Email Security Protocols: How Businesses are Failing
In opinion / By Phil Muncaster / 31 May 2019
As the dust settles on another round of contentious European elections, there’s one little piece of polling that most of the pundits missed. It revealed that the majority of UK political parties are failing their members by not putting in place best-practice email security protocols. The research is another depressing example of organisations that should know better failing to arm themselves with tools that could have a genuine positive impact on cyber risk.
The bigger picture is more alarming still. Email continues to be the number one threat vector facing firms, with C-level executives especially vulnerable to social engineering. Tackling it will require a blend of technical controls, watertight policies and enhanced training programmes.
Issued just before the European elections at the end of May, an analysis from security vendor Red Sift revealed that only five of the 22 UK political parties taking part had implemented DMARC (Domain-based Message Authentication, Reporting and Conformance, which is a bit of a mouthful). Yet it is widely regarded as best-practice security for mitigating the threat of phishing and other forms of domain spoofing. In fact, the government mandated its use for departments as far back as 2016.
However, it gets worse. Even those parties that had implemented DMARC had only done so with “p=none” policies. This is the weakest form of DMARC: effectively a “monitor mode” in which receiving mail servers report authentication failures back to the domain owner but still deliver the messages, so recipients may still get phishing emails in their inbox. They should have switched on p=reject, which tells receivers to reject outright any email that fails the DMARC checks. This matters because phishing is a popular tactic for hackers and very often forms the first stage of a data breach or targeted attack. According to Verizon, it was present in 32% of breaches analysed over the past year.
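To make the difference between a “monitor mode” record and an enforcing one concrete, here is an added example (not from the original article or from Red Sift) that parses a DMARC TXT record and grades how much protection it actually gives. The domains and records are constructed for illustration; it also goes slightly beyond the text by flagging the other ways a nominally strong policy can be weakened (a `pct` sample below 100 and a weaker subdomain policy via `sp`).

```python
# Constructed DMARC TXT records (made-up domains), mimicking what a
# _dmarc.<domain> TXT lookup would return for each party.
SAMPLE_RECORDS = {
    "party-a.example": "v=DMARC1; p=none; rua=mailto:dmarc@party-a.example",
    "party-b.example": "v=DMARC1; p=reject; rua=mailto:dmarc@party-b.example; adkim=s",
    "party-c.example": "v=DMARC1; p=quarantine; pct=20",
    "party-d.example": "v=DMARC1; p=reject; sp=none",
    "party-e.example": "",  # no record published at all
}


def parse_dmarc(record):
    """Split a DMARC record into its tag=value pairs (RFC 7489 syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return (grade, reason) describing the protection a record provides."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "none", "no valid DMARC record published"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor", "p=none: failures are reported but mail is still delivered"
    # pct defaults to 100; a lower value applies the policy to only a sample of mail
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        return "partial", f"p={policy} but pct={pct}: only {pct}% of mail is covered"
    # sp defaults to p; an explicit sp=none leaves every subdomain spoofable
    if tags.get("sp", policy).lower() == "none":
        return "partial", f"p={policy} but sp=none: subdomains can still be spoofed"
    if policy == "quarantine":
        return "quarantine", "p=quarantine: failing mail is sent to spam, not rejected"
    return "enforced", "p=reject: failing mail is rejected outright"


def audit(records):
    """Tally how many domains reach each grade, Red Sift survey style."""
    summary = {}
    for record in records.values():
        grade, _ = assess_dmarc(record)
        summary[grade] = summary.get(grade, 0) + 1
    return summary


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(domain, *assess_dmarc(record))
    print(audit(SAMPLE_RECORDS))
```

Run against real domains, the records would come from a DNS TXT lookup of `_dmarc.<domain>`; only a grade of “enforced” corresponds to the p=reject posture the article calls for.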
However, phishing isn’t the only threat facing organisations via email. Trend Micro blocked over 48.3 billion online threats last year. Of these, a staggering 41.5bn (86%) were email-borne threats. They included: cryptocurrency-mining malware, detections of which jumped 237% over the previous year to exceed one million; fileless threats, which surged a massive 819%; and ransomware, which decreased slightly in detections but remains a serious targeted threat.
Business Email Compromise (BEC) is also on the rise. Trend Micro recorded a 28% increase in attacks, while the FBI recently declared it the most costly cyber threat out there, accounting for nearly half ($1.2bn) of the $2.7bn total losses associated with reported attacks. The bad news is that it’s hard for organisations to detect, given that attacks typically don’t contain any malware. Instead, they use social engineering tactics (and sometimes spoofed domains) to trick recipients into believing the CEO or CFO has just requested a large transfer of corporate funds to a third-party account. Sometimes, the senior executive’s email account is hijacked first by the hacker, often via phishing, which makes it even harder to spot the scam.
Taking the C-suite to One Side
This highlights one of the weakest links in the corporate security chain: senior executives. According to Verizon, C-level execs are 12 times more likely to be the victim of a “social incident” and nine times more likely to be targeted by a “social breach” than in previous years. These individuals are an attractive target because of their privileged account access and their approval authority over money transfers and the like. Crucially, they often have little time to check whether emails are legitimate or not, making them prime candidates to fall victim to phishing scams.
According to one security service provider, which runs a “Management Hack” service to train the C-suite, red team testers were able to gain access to critical business data and logins in just 10 minutes, after targeting senior staff with phishing emails. Ensuring they get the right training is not just in the interests of the organisation: a serious security breach could ultimately force business leaders out of their job. Just ask former Equifax boss, Richard Smith.
How to Protect your Emails
There’s no silver bullet for email security, just as there’s no 100% guaranteed way to protect your endpoints, servers, networks or web apps. It’s all about layering up best practices to ensure that, if a threat sneaks past one filter, there will be several more ready and waiting. Training and awareness programmes are a key component: they must be extended to all employees including the C-suite and any assistants who might manage their emails on their behalf. Ensure lessons include real-world phishing and other attack simulations, run in small bite-sized chunks and featuring feedback to maximise the chance of changing behaviour.
Other best practices include strong DMARC, anti-phishing tools, and custom sandboxing capabilities to spot zero-day threats. New tools are also emerging in the market which use the power of AI to help spot BEC attacks by analysing the writing style and communication pattern of executives. Email encryption services can add further security by ensuring only the intended recipient can read them, while multi-factor authentication (MFA) is a must for secure login. Finally, enforce an acceptable usage policy to maintain security standards.
With GDPR regulators hovering, it’s never been more important to bolster your defences against the organisation’s number one threat vector.
If you are looking for some advice on how you can protect your personal information (including emails), contact us today. We can provide and tailor-make solutions to help your business.