The NY Times recently published an article Could Gen Z Free the World from Email. I’m not a member of Generation Z and I just missed the cutoff for Millennial but I can’t agree more – email is the worst form of communication. Putting aside the anxiety it causes, the constant disruption, and the sheer volume of “unreads” that plague your mobile device’s home screen from being free and clear of badge notifications is a more important underlying problem – email is your biggest security risk.
Email is your biggest security risk
Let me explain why:
Lack of Encryption
First off, unless you are a bank, financial institution or you’ve invested in third-party email encryption technology, your emails are not encrypted; they are sent in plain text over the public internet – and if you don’t have proper email security measures like DKIM setup those messages can be intercepted and modified in transit – this is the digital equivalent to someone sending you a letter only to have a threat actor intercept it and change the letter before re-sealing the envelope and then having it delivered to you.
Everyone has Access
Second, everyone has access to it – everyone. Do I mean that anyone can access your emails in your inbox? No. I also don’t mean that anyone can access your email server or hosted email solution. What I mean is that there isn’t a threat actor alive that couldn’t easily find (or guess) your email address and send you a malicious email. There also isn’t a Sales Development Rep or Business Development Rep who couldn’t find it either (thanks to data mining services like ZoomInfo, InsideView, Lusha, D&B, etc.), who accidentally clicked on a phishing link yesterday, infected his machine with CryptoLocker, and is now sending you that same CryptoLocker link – also accidentally. Think I’m kidding? Just look at how crowded the Sales Intelligence G2 grid is.
Anyone can send you an email at any time and it can contain any number of malicious threats; phishing, viruses, malware, trojans, etc.
Calendar Invites
Because everyone has access to it what has been happening more recently is unwanted calendar invites. Your calendar (Google Calendar, Outlook Calendar, etc.) automatically adds a tentative meeting when it receives a meeting request by email. So, anyone can just plop random calendar invites onto your calendar – and these can include malicious links or attachments too!
Attachments
Which leads me to my last point – attachments. Email was never meant to be a file transfer protocol (FTP) but it became one – and anyone can send you any attachment (granted many popular executable extensions are blocked by default – but that’s easy to get around). As a result people sling files back and forth via email and unknowingly download threats that come through this threat vector.
Most Domains Lack Basic Security
Proper email security starts with setting up a slew of DNS records. Records for SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), DMARC (Domain-based Message Authentication, Reporting & Conformance), TLS reporting, MTA-STS (SMTP Mail Transfer Agent Strict Transport Security), DNSSEC (Domain Name System Security Extensions), and the new BIMI (Brand Indicator Message Identification) record – which requires a fully enforced DMARC policy are the security measures available to domain owners. However, according to a recent study, only 14% of all domains have a properly enforced DMARC policy (which requires both SPF and DKIM to be setup properly first). Said another way, 86% of domains lack these basic email security standards leaving them susceptible to spoofing, phishing and other threats.
Adding an email security gateway (from Mimecast, Barracuda, Proofpoint, etc.) that scans email for malicious content and attachments and prevents them from being delivered to your inbox is also an additional security measure that can be taken. This is usually only seen at the enterprise level, however many Managed Service Providers (MSPs) do provide this service to their customers as well. There are also reverse proxy solutions (from companies like Zscaler) that will trap the request to a botnet or malicious site before it completes but, again, this is a technology usually only seen used at the enterprise level.
Make no mistake, these measures are not easy to setup. Something like DMARC can take months, or even over a year, to properly setup due to all of the prerequisites and none of these solve the problem that everyone can access you via email. Threat actors will always find new ways around these measures. If you’re someone who (can) check their personal email on their work device (and do so), you’re introducing an unmanaged. threat vector and none of the security measures above apply. According to Verizon’s 2021 Data Breach Investigations Report (DBIR), 43% of breaches involved phishing – that’s email, and that’s just phishing – 67% of all ransomware deployments were via email as well.
So what are the alternatives?
As the article states, most Gen Z prefer Google Docs, iMessage, and Zoom. The one thing that all three of these applications have in common is chat functionality.
Slack is the dominant chat player (and they will be offended by the fact that I referred to them as such as they are so much more, but at the most basic level that’s what they are) and has been trying to kill email since its inception and Slack Connect might be the way to do it. However, this is ripe with security issues and gives CISOs and CIOs alike a different kind of anxiety because, by default, any user can invite any other Slack user – a governance nightmare.
However, the problem is that until Slack kills email (or something else does), having to check email and chat (and receive notifications for both) actually increases the amount of disruption, effectively doubling it!
The most simplistic solution may be the best solution.
The most simplistic solution may be the best solution and that is to alter our use of text messaging. As noted in the article, giving out your personal mobile number can destroy your work life balance. However, using a service like Google Voice or Dialpad to get a business phone number (or just an alternate phone number) that has texting capabilities (harder to do outside the US in Europe and other countries mind you) in an app that works across your devices enables you to have that work-life balance. I’ve been using one for years to keep from giving out my personal mobile number to anyone that’s not a close personal contact.
Until email is dead, here are some are some tips to help manage email more effectively:
1. Turn off Notifications
The only thing that gives me more anxiety than email banner notifications on my mobile device is the constant sound that goes along with it. Turn off email notifications on your your mobile device as well as your computer. Check email on your time and have pre-determined times or pre-determined intervals that you check, and respond, to emails.
2. Separate Church and State
Don’t use your work email for personal use and vice versa. Have a separate email that all your Netflix suggestions and personal communication goes to will help insure that you can focus on just checking the work email and not waste time sifting through, classifying, or deleting personal email. Having a separate account will also allow you to completely disable it when you need to – this is helpful when you’re going on holiday/vacation and want to completely disconnect from work but still need your personal email to lookup your hotel confirmation number.
Bonus Tip: Don’t add your personal email account on your work device. This is not only a huge security issue – as it introduces another unmanaged threat vector – but it is also a privacy issue (your company could see all your personal email depending on what and how they monitor the device) as well as a legal issue – any data stored on that work laptop could be subject to discovery – this is also why you probably shouldn’t log into your personal iMessage account or personal WhatsApp account on your work device (those messages are stored as files on the device and the iMessages aren’t encrypted…).
3. External Email Only
If I started another company this would be top on my culture building list. Until there is a better solution available email would be used for communicating externally only – meaning with customers, vendors, or partners. Any internal communication would be done through an instant messaging platform, be that Slack, Google Chat, WhatsApp, Dialpad, etc.
Even if this is not your company’s policy you can still employ it. If someone internally sends you an email, reply on instant messenger. Remember Tip #1 and have set times when you will check email – this makes your replies take longer, so make sure you respond more timely on chat. This will help re-train the behavior of those that interact with you. Over time they will realize that reaching you on chat is the fastest way to get a response and will default to that.
If you look at what Google has been doing with Google Workspace, they have been attempting to merge the mail application with the chat, video, and collaboration applications; both on mobile and web. According to the 2020 study, as referenced in the NY Time article, by Creative Strategies, Google Docs was ranked as the app most associated with collaboration for Gen Z. You can now respond to comments in Google Docs from your email and directly access chat and video without leaving the mail application. In addition, you can add external companies and contacts to Google Chat much like you can do with Slack Connect. They’ve also had Google Voice since it was they acquired Grand Central (for those of you who remember that); an innovator in the space. Maybe Google will surprise us with a solution to this problem.
