Have you heard the one about the lady and the email?
A lady walks into a police station.
“I would like to report a crime. My identity has been stolen and is being used to commit crimes. I have read on the web that an international gang has done this. Can you please send the police around to these people and arrest them?”
The police constable behind the counter looks perplexed: cyber crime is on the rise and it’s not local.
Police jurisdiction further complicates the issue. He advises her to report the crime online at Action Fraud.
We have to face facts. We have an international crime problem but a local police force. This won’t change in the near term so what more can be done? For a start we can do more to protect ourselves and be more diligent.
Education has to be a priority
Email has been around for over 30 years in the form of SMTP and for 30 years it has been insecure. Why has this been allowed to persist for so long?
The security industry is well aware of its shortfalls. You try and find anyone involved in formal IT security work who would send confidential information across the internet.
The Government would not be allowed to do it by CESG and, in fact, they have their GSI, so they don’t need to. This way, the security people are sorted and the government is sorted.
Then we have the Information Commissioner. He is part of government, so he is sorted, but only makes recommendations and guidelines for the rest.
The FSA did push for email encryption for the industry it regulated. So they were sorted.
But what about the rest of us?
This pull-up-the-drawbridge attitude seems remarkable. Those in the know are largely sorted, the rest are exposed to some serious risks. Couple this with the almost addiction level of email in society and especially in business and you get a real mess.
So what is going on?
My experience leads me to believe that we have a two-fold problem. The first is that the IT industry has solved most end-user security problems. Anti-virus is now installed on every machine as default, firewalls are in place in the operating systems and the ADSL routers and SSL is on nearly every transaction-based web site.
This leaves the majority of non-IT-savvy users exposed because they simply do not know that their email is a risk. Why would they? Why would the IT industry solve all the other problems and leave that one open? This false sense of security is going to take a long time to break.
The second issue is the tools available. PGP and PKI are simply beyond the average user’s capability. Most would not know what a digital certificate was, let alone how to get one, install one and share the public key.
Document exchange technologies that purport to be email are too cumbersome and the user base just won’t adopt such processes. In short, to date, the tools to sort the problem have been too difficult to use by the mass market.
But things are changing. New tools are coming on to the market. They are simple to use and adoptable for the mass market.
So why is the world not changing?
It is. Slowly. So it is going to need a nudge. There are three steps to getting an organisation to put in email protection:
- They must accept that email is insecure
- They must see it as a priority to sort
- There must be viable usable tools to solve the problem
12 months ago the legal sector probably had not grasped stage 1. Most now are at stage 2 and the tools are available, which sorts stage 3.
Media pressure is helping the education process, but it’s not enough. Email providers (of all sizes) simply ignore this problem and continue to sell insecure email solutions. This has to stop. The end users cannot be relied upon to sort this out. History shows with anti-virus, firewalls and SSL, that if people are left to their own devices, the issue will not get sorted. Why is it not standard now to sell a cloud email account with already built-in (or at least option of) email encryption?
This has to change soon and the IT industry needs to step up and stop selling insecure solutions. Period.
Simon Freeman
CEO of Fresh Skies Ltd www.freshskies.com
To report identity theft or other types of cyber crime, go to actionfraud.police.uk or call 0300 123 2040.