Email security remains a top priority in 2019 as organizations continue to face the threat of costly email compromise. The email attack surface is also expanding. Despite growing use of cloud-based collaboration tools and SMS for business, email remains the most common method for exchanging corporate information, with 74 percent of survey respondents choosing email as their preferred method of communication, according to a SendGrid study.

So it’s no surprise that phishing and spam still take the top spot for overall malware delivery. As Business 2 Community noted, 92 percent of malware is delivered via email. As a result, layered email security remains the best way to protect critical assets and reduce the risk of compromise — but this isn’t a static solution. Evolving attack methods and changing email use cases demand dynamic, multi-level defenses capable of identifying threats as they arrive, eliminating them in real time and remediating any damage they cause.

Here’s what you need to know about layering up security to limit email risk as we move into the new year.

What Is Layered Email Security?

Layers limit risk. This is the case for both email security and physical asset protection, as the more layers there are, the harder attackers have to work. Consider an office building. While break-in alarms can alert an organization if windows are smashed or doors are kicked down, they’re also necessarily reactive. But if you add in security cameras, motion sensors, two-way communications and secure areas with separate locking systems, burglars won’t get far.

Similarly, security best practices such as two-factor authentication (2FA) and location-based user identification can help limit the risk of compromise, but these single layers — no matter how deep or wide — offer finite protection. Layered approaches, meanwhile, frustrate malicious actors in different ways at every step of the security process.

Phishing Attacks: New Methods, Classic Pitfalls

While 2017 saw a sharp decline in the overall number of phishing attacks, this trend was short-lived. As HackRead noted, phishing attacks were up 250 percent through 2018, and while some of these shiny hooks included brand-new attack methods, Help Net Security reported that golden oldies like brand impersonation are also making a comeback.

Some of the most popular phishing attack types this year have included:

  • Fake attachments: If it looks too good to be true, don’t click it. From fake invoices to video files and special offers, attackers often use fake attachments to bypass security measures.
  • Credential hooks: Seemingly legitimate credential concerns are often used in business email compromise (BEC) attempts. Users believe their corporate or personal accounts have been hijacked and enter login data at attacker-created links, exposing their credentials.
  • Office impostors: Threat actors have gotten better at writing convincing emails that sound like they’re coming from the CEO, CFO or direct office supervisors. With social engineering now underpinning 97 percent of all malware attacks, according to Business 2 Community, office impostors are increasingly problematic.
  • Domain spoofing: If links appear to be from legitimate domains, recipients are more likely to click through. Attackers are now lifting webpage graphics, text and fonts so fake links look more like the real thing.
  • Brand impersonation: Microsoft, Google, Amazon — Attackers recognize the trust placed in many popular brands by business users, and so they’ve gone back to basics with effective impersonations that often elude suspicion.
  • Outside-the-box efforts: As ZDNet noted, cybercriminals are also thinking outside the box with threat vectors such as server-parsed HTML (SHTML), file attachments that automatically direct users to websites requesting financial information.

With attackers both digging deeper and reviving surface-level techniques, layered email security is critical. Let’s dive into how six different layers contribute to overall infosec efforts.

Layer 0: Eliminate Spam

If you’re not sure how to secure email, start with spam.

In 2019, more than 4.7 billion phishing emails were sent every day to businesses and individuals around the world. Effective spam tools are a requirement to catch the most obvious examples before they can infiltrate local devices and potentially compromise credentials. Here, organizations need advanced detection solutions that do more than white-list common addresses. With spoofing on the rise, it’s a good idea to use multiple tools connected by a unified management framework to reduce the chances of spam getting through.
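As an added illustration of what a Layer 0 filter can check beyond a sender whitelist, the following Python (example code, not from the original article or any vendor product) scores a constructed message against the phishing patterns listed earlier: an executive display name on an external address, a lookalike sender domain, pressure language in the subject, and a web-page attachment such as SHTML. The internal domain, executive names, extension list and sample message are all assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed organisation-specific values for this example.
INTERNAL_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe"}
RISKY_EXTENSIONS = (".shtml", ".html", ".htm", ".js", ".vbs")
URGENT_WORDS = ("urgent", "immediately", "asap", "action required")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(raw: bytes) -> list:
    """Return a list of findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower()
    # Office impostor: a known executive's display name on a non-corporate address.
    if name.strip().lower() in EXECUTIVE_NAMES and domain != INTERNAL_DOMAIN:
        findings.append("office-impostor: executive display name from external domain")
    # Domain spoofing: sender domain within two edits of ours, but not ours.
    if domain != INTERNAL_DOMAIN and 0 < edit_distance(domain, INTERNAL_DOMAIN) <= 2:
        findings.append(f"domain-spoofing: lookalike sender domain {domain}")
    # Social pressure: urgency wording in the subject line.
    subject = str(msg.get("Subject", "")).lower()
    if any(word in subject for word in URGENT_WORDS):
        findings.append("urgency: pressure language in subject")
    # Fake/web attachments: file types that open a page rather than a document.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky-attachment: {fname}")
    return findings


# Constructed sample message combining several of the patterns above.
SAMPLE = (b"From: Jane Doe <jane.doe@examp1e.com>\nTo: accounts@example.com\n"
          b"Subject: URGENT wire transfer needed today\nMIME-Version: 1.0\n"
          b'Content-Type: multipart/mixed; boundary="b1"\n\n--b1\n'
          b"Content-Type: text/plain\n\nPlease process the attached invoice.\n--b1\n"
          b'Content-Type: text/html; name="invoice.shtml"\n'
          b'Content-Disposition: attachment; filename="invoice.shtml"\n\n<html></html>\n--b1--\n')
```

Calling `score_message(SAMPLE)` returns four findings, one per pattern; in practice such checks would feed a unified scoring layer rather than block on their own.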

Layer 1: Seeing Is Deceiving

It’s not enough to look for an email threat as it approaches your server stack — the sheer volume and variety of phishing attempts demand threat intelligence tools capable of tracking common attack vectors, collecting relevant data and analyzing key spam behavior. This provides the foundation for layered protection that looks, listens and learns to improve overall defense.

Layer 2: The Inside Job

Internal configuration is a key component of layered email security. While many business mail servers and email solutions offer anti-spam and anti-malware detection, the increasing use of cloud-based services across multiple vendors means that misconfigured detection or reporting services could allow attacks to slip through unnoticed. Regular assessments of internal email services for potential security flaws form the second layer of our stack — when in doubt, bring in trusted cybersecurity partners to check for potential weaknesses you may have overlooked.

Layer 3: End-User Access Points

Mobile devices, laptops, tablets and even wearable devices are now connected to secure corporate networks. Add in the growing number of internet of things (IoT) devices, which are often protected by the same login/password combinations that govern business accounts or left completely unsecured behind business firewalls, and it becomes clear that deploying email solutions that target end-user devices is critical.

Although 63 percent of IT professionals now report that their overall infosec posture is stronger in 2019 than in 2018, end-user devices can still create a considerable opening for attackers, according to Dark Reading. If an organization is too confident in its new cloud security services, security information and event management (SIEM) tools and artificial intelligence (AI)-driven malware analysis, it can be easy to overlook the simplest phishing strategy: compromising a single device for large-scale network access.

Layer 4: The More You Know

Phishing attacks target the weakest link in email security: the user. Legitimate-looking emails and urgent requests often convince staff to click on links and download attachments, which can put critical assets at risk. Regular training forms layer four of our total security solution. Training should include refresher courses as well as occasional phishing attack drills to ensure that staff members are opting for safety over speed.

Layer 5: Social Imperative

Email is a social network. Accordingly, it comes with social imperatives. Users tend to have a sense of entitlement around reliable email services, feel compelled to respond to urgent requests, and believe they’re better than they are at spotting big phish. That’s why we’re closing out our list with recognition of this social imperative and the importance of using targeted techniques to reduce overall risk.

Start with education around how not to draft emails — no urgent subject lines or must-do-right-now demands. Users must be given the time and space to review and report emails they deem suspicious. Security, not speed, must dominate corporate culture. Finally, new AI-driven tools can help nudge users in the right direction if they’re not sure about the legitimacy of new inbox arrivals.

Don’t get caught by phishing emails this year. Stay safe through 2020 by layering up on effective protection across your corporate controls, connections and culture.
