Today, email is without parallel the most prevalent delivery system for social engineering, and a number of attacks start with social engineering. The cyber security industry believes that up to 90% of all malware infections start, in one way or another, with email. For example, ransomware, which has been the biggest cyber threat to enterprises in recent years, is most often propagated when a user is tricked into clicking a link or opening a Word file containing macro malware, simply because it is attached to an email that looks legitimate or mimics something the user already trusts as secure. There is no doubt, therefore, that organizations need to pay extra attention to email security.
Successfully addressing email security requires a two-pronged approach: educating employees and end users, and at the same time implementing the right technical controls so that users' exposure is minimized.
Inculcating a culture of security is essential to any modern organisation and a company-wide security awareness initiative helps foster this. To be effective, the program needs to be holistic and ongoing. With regard to email security, employees need to be given a solid understanding of evolving threats and a comprehensive briefing on company security policies, procedures and best practices.
A well-implemented program must cover security policy, data classification and handling, wireless networks, password security, phishing, hoaxes, malware, file sharing and copyright. It is particularly effective to include a regular series of spoof phishing emails, sent to employees only and designed to teach staff to be alert to similar external phishing attempts.
The Technical Aspects
I believe IT teams should do their very best to ensure that users have minimal threat exposure: this means good mail security solutions, URL filtering and ensuring that the most common threats do not come through in the first place. It puzzles me when organizations allow unsolicited emails with Office attachments to get to the end user without first removing harmful elements such as macros and scripts.
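One way a mail gateway can find macro-bearing Office attachments before delivery, so they can be sanitized or quarantined, is to inspect file content instead of trusting the extension. This is an added example, not code from the article or from any product. The function names, the sample message and the policy of holding every legacy OLE file are assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls/.ppt container

def has_macros(data: bytes) -> bool:
    """True if the bytes look like an Office file that can carry VBA macros."""
    if data.startswith(OLE_MAGIC):
        return True  # assumed policy: legacy binary formats are always held
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        # OOXML files store their VBA project as .../vbaProject.bin
        return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())

def quarantine_list(raw: bytes) -> list:
    """Names of the parts in a raw message that should not reach the user as-is."""
    msg = message_from_bytes(raw, policy=policy.default)
    flagged = []
    for part in msg.walk():  # walk() also reaches nested multipart containers
        if part.is_multipart():
            continue
        if has_macros(part.get_payload(decode=True) or b""):
            flagged.append(part.get_filename() or "(unnamed)")
    return flagged

def _zip(names):
    """Constructed stand-in for an OOXML file: member names only, dummy content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n in names:
            z.writestr(n, b"constructed placeholder")
    return buf.getvalue()

def sample_message() -> bytes:
    """Constructed test message with one clean and two macro-capable attachments."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.com", "user@example.com", "Invoice"
    m.set_content("See attached.")
    files = {"clean.docx": _zip(["word/document.xml"]),
             "invoice.docx": _zip(["word/document.xml", "word/vbaProject.bin"]),
             "legacy.doc": OLE_MAGIC + b"\x00" * 16}
    for name, data in files.items():
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_bytes()

if __name__ == "__main__":
    print(quarantine_list(sample_message()))
```
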
Of course, sometimes defining what should and shouldn’t be filtered can pose a challenge. Consider spam email: it has been around for so long and will probably never go away. One of the issues with spam is that we may not all have the same definition. Some may want to receive the weekly offer from the 2-for-1 web service while others consider it highly annoying. This creates a technical challenge around how we identify spam efficiently. With attackers becoming ever more creative and effective in disguising their attacks, this is a real challenge from the technical perspective.
Many organizations also fail to realize that it isn’t only spam and email-based malware that they need to protect against. There are other threats such as impostor email: low-volume, hard-to-detect messages that have cost businesses more than $2.3 billion and yet cannot be detected by solutions that only look for malware. Email solutions that incorporate reputation assessment and classification are needed to combat this.
Another factor that plays a key role in combating threats that find their way through email is encryption. The use of encryption offers more control and protection around the sensitive data that is being transmitted. Email encryption is not a new topic and has been around for many years. In the early days, however, it was a strenuous task to implement and manage: it was difficult for users to perform encryption and decryption, and key management was quite challenging. Today, it has become an inherent part of security strategies, and the large majority of enterprises have encryption in place in one form or another. It doesn’t really matter whether one is using web-based encryption services, on-premises encryption at the gateway or encryption on the endpoints: there simply is no way around encryption.
The Importance of Analytics
Email security solutions operate in unison with many other elements of enterprise security. Organizations must take advantage of this to increase their effectiveness: feed the events the email security solution raises into the data analytics solution, which captures the critical information; feed that information into security controls; and use the lessons learned from shortcomings to mitigate future threats.
The unfortunate truth is that we’re unlikely to ever see email communication become 100% secure, but the closer organizations get to that goal, the less likely it is that they’ll be attacked. Ultimately, cyber criminals too have resource constraints and are most likely to go after the lowest-hanging fruit. By ensuring that you’re a step ahead of the others, you can dramatically reduce the chances of falling victim to email threats.
Nicolai Solling, CTO at Help AG