Microsoft’s Outlook.com service suffered a major breach earlier this year. The compromise allowed hackers to potentially access user email accounts, and that was the case for more than six months. This news was no shocker. Outlook has always been, and continues to be a perennial target.
Saying that email is a major service of the Internet is a bit like saying Donald Trump doesn’t like CNN. Email is foundational. In fact, it pre-dates the Internet by decades. (Lest we forget, the first email was sent in 1971).
It’s this familiarity and this reliance on email that has made it the target of choice for hackers, and with that a major liability for businesses and consumers alike. If you think social media networks and data mining organizations have juicy digital assets, consider for a moment the El Dorado of information transmitted daily via email, ranging from intimate correspondences to tax information, travel plans, financial transactions, photos, and shopping lists to real-time data on a user’s emotional state and how their important relationships are going.
Because email isn’t deleted from most servers by default, this target-rich digital information environment is often accessible to anyone with a login and password–something that is regularly served up to hackers by the billions.
The cybersecurity threat posed by email isn’t limited to sensitive data sitting passively on account servers. Email is the preferred tool hackers use to access their targets’ networks: 83% of organizations reported phishing attacks in 2018, up from 76% in 2017. Fully two thirds of malware is installed by clicking on an email attachment.
“Just Because” Isn’t a Good Answer
It’s not an original thought to say that email is problematic, or that a replacement of some sort would be welcome. Its obsolescence, if not demise, has been predicted repeatedly over the years. A murderers’ row of newer technologies like SharePoint, Slack, Skype, Messenger, and many, many others have seemed like contenders, but email still dominates in the realm of communication.
True story: The Internet was not made with security in mind. It was made to communicate fast. While the underlying structures seem naïve, none of it was designed for the general public. Domain names were initially intended as a means of identifying remote academic, military, and government locations. Their corresponding numerical (IP) addresses were limited to roughly 4 billion possible variations. That was more than enough for every single person on the planet at the time of its creation. That this structure didn’t anticipate the rise of Internet-enabled telephones, vacuum cleaners, nuclear reactors, or personal assistants is as much a part of the problem as the fact that they didn’t anticipate every small-time crook switching from convenience store stick-ups and smash and dash crimes to the much less risky practice of email phishing campaigns with the cornucopia of identity-related crimes made possible by them.
Email has none of the strings-attached vibe that the Mark Zuckerbergs of the world have attached to our information, no terms and conditions or privacy policies subject to change, and it doesn’t rely on any specific hardware or software to be able to access it as a service. Looking at its liabilities without understanding its appeal is one of the key factors that has made it a communication mainstay, seemingly against all odds and to the consternation of IT departments around the world.
In this way, email is an object lesson in the cybersecurity quagmire: We’re over-reliant on the idea of technology providing a silver bullet instead of changing our behavior. No Slack or Messenger or any other killer app is going to solve the email problem (although traffic may continue to migrate from email to other modes of communication). The only thing that will change the situation, Yogi Berra might have said, is to change the situation. Meanwhile, he did say this: “If the world were perfect, it wouldn’t be.”
This article originally appeared on Inc.com.
