Email has been around for a while, and I really do mean a while: it was first conceived back in 1971, by US Defense Advanced Research Projects Agency (DARPA) programmer Ray Tomlinson. Whilst electronic mail services existed in the 1980s, the internet boom of the 90s really added rocket fuel to the solution, delivering 400 million email users by the end of the decade.
An impressive global communication system that united users with incredibly low barriers to adoption for sure, but with every successful thing, some will look to exploit it. Spam, information theft and a range of other attack vectors suddenly became possible at a previously unimaginable scale. Aided by the plethora of leaked personal information delivered via social media and poorly secured web sites, it became increasingly simple to target users.
Even the least technical lay-person probably has personal experiences demonstrating how they were compromised. Password solutions, OAuth, 2 factor authentication and other layers make it better, but fundamentally once inside someone’s email account the access to information is breathtaking. Not just the information contained in the email, but also the access it gives to other systems, and the ability to socially engineer that information from others.
And yet, the willingness to hold onto this form of communication is insanely strong. Despite an array of highly effective solutions that deliver far more effective and dynamic communication between users and groups, there are still those that say, “No, I prefer email.”
These preferences bleed over into real world situations. During some recent mortgage conveyancing, I was more than a little surprised to be told that to share files with my solicitor, I could not use a secure file sharing tool as their insurance would only allow transmission via email. It’s fair to say there was a long pause in the conversation at that point where I mulled the point of explaining why that might be bordering on an insane risk assessment on the part of the insurer, and then thought the better of it. Mostly.
Arguably the widespread adoption of consumer solutions like WhatsApp may be moving the needle, and generations of users are engaging with electronic communication in a totally different way. WhatsApp for users and business, group chat and DMs on Instagram and other social media tools are increasingly the norm, and enterprise collaboration tools like Slack and Teams are commonplace. Ah so then it’s solved, we’ve moved on, right?
Well no, not in a business sense. To my mind the best communication systems are only effective if a wholesale move has been mandated. In most organizations we speak to, even where these communication tools are implemented, the old ones are left online. This multi-channel mix can include everything from email and collaboration, Skype messenger, proprietary e-notification systems, market orientated solutions like Symphony (a finance communication platform), as well as in-tool communication in project management tools and the like.
As a result, if a user wants to reach someone with confidence, and they’re not sure which tool is best, they reach for the lowest common denominator – good ol’ email. Or worse, they send it over multiple channels to cover all bases. In all the confusion, the result is significant noise, inefficiency, lack of auditability, highly unstructured data, and of course an unnecessarily wide range of attack vectors, of which email is most susceptible to attack.
Set the Communication Strategy across the Organization
So, what is to be done? Let’s kill email, for a start. Not entirely, you understand: I’m not so bullish that it would be possible, and I still think email has a place in the mix. It just shouldn’t be the communication for most things. Therefore, to enable a better-thought-out communications strategy without email at its center, organizations need precisely that.
Enterprises need to come up with a communication strategy and make sure their users know it, and work only within it. This is more than just, “should we use Slack and Teams etc,” but a well thought out and consistent way that users should approach how they communicate about a topic, how they share and collaborate on assets related to it, and actions only taken if communicated via the right channels.
Champions are needed to set up and moderate groups/channels. Projects need to be run in for-purpose solutions rather than excel, with users commenting directly on tickets. Asset sharing should be done via these solutions, with ideally secure repositories for the long-term storage of the materials. I know, for a few organizations this may not be rocket science, but many others still live in a world where anything goes, accepting the costs and risks associated with that.
Getting communication strategy right has a multitude of benefits. Enterprises can be far more insightful about the decisions they made at the time, as the information is all in one place. The whole body of information can be more easily found, which can in turn more accurately shape forward strategy. Time wasted working out the, “I was sent that but I don’t remember where,” can be largely eliminated. Delays in users picking up messages and responding are reduced. Users, groups and teams can be kept in the loop far more easily, by communication being filtered at source.
Then there are the range of AI/ML solutions that can augment communication from in-call prompts to workflow triggers. Don’t get me wrong, some teams within organizations do this now, but rarely (I would argue) across an enterprise and beyond. While benefits are broad, risk reduction stands head and shoulders above the rest as an area of significant benefit, and one boards recognize it is worth investing in.
To return to this premise – if users know how to communicate, and particularly where the bulk of such comms are on administrated internal systems, then the opportunities for phishing, link bait and social engineering attacks become far more difficult. The email from the CEO asking you to send an apple gift card is already almost comical, but what if all abnormal communication looked that jarring?
That is not to say that there are not serious implications to designing a secure communication system in how systems connect to each other, privileges to see communication threads and so forth, but at least they are in principle controllable systems, which can send potential breach events to Security Incident and Event Management (SIEM) solutions.
Zooming back a little, a myriad of culture items that might be improved by helping understand both positive and negative communication behaviors, and working with users and teams to improve ‘effective communication’. Given the era of distributed working that we have embarked on, this can only be seen as upside. Today’s users are no longer in the room with each other having casual conversations, building rapport or understanding cultural norms of an organization. Therefore, fostering professional relationships between colleagues can be hugely impactful down the line, when dealing with urgent issues, escalations and personal situations alike.
Now more than ever organizations need to think about internal and external communication, set a strategy and do more than just encourage adoption. This means holding the line with everyone from the new intern, to the CxO member who ‘is a bit old school’. A lofty goal, and likely a journey rather than a lightswitch event. Those that embrace the journey will no doubt gain a strategic advantage in the war for talent and the development of ‘culture’. Organizations concerned about the risks associated with email traffic, and how they might be mitigated, can start with communication strategy and gain a much broader range of benefits at the same time.
Subscribers can read our Radar on Unified Communications as a Service here.