Email was not designed to be secure

We have such a misguided perspective of email and email function. We send emails, expecting them to be instantaneous-to arrive with immediate effect. Many of us have experienced email behaving in this way and because of this we know no different. This is not how email was designed to function.

Looking back, over a decade, email practice was designed to support servers with intermittent connectivity and can be described as ‘store and forward’. It was not uncommon for email to take a substantial amount of time to be delivered. That being said email was stored and then forwarded on to the recipient resulting in emails being dispersed across the internet.

Although we now have the expectation for immediate emails, it is not always the case. Incidents do occur where emails are delayed, maybe going unnoticed, where email delivery is temporarily halted. In such cases the emails are stored until delivery can take place. This is more noticeable when bulk email is sent compared to a single email delivery. It is important to be mindful that just because the delay may be overlooked, it does not mean that it did not happen.

The apprehension is that these stored emails are exposed when not properly secured. Our perception of email is skewed, so many of us do not realise that this vulnerability even exists and therefore do not take the necessary actions to avert it.

Moreover, email is being stored on devices that are not in our control and most emails (over 99%) are stored in clear text leaving the emails exposed and vulnerable. Encryption tools, play a part in protecting the email and its content.

Awareness plays a fundamental part in securing our data. Without this awareness, people will continue to assume that their emails behave in a manner similar to that of instant messaging and any risk will continue to go unnoticed. We must take responsibility for our data security and this includes our email and their content. The integrity and value attributed to our data is mounting. Something must be done to achieve the needed security within a practice that did not have security at the forefront of its design.