JRB - Fotolia

This article is part of our Essential Guide: How to manage email security risks and threats

How to improve security against email attacks and for GDPR compliance

About 200 billion emails are sent every day, but because of its importance email is constantly exploited by attackers, and yet is often overlooked in cyber security strategies

This article can also be found in the Premium Editorial Download: Computer Weekly: Where will artificial intelligence take us?

It is not unusual for emails to be used for arranging payments or for submitting identifying documents. “Legal services seem to do 40% of their work on their mobile phone,” observes Colin Tankard, managing director of Digital Pathways.

The General Data Protection Regulation (GDPR), set to come into force in May 2018, is designed to protect European Union (EU) citizens’ data, and organisations that want to operate within the EU will be expected to comply with it.

Section 2 of the GDPR states that organisations must “protect personal data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorised disclosure, dissemination or access, or alteration of personal data”.

The European Commission defines personal data as “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address”.

This regulation of greater email protection arrives shortly after the WannaCry and Petya cyber attacks. Despite emails being used regularly, they remain vulnerable to attack, both as a target and as an attack vector.

Malicious emails are rife

Verizon’s 2017 Data breach investigations report noted that two-thirds of all malware was installed through malicious email attachments. Symantec’s July 2017 Intelligence report determined that the email malware rate has increased to one in every 359 emails. Phishing emails have also increased to one in every 1,968 emails.

Mimecast’s Email security risk assessment (Esra) noted recently that nearly 11 million of its 45 million scanned emails – about 25% – were “bad” or “likely bad”. 

Several malware families, such as Emotet and Trickbot, have recently added functionality that enables them to spread via email. Emotet, for example, now has the capability to steal email credentials from infected computers and use these to send out emails to spread itself further.

The dangers that organisations can expose themselves to through unsecured email accounts are often more than just compromised emails. Financial account information can be leaked, ransomware and viruses can infect networks, and reputational damage can occur from hacks being disclosed. This disclosure will become mandatory under the GDPR.

Develop an email security policy

Developing a security policy for email can be relatively simple, and a natural first step for bringing organisations into alignment with GDPR’s requirements. However, a company’s email security protocols are only as strong as the employees who use them.

“We have one client who has been told not to click on these things, but he just keeps doing it,” says Tankard. “What we end up doing is creating three duplicate machines, so that when one becomes trashed with a virus, it gets taken away and another one is given to him, while the first one is rebuilt. We need three, because sometimes he can trash the second one before we have rebuilt the first one.”

Read more about email security

The first, cheapest and easiest stage in maintaining any security system is to ensure that all operating systems and applications are correctly patched with the latest updates. Some organisations may be tempted to delay patching, due to possible downtime or the need to check compatibility with connected systems. But these delays can be costly, as hackers seek to identify known vulnerabilities and are quick to exploit them.

Anti-virus filtering should be used on all email traffic. Although this will not be a complete solution in itself, it will remove much of the “background noise” – the easy-to-spot threats – allowing security teams to focus on the more sophisticated attacks. Organisations should also consider using a secure anti-malware proxy or next-generation firewalls.

Some organisations may want to consider whitelisting or blacklisting filters for managing their email security. With whitelisting, only known, trusted email sources are allowed through; with blacklisting, all but the known, malicious email sources are blocked. Whitelisting offers more protection, but it will inevitably block some important emails, which can cause frustration for employees.

Some organisations have gone as far as to block all attachments, which is effective in preventing malicious attachments, but naturally has consequences. These can be mitigated by the email server informing the recipient that a file has been blocked. If they require that file, they may request that it be cleared by IT security. But although this method blocks malware, it does not prevent users from clicking on malicious links embedded within emails.

This whitelisting methodology can also be used with applications, whereby only trusted applications can be run. Blacklisting can used to block all known malicious applications from being run. There is also a third variant, greylisting, which prevents unknown applications being activated with administrator privileges, or for accessing data.

Dmarc deployment

Domain-based message authentication, reporting and conformance (Dmarc) can be used for email authentication to block emails with spoofed addresses, which is one of the main attack techniques. Email risk-scoring tools can also be used to identify suspect emails and quarantine them for later analysis.

Dmarc is normally deployed by large organisations and public-sector organisations, but small to medium-sized enterprises (SMEs) can enquire if it can be deployed by their internet or email provider.

Smaller organisations should consider passing all emails through an outsource supplier of email scanning services before they are delivered to the organisation’s email server.

Organisations should also consider network segmentation to isolate their email server from the rest of the network, thereby limiting access to sensitive areas of their network. Network segmentation should be deployed alongside regulated access controls and intrusion detection to further restrict access. The best solutions for intrusion detection rely on detecting the techniques used to exploit vulnerabilities.

Email filtering can be adopted through a network appliance before the email reaches the server. This technique allows any suspicious programs to be activated in a virtual sandbox environment, for the purpose of detecting any host or network activity, in order to detect malware.

Worst-case scenarios

Organisations should also consider worst-case scenarios and have regularly updated disaster protocols in place. These should detail what to do when, rather than if, malware infects the network.

“Rather than having a ‘jack-of-all-trades’ approach, where one application covers all aspects of security, organisations should look to use different security applications from various suppliers that overlap each other, providing additional layers of defence,” says Mimecast product manager Pete Banham.

But there is no such thing as 100% security. Organisations need to educate their employees in how to spot fraudulent emails and raise awareness of the dangers of malicious emails.

To engage the participants, this education should be easy to understand and should not rely on technical jargon. Staff should be positively encouraged to report suspicious emails and given feedback about any emails reported. Not only will this allow the security settings to be updated, but it will also educate staff further.

It is also vital to tailor the message to the particular audience. For example, telling an HR department not to open attachments from external addresses will not work, because they deal with people who are applying for jobs.

Following recent incidents of leaked emails, many organisations are now encrypting emails, installing encryption protocols as add-ons to existing email apps.

Not only do these systems rely on end-to-end encryption to secure their content, but some also ensure compliance with the GDPR. “There are hundreds of email security or encryption services, but we have found customers need verifiability, which is in high demand because of GDPR,” says Kurt Kammerer, CEO of Regify.

Sending receipts

Although email settings allow requested read receipts to be ignored by the recipients, there are secure email applications that enforce the sending of these receipts. When an email is sent, the sender will receive an email saying when it has been delivered to the email server. A subsequent email will then notify the sender when their email has been opened.  If the email has not been opened within three days, a third email is delivered to the sender, informing them it has not been opened.

“This is a sender’s beast,” says Tankard, “which is why it is great for compliance with GDPR.”

The drawback of this application is that it increases email traffic. However, it does provide organisations with a clear auditable trail of emails being sent, received and read by the intended recipients. This email auditing is required to comply with GDPR, because it proves that not only has an email been sent, but that it has been received and read.

“Up until a year or so ago, people were not that interested in secure email, but this year has seen rapid growth in it,” says Tankard. “It has grown by 10 times this year compared with recent years.”

But although encryption protects the contents of emails being leaked, it does not block malicious content or attachments.

A multi-layered series of email security protocols will go a long way to ensuring compliance with GDPR, but only a properly educated and positively encouraged workforce will reliably protect an organisation from attacks via email.

“If you have these wonderful security levels but nobody follows them, then you are open,” says Kammerer. “You need to bring both together.”

Read more on Hackers and cybercrime prevention