The Limits of Secure Email for PE and VC Firms

Uncover the critical security flaws of "secure email" for PE and VC firms and discover a safer, more efficient solution for fund transfers.

Written By:

Peter Steppe

As concerns about personal data privacy and large-scale corporate phishing attacks have grown, so too has the use of “secure email,” which offers various levels of encryption in order to protect sensitive data and personally identifiable information (PII). An estimated 350 billion emails are sent every day, of which about 1% are actively malicious (source).

In theory, secure email tools offer increased security and privacy while reducing spam. In practice, many PE and VC firms have discovered the security limits of secure email providers once they are deployed. In our experience, secure email providers are often overvalued from a security perspective, difficult to deploy, and vulnerable in several key areas.

Here are some key security limitations of secure email providers:

  • Metadata Exposure: Even with end-to-end encryption, metadata such as sender and recipient information, timestamps, and email subject lines are often not encrypted, potentially exposing patterns and associations.
  • Server-Side Vulnerabilities: If the email provider's servers are compromised, encrypted email contents could be accessed or tampered with, especially if encryption keys are stored on the server.
  • User Device Security: Emails are only as secure as the devices accessing them. If a user's device is compromised (e.g., through malware), encrypted emails can be accessed and decrypted.
  • Account Takeover: Secure email remains vulnerable to account takeover attacks, in which a patient attacker sits silently in a compromised account and acts only when a transaction event occurs. The email address might be considered ‘verified,’ but the identity behind it is not.
  • Phishing Attacks: Secure email providers cannot fully protect users from phishing attacks. Users can still be tricked into revealing sensitive information or downloading malicious content.
  • Key Management: If encryption keys are lost, users might lose access to their emails permanently.
  • Trust in Provider: Users must trust the email provider not to include backdoors or cooperate with government surveillance. Any misuse of this trust can compromise the perceived security.
  • Complexity and Usability: Secure email systems require complex key management, which makes them very difficult to deploy and maintain.
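The metadata point above is easy to verify by inspecting a message rather than taking it on faith. The script below is an added example, not code from this article or from 6lock: it parses a constructed PGP/MIME message (RFC 3156 layout, with a placeholder in place of real OpenPGP ciphertext) and reports which headers any mail server, relay, or mailbox compromise can read without a key, while confirming that the body itself stays opaque. All addresses and the subject line are made up for the demonstration.

```python
"""Show what a PGP/MIME (RFC 3156) message leaks even though its body is encrypted.

Added example for this article. The sample message is constructed; the
ciphertext block is a placeholder string, not real OpenPGP output.
"""
from email import message_from_string

# Constructed sample in the multipart/encrypted layout that PGP-capable
# clients produce. Only the second MIME part is ciphertext; every header
# on the outer envelope travels in cleartext.
SAMPLE_MESSAGE = """\
From: cfo@example-fund.invalid
To: ops@example-bank.invalid
Cc: counsel@example-law.invalid
Subject: Wire instructions for Project Falcon closing
Date: Tue, 04 Jun 2024 09:15:00 -0400
Message-ID: <constructed-0001@example-fund.invalid>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----
hQEMA0xPLACEHOLDERCIPHERTEXTyQ
-----END PGP MESSAGE-----

--b1--
"""

# Headers that end-to-end encryption of the body does not cover.
CLEARTEXT_HEADERS = ("From", "To", "Cc", "Subject", "Date", "Message-ID")


def is_pgp_mime_encrypted(raw: str) -> bool:
    """True if the message follows the RFC 3156 multipart/encrypted structure."""
    msg = message_from_string(raw)
    if msg.get_content_type() != "multipart/encrypted":
        return False
    if msg.get_param("protocol") != "application/pgp-encrypted":
        return False
    parts = msg.get_payload()
    return (
        len(parts) == 2
        and parts[0].get_content_type() == "application/pgp-encrypted"
        and parts[1].get_content_type() == "application/octet-stream"
    )


def exposed_metadata(raw: str) -> dict[str, str]:
    """Return the headers an observer can read from the message without any key."""
    msg = message_from_string(raw)
    return {h: msg[h] for h in CLEARTEXT_HEADERS if msg[h] is not None}


def body_is_opaque(raw: str, *plaintext_markers: str) -> bool:
    """True if none of the given plaintext markers appear in the encrypted body part.

    A useful check when auditing a client configuration: if a marker such as an
    account number shows up here, the body was not actually encrypted.
    """
    msg = message_from_string(raw)
    body = msg.get_payload()[1].get_payload()
    return not any(marker in body for marker in plaintext_markers)


if __name__ == "__main__":
    print("RFC 3156 layout:", is_pgp_mime_encrypted(SAMPLE_MESSAGE))
    print("Body opaque:", body_is_opaque(SAMPLE_MESSAGE, "account", "routing"))
    print("Readable by any server on the path:")
    for name, value in exposed_metadata(SAMPLE_MESSAGE).items():
        print(f"  {name}: {value}")
```

Run it against a real message exported from a mail client to see the same picture: the counterparties, the timing, and a subject line such as the one above are all available to anyone who can read the mailbox or the transport path. The usual mitigation is to treat the outer subject as a placeholder and carry the real subject and recipients inside the encrypted part (the "protected headers" approach some clients support), which is the kind of configuration detail this check is meant to confirm.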

While secure email providers offer enhanced protection, they are not immune to security threats and still require users to remain vigilant. Why does this matter specifically for PE and VC firms? A recent study by Gartner indicated that PE and VC firms are in fact 300 times more likely to be targeted by cyberattacks. And tactics that rely on email, secured or not, are the most common method of attack.

PE and VC firms are unique within the financial sector because they are often required to transfer large sums on relatively short notice. That leaves little time for proper security diligence and pushes staff to share sensitive information with outside parties via email and insecure documents. From the outside, it is easy to see how an ideal, secure process breaks down; those on the inside see it firsthand on a regular basis.

A better solution? Remove email from the funds transfer process entirely. It’s why we created 6lock as an invite-only payments platform designed specifically to help PE and VC networks send, receive and track their money.
