end users (and ultimately the organizations where they work). And finally, most systems have the concept of a “super-user” or “administrator” who can access all information in the system – presenting a centralized point for targeting by hackers. With PreVeil’s “Approval Groups,” trust is not centralized, it is distributed amongst a set of administrators or users. No one person within an enterprise – whether they’re hacked from the outside, or are themselves an insider threat – can bring the entire business down.

 

Whether it’s a Russian hacker attacking Yahoo, or breaches of companies whose very mission is to keep that data safe such as Equifax, there’s a basic lesson to be learned for your business: what you think is safe enough, isn’t. Your next step: deploy an encryption method that covers your business from stem to stern, with no central point of attack, yet so easy your employees will use it consistently. Learn more at www.preveil.com.