Email isn't secure but it's here to stay, says Websense information security officer

People dislike email but businesses are stuck with it, Neil Thacker tells Computing's Enterprise Security and Risk Management Summit

Email isn't a "secure method for communicating at all" but it's so engrained in the language of business that it's here to stay, and will carry on leaving holes for hackers and cyber criminals to exploit with phishing scams and other malicious attacks.

That's what Neil Thacker, information security and strategy officer EMEA for Websense, told the audience at Computing's Enterprise Security and Risk Management Summit 2014 today.

"With your security hat on, who dislikes email?," he asked attendees during his presentation, titled "Protecting against phishing and social engineering techniques". "Everybody. Email is a really, really basic protocol, it has lots of vulnerabilities and it isn't a secure method for communicating at all.

"We've known that for many, many years and have tried to fix it with things that haven't really been successful, that haven't been good enough to verify emails that are coming into an organisation, because there are ways around it.

"There are always ways around these things, so you can't really rely on email as a secure method of communication," he added.

Despite its security weaknesses, email remains the number one way of communicating in the corporate world, he said.

"Working in businesses we have to talk to people and communicate but the unfortunate thing is people use email, I use email. I don't like it, but I do like people, therefore I have to use email," said Thacker.

"Bad people use email, we dislike bad people, but unfortunately bad people with email are here to stay, so we have to look at our controls, our counter measures, to make sure email is a secure tool," he said.

Thacker said organisations and security firms are examining ways of making email more secure, but they're struggling.

"At the moment a threat model scenario is being built, looking at threat logging the internet and looking at protocols and emails being sent to you. But until that happens and you actually fix these kind of things, we're still struggling with how we'll protect email," he said.