In a recent episode of the BBC documentary series Panorama, filmmakers looked at the true nature of cybercrime and hacking. The programme covered the security risks associated with seemingly private forms of communication and, in particular, email security.
The BBC isn’t alone. There has been a considerable push to educate businesses and individuals about the risk of cybercrime, from the government’s in-depth guides to cyber security to the simple, consumer-focused Get Safe Online.
As a result, IT security awareness has increased dramatically. But awareness isn’t enough. Securing technology takes action.
So why is it so easy to find companies that are still making the same old security mistakes, time and time again?
Without email security, email isn’t a secure way to communicate
You’d expect a reputable Central London estate agency to use secure processes. Even more so if they already used electronic document signatures and took a great deal of care to handle contracts digitally.
And the last thing you’d expect is for funds to be requested in a simple plain-text email. But that’s exactly what happened to our colleague, who recently went through the process of moving home. He was sent requests for funds in plain-text emails – not just once, but multiple times.
Typically, a request for funds or invoice will include:
- A breakdown of amounts due, including rental or purchase prices
- Contact details for your existing and future address
- The bank details required to make the payment
All of this information is confidential and personal. If the email were intercepted – which is perfectly possible given the absence of any encryption or secure connection – it would all be exposed to a third party.
However, the real issue isn’t just one of interception. It’s the implications of an attacker modifying the email before it reaches its destination.
An attacker could intercept the email, change the bank account details to their own, and then send the email on to its final destination. In that instance, a customer would make payment as instructed – and would only realise they had transferred money to the wrong account when the agency began to chase them for their money.
Unfortunately, by this point, it’s too late. Someone needed to take responsibility for security – and take action – long before this point.
Who is responsible for security?
When confronted about their lack of security, the estate agent was perplexed. This issue was clearly part of their repeated, regular processes, and nobody else had shown any concern.
So who is responsible for setting the standards? Should the estate agent take the lead on security, or wait for a customer to ask how information is kept safe?
The answer seems obvious, but security costs money. It’s only natural that, when the customer will bear the brunt of a breach, estate agents – and every business – are reluctant to take a proactive stance. They don’t feel like they have much to lose.
In reality, though, these agents are leaving themselves exposed. Their bank balances may not suffer the immediate impact of a breach, but their reputation will. That’s why it’s vital that every business considers the security of its communication.
And, with the right solution, your response can be as easy and cost-effective as your fairly limited level of exposure dictates.