November 26, 2019 By Douglas Bonderud

Email security remains a top priority in 2019 as organizations continue to face the threat of costly email compromise. The email attack surface is also expanding. Despite growing use of cloud-based collaboration tools and SMS for business, email remains the most common method for exchanging corporate information, with 74 percent of survey respondents choosing email as their preferred method of communication, according to a SendGrid study.

So it’s no surprise that phishing and spam still take the top spot for overall malware delivery. As Business 2 Community noted, 92 percent of malware is delivered via email. As a result, layered email security remains the best way to protect critical assets and reduce the risk of compromise — but this isn’t a static solution. Evolving attack methods and changing email use cases demand dynamic, multi-level defenses capable of identifying threats as they arrive, eliminating them in real time and remediating any damage they cause.

Here’s what you need to know about layering up security to limit email risk as we move into the new year.

What Is Layered Email Security?

Layers limit risk. This is the case for both email security and physical asset protection, as the more layers there are, the harder attackers have to work. Consider an office building. While break-in alarms can alert an organization if windows are smashed or doors are kicked down, they’re also necessarily reactive. But if you add in security cameras, motion sensors, two-way communications and secure areas with separate locking systems, burglars won’t get far.

Similarly, security best practices such as two-factor authentication (2FA) and location-based user identification can help limit the risk of compromise, but these single layers — no matter how deep or wide — offer finite protection. Layered approaches, meanwhile, frustrate malicious actors in different ways at every step of the security process.

Phishing Attacks: New Methods, Classic Pitfalls

While 2017 saw a sharp decline in the overall number of phishing attacks, this trend was short-lived. As HackRead noted, phishing attacks were up 250 percent through 2018, and while some of these shiny hooks included brand-new attack methods, Help Net Security reported that golden oldies like brand impersonation are also making a comeback.

Some of the most popular phishing attack types this year have included:

  • Fake attachments: If it looks too good to be true, don’t click it. From fake invoices to video files and special offers, attackers often use fake attachments to bypass security measures.
  • Credential hooks: Seemingly legitimate credential concerns are often used in business email compromise (BEC) attempts. Users believe their corporate or personal accounts have been hijacked and enter login data at attacker-created links, exposing their credentials.
  • Office impostors: Threat actors have gotten better at writing convincing emails that sound like they’re coming from the CEO, CFO or direct office supervisors. With social engineering now underpinning 97 percent of all malware attacks, according to Business 2 Community, office impostors are increasingly problematic.
  • Domain spoofing: If links appear to be from legitimate domains, recipients are more likely to click through. Attackers are now lifting webpage graphics, text and fonts so fake links look more like the real thing.
  • Brand impersonation: Attackers recognize the trust business users place in popular brands such as Microsoft, Google and Amazon, so they’ve gone back to basics with effective impersonations that often elude suspicion.
  • Outside-the-box efforts: As ZDNet noted, cybercriminals are also thinking outside the box with threat vectors such as server-parsed HTML (SHTML) file attachments that automatically direct users to websites requesting financial information.

With the phishing pool digging deeper and leveraging surface-level techniques, layered email security is critical. Let’s dive into the effects of six different layers on overall infosec efforts.

Layer 0: Eliminate Spam

If you’re not sure how to secure email, start with spam.

In 2019, more than 4.7 billion phishing emails were sent every day to businesses and individuals around the world. Effective spam tools are a requirement to catch the most obvious examples before they can infiltrate local devices and potentially compromise credentials. Here, organizations need advanced detection solutions that do more than white-list common addresses. With spoofing on the rise, it’s a good idea to use multiple tools connected by a unified management framework to reduce the chances of spam getting through.
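The point above about detection that does more than white-list common addresses, shown as an added example (not part of the original article): a spoofed message passes an allow-list check on its From header, while two further signals flag it. The addresses, the server name `mx.example.com` and the quarantine policy are constructed assumptions; `Authentication-Results` is the standard header a receiving mail server stamps with its SPF, DKIM and DMARC results.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ALLOWLIST = {"ceo@example.com"}      # constructed allow-list of "common addresses"
TRUSTED_AUTHSERV = "mx.example.com"  # assumed name of our own receiving server

# Constructed samples: same allow-listed From header, different provenance.
SPOOFED = (
    'From: "Pat Lee, CEO" <ceo@example.com>\n'
    "Reply-To: pat.lee@example-payments.test\n"
    "Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail\n"
    "Subject: Urgent wire transfer\n\nPlease pay the attached invoice today.\n"
)
GENUINE = (
    'From: "Pat Lee, CEO" <ceo@example.com>\n'
    "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass\n"
    "Subject: Q4 planning\n\nAgenda attached.\n"
)

def sender_domain(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def allowlist_only(raw):
    """Single-layer check: trusts whatever the From header claims."""
    msg = message_from_string(raw)
    return parseaddr(msg["From"])[1].lower() in ALLOWLIST

def layered_findings(raw):
    """Extra signals that an allow-listed From header may be spoofed."""
    msg = message_from_string(raw)
    findings = []
    reply_to = msg.get("Reply-To")
    if reply_to and sender_domain(reply_to) != sender_domain(msg["From"]):
        findings.append("reply-to-domain-mismatch")
    # Only trust results stamped by our own server; others can be forged.
    dmarc = None
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() == TRUSTED_AUTHSERV:
            m = re.search(r"\bdmarc=(\w+)", results)
            dmarc = m.group(1).lower() if m else None
    if dmarc != "pass":
        findings.append("sender-auth-not-passed")
    return findings

def verdict(raw):
    if not allowlist_only(raw):
        return "filter"              # unknown sender: normal spam scoring
    return "quarantine" if layered_findings(raw) else "deliver"
```

Calling `verdict(SPOOFED)` returns `"quarantine"` even though `allowlist_only(SPOOFED)` is true, while `verdict(GENUINE)` returns `"deliver"`.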

Layer 1: Seeing Is Deceiving

It’s not enough to look for an email threat as it approaches your server stack — the sheer volume and variety of phishing attempts demand threat intelligence tools capable of tracking common attack vectors, collecting relevant data and analyzing key spam behavior. This provides the foundation for layered protection that looks, listens and learns to improve overall defense.

Layer 2: The Inside Job

Internal configuration is a key component of layered email security. While many business mail servers and email solutions offer anti-spam and anti-malware detection, the increasing use of cloud-based services across multiple vendors means that misconfigured detection or reporting services could allow attacks to slip through unnoticed. Regular assessments of internal email services for potential security flaws form the second layer of our stack — when in doubt, bring in trusted cybersecurity partners to check for potential weaknesses you may have overlooked.

Layer 3: End-User Access Points

Mobile devices, laptops, tablets and even wearable devices are now connected to secure corporate networks. Add in the growing number of internet of things (IoT) devices, which are often protected by the same login/password combinations that govern business accounts or left completely unsecured behind business firewalls, and it becomes clear that deploying email solutions that target end-user devices is critical.

Although 63 percent of IT professionals now report that their overall infosec posture is stronger in 2019 than in 2018, end-user devices can still create a considerable opening for attackers, according to Dark Reading. If an organization is too confident in its new cloud security services, security information and event management (SIEM) tools and artificial intelligence (AI)-driven malware analysis, it can be easy to overlook the simplest phishing strategy: compromising a single device for large-scale network access.

Layer 4: The More You Know

Phishing attacks target the weakest link in email security, the user. Seemingly legit emails and urgent requests often convince staff to click on links and download attachments, which can put critical assets at risk. Regular training can account for layer four of our total security solution. Training should include refresher courses as well as occasional phishing attack drills to ensure that staff members are opting for safety over speed.

Layer 5: Social Imperative

Email is a social network. Accordingly, it comes with social imperatives. Users tend to have a sense of entitlement around reliable email services, feel compelled to respond to urgent requests, and believe they’re better than they are at spotting big phish. That’s why we’re closing out our list with recognition of this social imperative and the importance of using targeted techniques to reduce overall risk.

Start with education around how not to draft emails — no urgent subject lines or must-do-right-now demands. Users must be given the time and space to review and report emails they deem suspicious. Security, not speed, must dominate corporate culture. Finally, new AI-driven tools can help nudge users in the right direction if they’re not sure about the legitimacy of new inbox arrivals.

Don’t get caught by phishing emails this year. Stay safe through 2020 by layering up on effective protection across your corporate controls, connections and culture.
