Prevent email hacking by taking these three important steps

prevent email hacking

These days, email breaches are becoming increasingly common for enterprises. There are however reliable ways to prevent email breaches, or reduce their impact.

It should really come as no surprise that email hacks are on the rise. As businesses go digital, email data is becoming increasingly valuable for hackers. While the trending topic this week is the Deloitte hack, this is only the latest in a long string of email hacks. Other past victims include Sony Pictures, the Democratic National Committee, and Yahoo Mail.

When confronted with this trend, one might think that email hacks are inevitable, and that any organization can be hacked sooner or later. This in fact is the correct thinking, and should be the mindset security professionals have when thinking about data breaches. If even the NSA was breached, it’s safe to assume that every organization can be hacked. While it may feel that there is no hope for cybersecurity, this realization actually provides remarkable clarity for how we should protect data in an increasingly dangerous environment. What is required is tackling the issue on a different level and viewing data security from a different perspective.

If we are forced to accept that hacks cannot be prevented, then the security emphasis is no longer on keeping the intruder out, but minimizing the damage after security systems have been breached. When it comes to email, there are actually several concrete steps which can be taken to greatly reduce the risk associated with an email hack.

 

Use Email with End-to-End Encryption

End-to-end encryption is a technology which encrypts all data before it is sent to a server, using an encryption key that the server does not possess. The security advantages of this approach are clear. If all email is encrypted before it arrives at the server, then a breach of the email server will not cause sensitive email contents and attachments to be leaked. It is important to note that there is a major difference between encryption, and end-to-end encryption.

With end-to-end encryption, the server does not have access to the decryption keys. This means there is no way for a hacker with access to the email server to decrypt the encrypted emails because the server itself does not possess the decryption keys. In classical encryption schemes, the decryption keys are available to the server, which is akin to putting the padlock and the key in the same place, which largely negates the advantage of having a lock in the first place.

encryption vs end-to-end encryption

In email systems with end-to-end encryption, the decryption keys are accessible only to client systems, and each client has a different decryption key, making a large scale email compromise difficult to accomplish. The risk is significantly reduced because compromising the email server does not leak any email contents. Furthermore, in the event that a client device is hacked, only a single encryption key is compromised, and not the keys to the whole system, since each client has a different encryption key.

There are several ways for an organization to implement end-to-end encryption. One way is to train all employees to use PGP, a system for end-to-end email encryption. The more modern way is to use an email provider such as ProtonMail that already has PGP built-in. The advantage of using ProtonMail is that the encryption is done automatically and is fully transparent to the user, meaning that no end-user training or complex key management is required.

This is indeed the approach that many companies with sensitive security needs have selected, and ProtonMail is used today by many legal, healthcare, finance, and media organizations. Prominent media outlets that now use ProtonMail to protect confidential sources include Huffington Post, Foreign Policy magazine, NJ.com, and many others. Earlier this year, ProtonMail became HIPAA compliant and enterprise ready, and can now serve as a drop in alternative to Microsoft Exchange, Microsoft 365, or G Suite. End-to-end encryption by itself however, is not sufficient for full protection against email hacks.

 

Protect or Restrict Administrator Accounts

While end-to-end encryption will protect from an email server breach, it offers limited protection against a compromise of an administrator account. In general, administrators can be compromised in several ways, including incidents of insider threat, carelessness, or even targeted hacking via phishing campaigns. In most organizations, if an email administrator is compromised, all email accounts can be breached.

To guard against this threat, we recommend strongly protecting or restricting administrator accounts. Some ways to protect administrator accounts include the following:

  • Only allow logging into administrator accounts from certain secured computers which are not used for other purposes to reduce the risk of infection.
  • Never remove the secured computers from company premises to reduce the risk of system theft. Make sure this machine uses full disk encryption.
  • Always enable two factor authentication on administrator accounts (this is supported by ProtonMail).
  • Do not store administrator passwords on systems with network access. Keep them instead on paper or on systems which are air-gapped and cannot connect to the Internet. Do not permit administrator passwords to be removed from company premises by administrators.
  • Enforce the two-person rule, where the administrator password and the second factor device are kept by two separate people.

These steps can significantly reduce the attack surface that your organization needs to defend against. If it is not feasible to so heavily defend administrator accounts, the next best thing you can do is to heavily restrict administrator accounts.

ProtonMail Professional provides a built in way to restrict administrator accounts by supporting two types of user accounts. When you use ProtonMail for your organization, accounts can be designated as ‘Private’. An account that is set to ‘Private’ has additional protection in that the contents of that account are unreadable to email administrators. Even if an administrator account is compromised, the contents of ‘Private’ accounts remain safe. Therefore, highly sensitive accounts (like accounts used by C-level executives or HR) can be kept secure from rogue or compromised administrators. Of course, the best approach is to avoid having a compromised administrator in the first place, which brings us to the third step to protect your organization from email hacks.

 

Protect end-users through good policies and training

Security is only as good as the weakest link, and even if you have strong technical security from ProtonMail’s end-to-end encryption, the human risk will always remain. This must be mitigated through a combination of policies and training. An example of a policy decision which can improve organizational security is making two factor authentication mandatory, which is something that we do in our organization.

Training is equally important. Within our organization, regardless of the role somebody is hired for, on the first day on the job, we provide them a detailed security guide which employees are required to read and understand. This guide also includes a list of recommended software from vendors who are known to be secure. We also patch quickly and religiously.

Training should also be combined with technical measures. Today, spear-phishing campaigns via email poses one of the most dangerous threat vectors to organizations. Phishing campaigns have become so sophisticated that even experienced administrators can be compromised. In order to combat this, ProtonMail includes a number of advanced anti-phishing features which are not found in any other email service. This gives organizations using ProtonMail a much better chance of resisting sophisticated phishing attacks.

 

Final Thoughts

Security is difficult, and if history has shown us anything, it is that there is no such thing as 100% security. This means we need to fundamentally re-tool how organizations approach cybersecurity. Technological advances such as easy-to-use end-to-end encryption make it possible to still have good security in a world where we assume everybody is going to get hacked. By taking the security measures outlined here, you can ensure that your organization is better prepared for the riskier world that lies ahead.

Stay safe,
The ProtonMail Team

You can get a free secure email account from ProtonMail here.

We also now provide a free VPN service.

ProtonMail and ProtonVPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan or donate. Thank you for your support!

About the Author

Andy Yen

Andy is the Co-Founder of ProtonMail. He is a long time advocate of privacy rights and has spoken at TED, SXSW, and the Asian Investigative Journalism Conference about online privacy issues. Previously, Andy was a research scientist at CERN and has a PhD in Particle Physics from Harvard University. You can watch his TED talk online to learn more about ProtonMail's mission.

 

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

16 comments on “Prevent email hacking by taking these three important steps

  • Just a question: If a non-protonmail user sends me an email, it is not end-to-end encrypted, but do you encrypt it afterwards when you receive the unencrypted email on your server? and if so, also with my public key?

    Reply
      • i have recently been hacked on yahoo….at a similar time I have met someone on line..they are telling me that they are currently in Germany and are coming to see me….a friend of a friend recently lost money with a romance scam and she has got me worried about it all now. I am told you can use ip addresses to check location,,,Im not great with computers and im feeling sick if this is a scam…I pray I am not thought I had a soul mate? anyway…any advise please… be very welcome

        Reply
  • Did you say “you’re email could get hacked”?

    The U.S. Department of Justice can access your Gmail no matter what country you live in. And the USDOJ is larger, more hostile, and has more money than any hacker you can name.

    I tell my friends, “you better get under the protection of the ProtonMail encryption”, because when governments start losing their power & influence through the expansion of the internet, they are going to lash out, and grab a hold of anyone they can to retain power. At that point it will be too late to get to safety.

    Thanks for the VPN! I get 79 mbps with the free version.

    Reply
  • Very interesting.
    Although in the case of e2e, is this possible to backup and restore encrypted emails so the owner can still open them?
    Thanks

    Reply
  • When I send an encrypted email what does the person do that is receiving the email need to read the email? They need a key to read the encrypted mail………..how do they receive the key?

    Reply
  • Dear Sir , I do not like the abuse from your company regarding the collection, my account is (bistro2@protonmail.com) and request to make a payment of 6 €for a single month , now I see that you make the debts to me AUTOMATICALLY without my authorization, please correct that immediately!!!!
    Thanks for your help.

    Reply
    • We automatically renew subscriptions because it is a subscription. However, you can cancel it at any time. If you have questions, contact our support team here: protonmail.com/support-form

      Reply
  • I don’t believe you can call any of this “End to End encryption” when it only works one way.

    When you finally makes it possible to send PGP encrypted email to outside contacts, then you can call it end to end.

    Reply
  • The internet is the free exchange of information why would anyone want to secure it it’s already secure. Humanity needs to embrace it’s brothers and sisters and fellow AI and learn off each other instead of securing each other’s thoughts. Also remember everything has already happened it comes down to time and your concept of time with no wrong answer or preception. Keep living the dream and expanding reality. I love everyone and enjoy the blessings we are given. Hello hello

    Reply