Bringing Email Security into the Mainstream: A Call to Action for Companies
In the face of escalating cyber threats, email security is emerging as a crucial battleground for businesses of all sizes. The eco Association’s Michael Weirich urges companies to elevate their defenses and explains how they can fortify their digital communications against increasingly sophisticated attacks.
In today’s digital landscape, email security is more important than ever before. With an estimated 250 million emails sent and received globally every single minute, email is one of the most widely used communication channels. It is also one of the easiest to use, both for companies and their customers. As cyber threats continue to evolve, businesses must adapt to protect themselves. In Germany alone, cybercrime cost 206 billion Euros in 2023, with phishing accounting for 31% of attacks.
Despite its importance, email security is often not given the attention it deserves within companies, especially smaller ones. A key step towards changing this is mainstreaming the topic and making it part of everyday corporate culture. This can be achieved through targeted initiatives, such as eco’s new Initiative for Secure Email, awareness training, and the implementation of well-established security technologies.
Why email security must be prioritized
The prevalence of email-based attacks, such as phishing, makes it clear that businesses need to improve their defenses. The latest German Federal Office for Information Security (BSI) report on “The State of IT Security in Germany” highlights that phishing emails have become harder to detect. In a panel discussion at the Internet Security Days in September 2024, Florian Bierhoff of the BSI pointed out, “Phishing emails are now carefully crafted, using publicly available information to send deceptive and almost indistinguishable emails.” With attackers crafting increasingly convincing emails, the stakes are higher than ever, and new threats such as AI-generated emails are on the horizon.
Claudia Plattner, President of the BSI, said in her keynote speech at the Internet Security Days, “Cybersecurity must be approached as a national responsibility that involves every stakeholder, from policymakers to private citizens.(…) The success of this effort depends on collaboration between government, businesses, and tech providers. Together, we can safeguard not just our email systems, but also the critical infrastructure and sensitive data that underpin modern society.” In her article Enhancing Email Security: A Collective Responsibility in this issue of dotmagazine, she points out that – while outdated email systems continue to expose vulnerabilities – the tools to strengthen our digital communications are already there and need to be implemented across the board.
It is not just state institutions and municipalities that are being increasingly targeted by cybercriminals. Email security is no longer just for large companies, but is increasingly critical for small and medium-sized enterprises (SMEs) without the resources or knowledge to recognize and protect against such attacks.
Charline Kappes from Sosafe GmbH echoed this sentiment in the September panel discussion, pointing out how easy it is for attackers to gather information and craft personalized phishing emails. She explained, “It’s incredibly easy to find someone’s email address using publicly available information, making it an accessible entry point for attackers.” This highlights the pressing need for companies to heighten their awareness and protective measures.
Empowering organizations with technical solutions
To enhance email security, several key technologies must be implemented. Sender authentication is crucial: Sender Policy Framework (SPF) lets domain owners publish in DNS which servers may send email on their behalf, so that a receiving server can check the origin of an incoming message. DomainKeys Identified Mail (DKIM) lets the sending server sign each message with a private key whose public counterpart is published in DNS, allowing recipients to verify that the message is unchanged and genuinely from the signing domain. Domain-based Message Authentication, Reporting & Conformance (DMARC) builds on both: it ties the SPF and DKIM results to the sender domain the recipient sees, gives receivers clear handling instructions for mail that fails authentication (monitor, quarantine or reject), and tells them where to send reports about such mail.
Another vital technology is DNS-based Authentication of Named Entities (DANE), which lets a sending mail server verify the receiving server’s TLS certificate against a DNSSEC-signed TLSA record, so that the encrypted connection between email servers cannot be silently downgraded or intercepted. TLS/SSL certificates establish the encrypted links for data transfer, while S/MIME certificates secure the email content itself by encrypting it and adding a digital signature that verifies the sender’s identity.
Most of these protocols have been around for over a decade. As Jochen Schönweiß from Nameshield GmbH put it, “It’s hardly rocket science. These technologies have been around for many years, but their implementation remains alarmingly low, even though they should have been the standard long ago.” As he shares in his article on DMARC and BIMI in this issue, a 2024 Nameshield study focusing on the 100 largest e-commerce companies in Germany revealed that 45% of companies do not have a sufficiently strict DMARC implementation. Particularly concerning is that 23% of companies do not receive reports on potential attacks. This means they cannot even see potential threats.
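The two gaps the Nameshield study counts, a DMARC policy that is not strict enough and a domain that receives no reports, can be checked directly from a domain's DMARC TXT record. The following is an added example, not code from eco, the BSI or Nameshield; the sample records are constructed, and what counts as "strict" (quarantine or reject, applied to 100% of mail, subdomains not exempted) is this example's own assumption.

```python
from dataclasses import dataclass, field

@dataclass
class DmarcAssessment:
    policy: str             # p= tag: none, quarantine or reject
    subdomain_policy: str   # sp= tag, defaults to the value of p=
    pct: int                # share of failing mail the policy is applied to
    receives_reports: bool  # at least one rua= aggregate-report address
    strict: bool            # assumption: quarantine/reject at pct=100, sp not none
    findings: list = field(default_factory=list)

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        if not (part := part.strip()):
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC1 record (v= and p= are required)")
    return tags

def assess_dmarc(record: str) -> DmarcAssessment:
    """Report the gaps that let spoofed mail through or leave it unnoticed."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    sub_policy = tags.get("sp", policy).lower()
    pct = int(tags.get("pct", "100"))
    receives_reports = bool(tags.get("rua", "").strip())
    findings = []
    if policy == "none":
        findings.append("p=none: spoofed mail is only monitored, never blocked")
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains are left unprotected")
    if not receives_reports:
        findings.append("no rua= address: aggregate reports are never received")
    strict = policy in ("quarantine", "reject") and pct == 100 and sub_policy != "none"
    return DmarcAssessment(policy, sub_policy, pct, receives_reports, strict, findings)

# Constructed sample records, not any real domain's data
SAMPLES = {
    "good": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
    "monitor_only": "v=DMARC1; p=none",
    "leaky": "v=DMARC1; p=quarantine; pct=25; sp=none; rua=mailto:r@example.com",
}
```

In practice the record is fetched from the `_dmarc.<domain>` TXT entry in DNS before being passed to `assess_dmarc`.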
While large corporations often have the resources and expertise to implement robust cybersecurity, Schönweiß points out that smaller businesses are more vulnerable. “Many SMEs lack the resources for comprehensive IT security, making them easy targets for phishing attacks.” This disparity calls for targeted support and awareness campaigns tailored to SMEs, particularly in markets like Germany, where SMEs dominate the economy.
Building awareness: A collaborative effort
At the panel discussion at the Internet Security Days in September 2024, André Görmer from Mapp Digital Germany GmbH stressed that companies need to show measurable results when implementing email security protocols and standards. He stated, “The real challenge lies in turning guidelines into action within organizations. It’s not just about reading security policies; it’s about implementation and delivering tangible security improvements.”
Charline Kappes highlighted the human factor in email security, underlining the importance of training employees to identify phishing emails. “It’s unrealistic to expect that no employee will ever receive a harmful email, but it’s crucial to teach them how to recognize and report suspicious emails.” She called for the active involvement of management to create a culture of security awareness. While technology can help, the human element is critical in maintaining security. Kappes emphasized involving company leadership to set an example, stating, “Leaders need to integrate email security into the workday and be role models who live these security measures.”
To make email security mainstream in companies, it’s essential to engage key stakeholders, including management, IT teams, and employees. Bierhoff also mentioned the importance of involving leadership in promoting secure email practices. One of the next steps for the BSI is creating informational materials specifically for management. “The Technical Guidelines are well-received by IT departments, but we need more support from top management to push these measures forward.” By gaining the support of decision-makers, businesses can ensure that security measures are implemented effectively and consistently across the organization.
The initiative for secure emails
To further strengthen email security in German businesses, eco – Association of the Internet Industry recently launched the Initiative for Secure Emails in collaboration with the German Federal Office for Information Security (BSI). This initiative aims to support companies in implementing best practices for email security by offering educational resources, workshops, and expert guidance. By creating awareness and providing practical solutions, it encourages companies to adopt secure email protocols and protect their communication channels.
Moreover, the Email Competence Group at eco – Association of the Internet Industry provides a platform for professionals in the email security field to share their knowledge and collaborate on developing industry standards. As André Görmer from Mapp Digital Germany GmbH and Leader of the Email Competence Group stated, “We’ve been working closely with the BSI to establish guidelines and ensure that what is developed at the association level is applied at the federal level.”
Email security is business-critical
Email security is not just a technical issue; it’s a business-critical necessity. By prioritizing the topic in companies and involving all levels of the organization, businesses can protect themselves from evolving threats. The Initiative for Secure Emails, in cooperation with the BSI, offers a valuable opportunity for professionals to contribute to shaping a safer email ecosystem.
We encourage those working in the field of email security in Germany to join the Email Competence Group and the Initiative for Secure Emails to help drive this vital mission forward. These platforms offer a wealth of resources, from expert talks to hands-on workshops, designed to help businesses of all sizes enhance their email security.
Whether you are an email provider, a technical expert, or a decision-maker in your organization, your participation can help shape the future of email security in Germany. Together, we can develop a robust framework that not only protects businesses but also builds trust in email communications.
Michael Weirich, Project Manager in the Cybersecurity division at eco – Association of the Internet Industry, joined the association in 2012 as a Security Analyst. From 2013, Michael took over the role of project manager for the technical deliverables within the ACDC project and subsequently the project management for the nrw.uniTS network at eco, focusing on the liaison between the industry and the other involved stakeholders, such as those from the academic and political areas. In addition, he mentored SIWECOS, a service that helps small and medium-sized enterprises to identify and fix security vulnerabilities on their websites. As a project manager, he manages the eco Association's Anti-Ransomware initiative and the Initiative for Secure Emails, among others, and is the contact person for the Email and Anti-Abuse Competence Groups.