- stock.ado

How IT pros are building resilience against email security threats

For most people, emails are an easy and harmless way to communicate in the workplace, but they could also be a security disaster waiting to happen

This article can also be found in the Premium Editorial Download: Computer Weekly: Who will win the world’s biggest cloud contract?

Over the past few decades, emails have played an integral role in daily business communication. Whether it is communicating with co-workers and customers, sending marketing campaigns, scheduling meetings or receiving newsletters, they are a useful tool for everyone.

Research from Radicati Group shows that the number of emails sent and received each day will surpass 293 billion by the end of 2019, before reaching 347 billion in 2023. And according to a survey by HubSpot, 86% of professionals say email is their preferred way to communicate for business purposes.

But while the trusty email will no doubt continue to be commonplace in the business world, it has become a core target for hackers. Security threats such as malware, spam, phishing, social engineering and unauthorised access are causing major concern for organisations and IT leaders.

In research compiled by Barracuda Networks, 94% of organisations admitted that email is the most vulnerable part of their enterprise security strategies and 87% of CIOs expect to see an increase in email security threats over the next 12 months. Business email compromises are particularly damaging, with the US Internet Crime Complaint Center reporting $1.3bn of losses, further underlining the importance for organisations of building resilience against email-borne attacks.

For cyber criminals, email is often an easy way to infiltrate organisations, launch devastating attacks and gain hold of sensitive business information. Paul Rose, chief information security officer at managed service provider Six Degrees, says hackers are increasingly turning to it as their preferred attack vector.

“Not only are email-based cyber attacks often highly successful, but they can also be deceptively simple,” he says. “Targeted attacks against either an entire company – commonly known as phishing – or key persons within that company – spear phishing – can result in significant data breaches or loss of systems and services, whether they utilise malware payloads, social engineering or both.”

Rose argues that reducing the risk of a successful attack should include both technology and human considerations. “Effective technology-based security controls such as secure email gateways, attachment scanning and antivirus software are all well and good,” he says.

“However, these need to be supported by appropriate people and process controls, including frequent employee training and awareness. As cyber criminals use ever more sophisticated techniques to catch us out, the frequency of activities designed to raise awareness of these techniques needs to increase in response.”

“Continual training and ‘real world’ testing is essential if the threat from email attacks is to be mitigated”
Paul Rose, Six Degrees

But Rose says awareness should not end at simple PowerPoint presentations and e-learning courses with exams at the end. “Today’s enterprises should be exploring the use of internal resources or third parties to carry out phishing simulations across sections of their company,” he says. “Continual training and ‘real world’ testing is essential if the threat from email attacks is to be mitigated in the short, medium and long term.”

Chris Ross, senior vice-president at Barracuda Networks, says emails are the weakest security link. “A not insignificant 32% identified customer support as their most attacked department in what could indicate a new emerging trend for would-be attackers,” he says. “Brand impersonation also makes up the majority (80%) of email attacks, according to our research earlier this year.

“Without proper employee training, these attacks will continue to succeed. However, training is still hugely lacking across most enterprises we spoke to, with ‘once a year’ being the most popular response (29%) in terms of how often it is being given. Shockingly, an additional 7% said they either never had training or were not sure.”

Growing threats

As the connected ecosystem continues to expand and people become more reliant on their devices, email threats are likely to grow. Ashley Hurst, international head of tech, media and comms at law firm Osborne Clarke, says there are ever-more convincing phishing attacks in particular.

“Gone are the days of loads of spelling mistakes and obviously fake email addresses,” he says. “As people spend more and more time on their mobiles, the fakes can be difficult to spot, despite much more prevalent phishing attack training.”

But for Hurst, perhaps even more alarming is what the attackers do once they get a hold of someone’s username and password. “We have seen numerous cyber attacks where a single compromised username and password has been used to get into a computer system that has not been updated to use two-factor authentication,” he says.

“Once in, the attackers set up email forwarding rules and then review emails, waiting for the opportune moment to change the details on a payment request to divert funds. It can be weeks before the company notices.”

Hurst’s view is that the answer to these threats is only partly educational. “Companies must continue to refresh cyber security training regularly, particularly around email threats,” he says. “But most important is to ensure that the correct settings are applied to software and that software is updated regularly.

“Small and medium-sized companies with tight IT budgets are particularly at risk and more senior and high-profile individuals tend to be easier targets, particularly if they are vocal about their activities on social media. Every medium to large company needs to have a plan to deal with incidents quickly, even if it is simply knowing which experts to call.

“It is astonishing how many substantial companies still don’t have effective incident response plans in place, despite all the news about cyber attacks.”

Increasing sophistication

Although education and training can significantly reduce email breaches, the problem is that hackers are constantly finding more sophisticated techniques to target victims. Lewis Henderson, vice-president of threat intelligence at Glasswall Solutions, believes attackers are using techniques that users simply cannot spot.

“Our threat intelligence data is informing us that evasive threats have no malicious payload, and now dominate the top risks so far this year,” he says. “We find that most attacks are unique events that are beyond human abilities to detect and prevent, CISOs are forced into a weaker reactive position while attempting to contain malicious needles in a haystack. It is a challenging scenario to win.

“Example scenario: a supply chain partner is compromised, the malicious actor uses a DDE [dynamic data exchange] or Power Query technique within Microsoft Excel, evades every defence, and an unsuspecting user sees nothing suspicious while the breach is occurring. These are the types of threat where training on its own simply can’t help.”

Instead of being lost in the noise, Henderson says technology needs to be an enabler for CIOs and CISOs to have a dialogue with the business about file-based threats. “Threat intelligence strengthens their position to push for a change of policy and culture, and this should also influence their decision on which technology can disarm malicious files and attachments of their associated risks,” he says.

Read more about email security

Neil Thacker, chief information security officer of cloud security firm Netskope, agrees that email threats are growing in sophistication and that organisations need to take a more robust approach to mitigate them. He says effective mitigation needs to come from a comprehensive strategy that covers both education and email and web protection.  

“For many years, CISOs have been advising employees not to click on suspicious links,” he says. “While phishing simulation exercises do generate awareness, the simulation exercises are not considered a strategic control that has radically changed behaviour and therefore reduced the threats.”

Thacker says phishing for credentials or manipulation of employees are the key objectives for attackers. “However, the attackers have had to mature their processes to ensure they remain covert,” he adds. “One example is sending an email with a link followed by activating the malicious payload once the email has been delivered.

“This time-based attack is a common bypass technique that allows for the attack to remain undetected by email security controls. The control in this scenario is therefore better placed at the web inspection layer that inspects links at the point-in-time when the link is clicked on.”

Attackers are also exploiting trusted sites and popular cloud applications to host malicious payloads typically trusted by employees, says Thacker. “An email with a link from these locations is typically both trusted by the email security control and therefore also the employee,” he says.

“New techniques therefore require a more focused and pervasive approach. Using real email and web security metrics showcasing particularly poor responses to these attacks at department level can be used to educate employees. Running a catch-of-the-day programme, where employees are incentivised to report suspicious emails, is also a good step to help promote and raise awareness on good email security.”

Taking action

Steven Furnell, senior IEEE member and professor of information security at Plymouth University, says one of the biggest challenges at present is business email compromise. “This is when an attacker impersonates a senior executive and attempts to fool an employee or other recipient into sending funds or sensitive information, with the legitimate email account having previously been compromised via social engineering or direct intrusion,” he says. 

To mitigate such threats, Furnell says organisations need to improve awareness among their employees. “The issue of employee education is key in tackling the threat, because it requires message recipients to be aware enough to stop and think about what they are being asked to do, and to double-check that requests are valid, particularly where sensitive data or high-value transactions are involved,” he says.

Furnell recommends that employees ask themselves whether an email request seems legitimate and usual; what the value is of the information they are being asked to provide or the task that they are being asked to perform; whether they are confident that the source of the request is genuine; and whether they have to respond right away. 

“Without sufficient recovery tools, the outage of the attack will cause loss of data and money, as well as reputational harm and downtime for customers”
Avi Raichel, Zerto

Another increasing threat is ransomware, which is often distributed via email. Avi Raichel, CIO at resilience platform provider Zerto, says: “Attackers can often worm their way in through employee emails, so having the right cyber defences is key in avoiding a catastrophic situation where customer data, and a whole lot of money, could be at stake. 

“Having an extensive tiered security model as well as appropriate role-based access control can help minimise risk. But the attack itself is only half the problem. Without sufficient recovery tools, the outage of the attack will cause loss of data and money, as well as reputational harm and downtime for customers.”

Raichel says businesses need to implement tools that enable them to roll back all their systems to a point in time just before an attack. “It works like this: you see the ransomware email, and shut down any impacted computers, servers, and so on,” he says. 

“You then use a recovery tool to simply roll all of the systems back in time, which takes minutes rather than days, to a point before the company was infected with ransomware. This level of disaster recovery is critical. Emails continue to be at the centre of businesses, they are vulnerable and, inevitably, a standing target for ever-sophisticated cyber criminals.”

Emails are a communication standard for most of us in the workplace, but the reality is, security threats often go amiss. A big part of changing this is educating employees about the risks and how they can be mitigated, but organisations also need to ensure they have the systems in place to identify and respond to these ever-growing attacks.

Read more on IT risk management

Data Center
Data Management