It’s not just Hillary: Everyone’s “Extremely Careless”
In light of 24/7 global coverage of email scandals — most recently involving Hillary Clinton and the Democratic National Committee — Fortune 500 security execs must be all over this whole email security problem, right?
In my role as founder of Inky, a purveyor of secure email solutions, I regularly talk with C-level executives about computer and network security. The dirty little secret is that, of all the Fortune 500 companies I’ve spoken with, exactly one — a defense contractor — routinely sends encrypted email. The number that encrypt every email exchanged between their employees? Zero.
One household-name investment firm I spoke with has no facility at all in place for encrypting mail sent from mobile devices. As a “matter of policy,” their employees are instructed to send Personally Identifiable Information — what security wonks call “PII” — only from desktops, using a cumbersome web portal for encryption. I’m sure no one ever violates that policy. Just like no government official ever sends sensitive material from a personal Gmail account — to do so would violate policy!
The FBI recently released stats on the staggering scale of just one aspect of this problem: so-called “spear phishing” attacks that rely on email forgery have cost U.S. companies three billion dollars since 2013 — and that’s just from the reported incidents.
The typical ruse is an email from “your CFO” asking that money be wired immediately. Of course, it isn’t actually your CFO. It’s a forged message, and the wire instructions lead to an organized crime bank account. But it looks exactly like an email from your CFO — sometimes even down to mimicry of his or her personal salutation and closing. “Team: … Brgds, Phil”
State actors, too, use this “vector” (as it’s known in security argot). Spy agencies find it handy for installing malware on companies’ internal networks so they can look around freely and exfiltrate any juicy intellectual property they come across — all because a single employee opened an email with a booby-trapped Excel attachment sent “from the CFO.”
A major insurer told me they pay for five different “solutions” to their growing phishing problem — including a “training program” that generates fake mails to employees to see how many get opened… to quantitatively measure how gullible employees still are, I guess? Never mind that none of these “solutions” actually solves anything: rather than prevent email forgery, most simply eyeball each message to see if it “looks” phishy. This kind of guessing game approach isn’t — and can’t ever be — a sure thing.
What makes the slow-motion catastrophe around email security so absurd is that the technology to truly prevent all of this has been around since the late 1990s. Around the same time Amazon still needed to convince you it was safe to use your credit card online, Internet standards bodies were putting the finishing touches on detailed guidelines for how to implement fully interoperable encrypted and digitally signed email.
The details are complicated, as usual, but at a high level it’s simple: encryption provides complete confidentiality from everyone but the intended recipients, and digital signing prevents forgery. When used “end-to-end” — where every individual user has his or her own encryption and signing keys — these two measures completely eliminate the lion’s share of email security problems.
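To make the "signing prevents forgery" point concrete, here is an added example (not code from the article or from Inky) that plays out the CFO wire ruse with per-user signing keys. It uses raw Ed25519 signatures from Go's standard library rather than the interoperable S/MIME or OpenPGP formats the article alludes to; the names, addresses, wire amounts and account numbers are constructed, and the recipient is assumed to already hold the CFO's trusted public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// canonical builds the exact bytes that get signed: the headers a recipient
// relies on plus the body, so changing any of them invalidates the signature.
func canonical(from, subject, body string) []byte {
	return []byte("From: " + from + "\r\nSubject: " + subject + "\r\n\r\n" + body)
}

// Sign produces the sender's signature over a message with the sender's private key.
func Sign(priv ed25519.PrivateKey, from, subject, body string) []byte {
	return ed25519.Sign(priv, canonical(from, subject, body))
}

// Verify checks a message against the public key the recipient trusts for that
// sender (in a real deployment this comes from a directory or certificate;
// here it is simply passed in).
func Verify(pub ed25519.PublicKey, from, subject, body string, sig []byte) bool {
	return ed25519.Verify(pub, canonical(from, subject, body), sig)
}

// Scenario plays out three cases: the real CFO's mail, the same mail with the
// wire instructions altered, and a forged mail from an attacker who never had
// the CFO's signing key. Returns (genuineOK, tamperedOK, forgedOK).
func Scenario() (bool, bool, bool) {
	cfoPub, cfoPriv, _ := ed25519.GenerateKey(rand.Reader) // the real CFO's key pair
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // the attacker's own key
	from, subject := "phil@example.com", "Urgent wire"
	body := "Team: please wire $250,000 to account 1111-2222 today. Brgds, Phil" // constructed
	sig := Sign(cfoPriv, from, subject, body)
	genuine := Verify(cfoPub, from, subject, body, sig)
	tampered := Verify(cfoPub, from, subject,
		"Team: please wire $250,000 to account 9999-8888 today. Brgds, Phil", sig)
	forgedSig := Sign(attackerPriv, from, subject, body)
	forged := Verify(cfoPub, from, subject, body, forgedSig)
	return genuine, tampered, forged
}

func main() {
	g, t, f := Scenario()
	fmt.Printf("genuine=%v tampered=%v forged=%v\n", g, t, f) // genuine=true tampered=false forged=false
}
```

Only the message signed with the CFO's own key verifies; the altered account number and the attacker's look-alike both fail, which is the check a mail client performs before it shows the message as authentic.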
What’s even more outrageous is that this stuff is already baked into Microsoft Outlook, IBM Notes, and Apple Mail — the three email clients that dominate corporate communications.
So why doesn’t anybody use this ounce of prevention? In short, because it’s a pain. Said defense contractor likely has dozens of staff devoted to coping with the complicated infrastructure that manages and distributes the encryption keys to their employees. Most companies outside the defense sector don’t even know where to start with this stuff. And, of course, nobody wants to break the boss’s email.
My own company’s product, Inky, eliminates all this complexity — employees and IT staff don’t even have to know they’re sending 100% encrypted email — but frankly even that hasn’t been enough to motivate a mass migration to ubiquitous encryption.
In my personal experience most organizations remain dedicated to the same old “whack-a-mole” game of tracking specific threats and countering them — treating the symptoms rather than underlying diseases. This Excel file is malware — so make sure we block it! That PDF has a new zero-day exploit — add its signature to the database of a billion known pieces of malware so it won’t get through again! These are band-aid measures that skirt the real issue that our email infrastructure is cancerous and needs a strong dose of cryptographic chemotherapy.
Frankly, FBI Director Comey’s assessment of Secretary Clinton’s failure to encrypt her emails as “extremely careless” applies in equal measure to the entire Fortune 500. (If I’ve missed one that does encrypt all their email end-to-end, let me know; I’m firstname.lastname@example.org.)
Until Fortune 500 leaders start to take this problem seriously, plain old boring email will remain the number one attack vector through which their companies continue to be exploited. And the headlines will keep coming.
But don’t feel bad, Fortune 500s! The entire Congress — including the very same folks calling for Hillary to be prosecuted for email security negligence — is sending email without end-to-end encryption too.