Why email security is still an afterthought in many UK organisations — and why DACH (Germany, Austria, Switzerland) seems to be ahead

As I sit in the lounge at Munich Airport, waiting on yet another delayed flight, I thought I might put some of my thoughts, concerns, waffling wonderings, call them what you will, into an ever so slightly cohesive piece for you to read. I have spent the majority of my career in Cyber Security focused around email and data security in the UK and the EU, so my words do come with some experience attached. Email remains the single most-used communications channel in business and the single biggest vector for compromise. Yet in many UK organisations it’s treated like a nuisance rather than the crown jewel of data-security defence. Meanwhile Germany, Austria and Switzerland (DACH) show a stronger combination of policy, identity infrastructure and practical deployment (e-ID, qualified signing, national guidance and mail authentication) that makes their email ecosystems measurably more resilient. Below I have set out some of the facts to examine the cultural and structural reasons for the gap, and end with practical steps UK organisations and policy makers could take.

Short, painful facts (recent and verifiable)

(Those three reports — GOV.UK, NCSC, ENISA — form the backbone for what follows.)

Where DACH is ahead: concrete patterns, not mysticism

1. National digital identity and e-ID coverage (Austria & Switzerland)
2. Focused national guidance and standards for email authentication (Germany)
3. Commercial and legal ecosystems that incentivise adoption

So why is the UK comparatively behind on email security?

There’s no single cause — it’s a mix of technical, commercial, legal and cultural reasons.

1. Fragmented market & incentives

UK businesses often prioritize productivity and convenience over the friction introduced by end-to-end email encryption or mandatory signing. There’s no widely adopted UK eID or signature ecosystem that makes strong email encryption as frictionless as, say, logging into a government portal with a national ID. That means uptake is voluntary and often low. (Contrast: Austria’s high eID penetration and Switzerland’s QES market.)

2. Focus on perimeter/cloud controls, not data-centric controls

A lot of UK security investment goes into cloud email filtering, gateway DLP, and endpoint detection, all valuable, but those measures protect in transit and at the edges rather than ensuring end-to-end confidentiality or cryptographic provenance. If you treat email like “just another web service”, you miss identity and signing features that stop BEC (Business Email Compromise) […]
Just like Work from Home, this post won’t be for everyone but I’m ok with that.

Recently, I’ve been seeing a lot of posts and blogs about the ‘freedom’ that working from home gives you. I’m also seeing similar posts about ‘Remote Working’. These are two very different types of post. Work from Home works for me. I have been doing it for the most part of 25 years. I have […]
Permission Creep and the Over Privileged User – A Business Issue!

So, let’s start at the beginning… What is privilege creep? Simply put, it’s the gradual accumulation of access rights beyond what an individual needs to do his or her job. In general terms a privilege is an identified right that a particular end user has to a particular system resource, such as a file folder […]
It’s What’s Inside That Counts

Mitigating the Insider Threat

The faster an IT landscape grows, the harder it becomes to keep track of users. The question this poses to IT managers and administrators is: is it even still possible to efficiently and transparently conduct a user management process that is not going to cause more work, more complication and slow […]
