Sergey Nivens -

The Security Interviews: Making sense of outbound email security

Screening inbound emails is an accepted part of an organisation’s security posture, but the topic of securing outbound traffic is less often discussed. Zivver’s Rick Goud is on a mission to change this

When you think about email security, you think of suppliers such as Mimecast or Proofpoint, whose marque pops up at the bottom of millions of business emails as a guarantee that the email you are reading was scanned and deemed safe by its filters.

But Rick Goud, who came to cyber with a background in healthcare informatics, argues that the statistics clearly show that the biggest risk that email presents to an organisation’s security is not the act of receiving email, but the act of sending it.

Now, as CIO and co-founder of Zivver, the Netherlands-based firm he set up to revitalise secure communications, he is trying to make others understand this.

“It was around six years ago when I saw the GDPR [General Data Protection Regulation] coming up – it was not yet announced, but things were building up towards legislation,” he says. “When I looked around, I saw everybody using normal email, Dropbox, WhatsApp, snail mail, couriers, fax machines, insecure SaaS [software-as-a-service] tools or user-friendly portals to share very sensitive information.

“Every time I asked people why, and the answer was always: I don’t know how to do it easily and securely. I thought that was probably not true, but then I did some research and I could not find a solution that, at least according to my standards, was both secure and user-friendly enough.”

Also, all the solutions Goud found tried to focus on securing the transport layer and making sure that emails were encrypted and data could not be intercepted by a malicious actor, when the statistics suggested that actually, most data leakage through email is not caused by malicious actors, but by user error.

“Mistakes by employees actually cause 80-90% of all the data leaks, like mission-drift, using weak passwords, adding the wrong type of attachment, putting people in the CC instead of BCC, that kind of stuff,” he says. “And I saw that nobody really tackled that yet. That was the starting point of Zivver.”

Why is outbound security not being tackled, then?

There are two main reasons for the lack of attention paid to outbound email security, says Goud. The first stems from the conflation of different aspects of security into one concept that does not necessarily fit an organisation’s security needs.

“Until now, we have talked about email security as if it was one thing but, looking at the market, it is actually a collection of three different domains,” he says. “One is threat protection, one is brand protection, and the third is email data protection – securing sensitive data that you share via email.”

But traditionally, organisations have focused mostly on the threat protection bucket – and not unreasonably, he says. Phishing is a common touchpoint for cyber security – it’s what the average user is probably most aware of – and it is easily quantifiable and fixable for security teams.

“If you look at outbound email security, there are 10 different phases in the communication process where an error can occur, so it is more complex to secure than just the one incoming email touchpoint,” says Goud.

The second factor is the introduction of the GDPR and other relevant legislation outside Europe, which has made users’ own handling of their employer’s data a complex matter in risk and compliance terms.

For example, if adding multiple emails to the CC field instead of the BCC field is considered a GDPR breach, you would be hard-pressed to find anyone in any organisation who has not accidentally breached the regulations.

“I think it is this combination of it being harder to solve, and lack of awareness, that has caused most organisations to not tackle this yet,” says Goud. “That is changing fast, but I would be surprised if more than 5% of organisations really have appropriate measures in place for these risks.”

Read more about email security

These risks are important to address because without the development of telepathic means of communication, email is going to stick around for some time to come, and it is already several decades old.

“That’s the power of email, right? The power of email is that everybody uses it, everybody knows it and everybody can create things with it freely,” says Goud. “However, the protocol stems from the 1970s, it is not built for security and with it being used globally, having to involve a lot of stakeholders to evolve the protocol, it cannot keep up with the security practices that GDPR requires that you have in place.

“That is what typically creates a conflict in organisations. They want to use email because that is what their people use. They don’t want to use email because it does not comply to the requirements for GDPR and how to bridge that gap is one of the biggest struggles for organisations today.”

Training and awareness initiatives can help bridge the gap – but getting users to tedious PowerPoints (as many organisations persist in doing) is difficult and rarely pays off. Guidelines need to be concise and relatable, and with the best will in the world, that’s not an easy thing to make happen. This is why Goud recommends building elements of an outbound email security training plan into a multi-layered approach.

“With cyber criminals increasingly using email as their attack vector of choice, organisations need to deploy an easy-to-use email data protection solution that helps employees to make better and safer decisions when emailing sensitive information,” he says.

“Striking the right balance between security and usability is critical – easy-to-use security solutions that are intuitive and seamlessly embedded into everyday working lives will enable non-tech-savvy employees to participate in cyber security efforts.

“This multi-layered approach will optimise the efficacy of an organisation’s outbound email security, resulting in increased trust among customers – assured by the safe handling of their personal data – and preventing breaches of privacy legislation such as the UK DPA [Data Protection Act] and GDPR.”

Bridging the gap, Tesla-style

Perhaps the simplest way to explain how Zivver is reimagining email security is to draw an intriguing analogy with automotive company Tesla, which in recent years has fundamentally redesigned the idea of the car, while retaining its basic look and feel. The first version of the Model S even had a radiator grille, which made no sense for an electric vehicle, and which most current electric vehicle models (Tesla or not) do not have.

Goud believes a more radical design might have resulted in less consumer demand and adoption, and in areas where Tesla has adopted more unusual designs, challenges have indeed arisen – gull-wing rear passenger doors look cool, but if you accidentally open them in a multi-storey car park, you may have a problem. “With change, there always needs to be backward compatibility,” says Goud.

Simply put, by replicating what is expected of email security in terms of look and feel – Zivver integrates seamlessly with existing infrastructure such as Outlook, Microsoft Office 365 and Gmail – but doing something completely different under the bonnet, Goud reckons Zivver can completely refresh messaging.

Through a combination of supervised and machine learning, Zivver’s SaaS platform examines emails as they are being written, taking into account factors such as the email’s content, what constitutes normal user behaviour and so on, and determines the appropriate levels of security to apply based on context.

For example, someone sending a quick message to a frequent contact that says “I’m running late, see you in five minutes” is probably OK, but someone sending what appears to be medical information or social security data to a new contact would prompt warnings for the user and the application of measures such as encryption.

“We are trying to transform digital communication not by being email, but by disguising ourselves as email”
Rick Goud, Zivver

“All these things we can detect while the user is typing, before sending, but we can only do that because we’re not email,” says Goud. “By disguising that functionality in email clients, we can help prevent the errors that people typically make with email.”

On sending, the platform transforms the message into the required format or communication protocol, adding capabilities such as enabling documents to be digitally signed, or directed to non-email systems, such as an enterprise resource planning (ERP) or customer relationship management (CRM) system.

By framing email through the lens of personal habit and business benefit, Goud says the platform can support an ever-increasing range of use cases, all spiralling out from the idea of traditional email, and empowering organisations to prevent accidental data leaks.

“The guys at Tesla understood that they had to disguise the car of the future as the car of today so that people would know how to operate it, while under the hood, it had nothing to do with the car of the past,” he says. “That is how we are trying to transform digital communication – not by being email, but by disguising ourselves as email, so people do not have to change the way of working.

“Then we can be a future-proofed partner for organisations to work in a secure way. That’s a long-term goal of the company, not to be an email provider but to be a communication partner. If an organisation has asked me for secure email, they are not asking for a secure protocol, they are asking for a way to let their employees communicate.”

Read more on Privacy and data protection

Data Center
Data Management