
Security Think Tank: Scan, educate and back up to block email threats

What strategies should organisations follow to block malware attachments which continue to account for two-thirds of malware infections that result in data breaches?

Given that some two-thirds of malware gets installed on a PC from an email attachment, according to Verizon’s 2017 Data Breach Investigations Report, what strategies are available to organisations to block this route of infection?

One strategy we have come across at a couple of our clients is quite simply to block all attachments. It works, but it obviously has significant consequences for the organisation.

A second strategy is to pass all emails through an outsource supplier of email scanning services prior to emails being delivered to your organisation’s email servers.

Generally, the organisation is given access to a dashboard where it can modify the policies applied to email scanning (such as blocking certain file types and Microsoft Office documents with macros), and individual users can be given access to their own quarantine area where they can view emails that violate the set policy and decide whether to delete them, block similar messages in future, or release them.
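As an added illustration of the kind of policy such a scanning service applies (example code, not from the article or any vendor product), the following checks each attachment of a message against a blocked-extension list and also opens Office OOXML files to look for an embedded VBA project, so a macro-enabled document renamed to .docx is still caught. The extension list, the VBA member names and the sample message are all constructed for the example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Hypothetical gateway policy: extensions blocked outright, and the zip members
# whose presence in an OOXML document means it carries VBA macros.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".docm", ".xlsm", ".pptm"}
MACRO_MEMBERS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}


def office_has_macros(data: bytes) -> bool:
    """True if the bytes are an OOXML zip that contains a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name in MACRO_MEMBERS for name in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a zip container, so not an OOXML document


def check_attachments(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (filename, verdict) per attachment; verdict is 'allow' or a block reason."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS:
            verdicts.append((name, "block: extension"))
        elif office_has_macros(payload):  # content check, independent of the name
            verdicts.append((name, "block: office macros"))
        else:
            verdicts.append((name, "allow"))
    return verdicts


def build_sample_message() -> bytes:
    """Constructed test mail: a benign PDF, an .exe, and a .docx hiding a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00constructed vba stub\x00")
    msg = EmailMessage()
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ constructed", maintype="application", subtype="octet-stream", filename="update.exe")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="octet-stream", filename="report.docx")
    return msg.as_bytes()
```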

The danger here is that someone could release an email that is in fact malicious (the threat might not be an attachment but a link to a website that hosts the malware).

The third option is to have on-site email scanning. This works in a similar way to the second option, except that the scanning tools are on-site. This might be a reasonable option for large organisations that are prepared to invest in running such a service, but in practice even very large organisations generally still outsource it.

Even with good email scanning in place, there can be no 100% guarantee that every email with malicious intent will be blocked. This is where good staff education in handling emails comes into play: staff are the final line of defence. It goes without saying that such education cannot be a one-off delivered when a new person joins the organisation.

There has to be ongoing education, be it regular poster campaigns, pop-ups when people log on to the network, or an information desk that gets set up regularly in the lunch room or entrance lobby.

And when all else fails, the organisation needs good, well-practised and tested incident response plans, and access to a full set of system backups (typically taken daily) that are regularly tested to confirm they can actually be restored.
