Do you (really) know who sent that email?
How much damage could a single email cause? Just ask Gillian Bridge, who almost lost £400,000 after her solicitors erroneously transferred the long-awaited proceeds from the sale of Bridge's home to a fraudulent bank account. The law firm in question received an email from Bridge's address with instructions to transfer the funds to a different bank, and a clerk duly complied. The problem was that Bridge never sent that email: she was the victim of identity theft.
Email is one of the most innovative business (and personal) communications tools ever invented, yet when it comes to the transfer of sensitive information it falls short. For the determined attacker the reality is that most standard email systems have about as much security as a postcard sent through the mail. But when most people can send an email faster than making a phone call or visiting an office, the security implications are troubling. How can you ensure a third party is not reading the message? How do you confirm with 100 per cent certainty that instructions like a change of banking details are legitimate?
As technology evolves and professional organisations such as law firms, accountants or financial service organisations leverage email and other communication platforms to save time and money, security is a growing concern. Customers need to be able to quickly receive and respond to information, but at the same time remain safe in the knowledge that this information is confidential. Additionally, user authentication is paramount to ensure that important messages (like a change in banking details) are only accepted when they are legitimate.
Put yourself in the shoes of that solicitor's clerk, responsible for processing transactions or requests from customers quickly and efficiently. His or her priority is to ensure work gets done on time, and he or she is unlikely to be trained in information security or fraud detection. He or she receives a client request from a known email address and processes the request before moving on to the next. Should the clerk be accountable for this mix-up, or is it the firm, which hasn't adequately built protection for these scenarios?
Technology may be the answer, but only if it is applied thoughtfully and holistically. You can effectively wrap protection around your business communication using a number of security products and services. However, before that happens, a thorough investigation of all the moving pieces of the business should be the first order of business, to understand where the greatest risks lie and what the best course(s) of action will be.
Gillian Bridge did eventually receive her money, thankfully, but only after a drawn-out process involving a great deal of time, effort and stress on her part. You can be sure the next time she chooses to work with a professional services firm many more questions will be asked.
The moral of this story? In our view, any company that can proactively show its customers exactly how their information and livelihood are being protected will stand head and shoulders above the competition.