Email security remains a top priority in 2019 as organizations continue to face the threat of costly email compromise. The email attack surface is also expanding. Despite growing use of cloud-based collaboration tools and SMS for business, email remains the most common method for exchanging corporate information, with 74 percent of survey respondents choosing email as their preferred method of communication, according to a SendGrid study.
So it’s no surprise that phishing and spam still take the top spot for overall malware delivery. As Business 2 Community noted, 92 percent of malware is delivered via email. As a result, layered email security remains the best way to protect critical assets and reduce the risk of compromise — but this isn’t a static solution. Evolving attack methods and changing email use cases demand dynamic, multi-level defenses capable of identifying threats as they arrive, eliminating them in real time and remediating any damage they cause.
Here’s what you need to know about layering up security to limit email risk as we move into the new year.
What Is Layered Email Security?
Layers limit risk. This is the case for both email security and physical asset protection, as the more layers there are, the harder attackers have to work. Consider an office building. While break-in alarms can alert an organization if windows are smashed or doors are kicked down, they’re also necessarily reactive. But if you add in security cameras, motion sensors, two-way communications and secure areas with separate locking systems, burglars won’t get far.
Similarly, security best practices such as two-factor authentication (2FA) and location-based user identification can help limit the risk of compromise, but these single layers — no matter how deep or wide — offer finite protection. Layered approaches, meanwhile, frustrate malicious actors in different ways at every step of the security process.
Phishing Attacks: New Methods, Classic Pitfalls
While 2017 saw a sharp decline in the overall number of phishing attacks, this trend was short-lived. As HackRead noted, phishing attacks were up 250 percent through 2018, and while some of these shiny hooks included brand-new attack methods, Help Net Security reported that golden oldies like brand impersonation are also making a comeback.
Some of the most popular phishing attack types this year have included:
- Fake attachments: If it looks too good to be true, don’t click it. From fake invoices to video files and special offers, attackers often use fake attachments to bypass security measures.
- Credential hooks: Seemingly legitimate credential concerns are often used in business email compromise (BEC) attempts. Users believe their corporate or personal accounts have been hijacked and enter login data at attacker-created links, exposing their credentials.
- Office impostors: Threat actors have gotten better at writing convincing emails that sound like they’re coming from the CEO, CFO or direct office supervisors. With social engineering now underpinning 97 percent of all malware attacks, according to Business 2 Community, office impostors are increasingly problematic.
- Domain spoofing: If links appear to be from legitimate domains, recipients are more likely to click through. Attackers are now lifting webpage graphics, text and fonts so fake links look more like the real thing.
- Brand impersonation: Microsoft, Google, Amazon — attackers recognize the trust business users place in popular brands, so they’ve gone back to basics with effective impersonations that often escape suspicion.
- Outside-the-box efforts: As ZDNet noted, cybercriminals are also thinking outside the box with threat vectors such as server-parsed HTML (SHTML) file attachments, which automatically redirect users to websites requesting financial information.
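To make the list above concrete, here is an added example (not code from the original article) of a small defender-side triage routine that flags constructed sample messages for the attack types just listed: an executive display name on an external address (office impostor), lookalike sender and link domains (brand impersonation and domain spoofing), urgent subject wording and risky attachment types such as SHTML. The internal domain, executive name, brand list and sample messages are assumptions constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed reference data (assumptions for this example, not from the article).
INTERNAL_DOMAIN = "example.com"
EXEC_NAMES = {"jane doe"}  # executives whose display names attract impersonation
BRAND_DOMAINS = {"microsoft.com", "google.com", "amazon.com"}
URGENT_WORDS = re.compile(r"\b(urgent|immediately|right now|action required|asap)\b", re.I)
RISKY_EXTENSIONS = (".shtml", ".html", ".htm", ".exe", ".js", ".vbs")
HOMOGLYPHS = str.maketrans("01", "ol")  # digits commonly swapped in for letters

def registrable(host):
    """Last two labels of a host, so docs.google.com is judged as google.com."""
    return ".".join(host.lower().split(".")[-2:])

def lookalike(host, trusted=BRAND_DOMAINS):
    """True when a domain mimics a trusted brand (homoglyphs, or brand name embedded)."""
    reg = registrable(host)
    label = reg.split(".")[0].translate(HOMOGLYPHS).replace("rn", "m")
    return bool(host) and reg not in trusted and any(t.split(".")[0] in label for t in trusted)

def phishing_indicators(msg):
    """Return the indicator names raised by one message dict (from/subject/body/attachments)."""
    flags = []
    display, addr = parseaddr(msg.get("from", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if display.strip().lower() in EXEC_NAMES and sender_domain != INTERNAL_DOMAIN:
        flags.append("office-impostor")      # executive display name, external address
    if lookalike(sender_domain):
        flags.append("brand-impersonation")  # sending domain mimics a popular brand
    if any(lookalike(h) for h in re.findall(r"https?://([^/\s]+)", msg.get("body", ""))):
        flags.append("domain-spoof-link")    # a link host mimics a trusted domain
    if URGENT_WORDS.search(msg.get("subject", "")):
        flags.append("urgent-subject")       # the pressure wording Layer 5 warns about
    if any(a.lower().endswith(RISKY_EXTENSIONS) for a in msg.get("attachments", [])):
        flags.append("risky-attachment")     # fake attachments, incl. SHTML redirects
    return flags

# Constructed sample messages: three of the attack types above and one benign mail.
SAMPLES = {
    "impostor": {"from": "Jane Doe <jane.doe@gmail-mail.net>",
                 "subject": "Urgent: wire transfer needed right now", "body": "Handle it today."},
    "brand": {"from": "Microsoft Account Team <security@micros0ft.com>",
              "subject": "Action required: verify your account",
              "body": "Sign in at http://microsoft-login-verify.com/reset"},
    "shtml": {"from": "Billing <billing@vendor.example.net>", "subject": "Your invoice",
              "attachments": ["invoice-2039.shtml"]},
    "benign": {"from": "Jane Doe <jane.doe@example.com>", "subject": "Q3 planning notes",
               "body": "Slides: https://docs.google.com/presentation/abc", "attachments": ["notes.pdf"]},
}
```

Running phishing_indicators over each entry of SAMPLES returns the flags for that message; the benign mail returns an empty list, which is the behaviour a spam layer should reserve for delivery.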
With phishing campaigns both reaching deeper into organizations and reusing surface-level tricks, layered email security is critical. Let’s look at six different layers and how each one contributes to overall infosec efforts.
Layer 0: Eliminate Spam
If you’re not sure how to secure email, start with spam.
In 2019, more than 4.7 billion phishing emails were sent every day to businesses and individuals around the world. Effective spam tools are a requirement to catch the most obvious examples before they can infiltrate local devices and potentially compromise credentials. Here, organizations need advanced detection solutions that do more than white-list common addresses. With spoofing on the rise, it’s a good idea to use multiple tools connected by a unified management framework to reduce the chances of spam getting through.
Layer 1: Seeing Is Deceiving
It’s not enough to look for an email threat as it approaches your server stack — the sheer volume and variety of phishing attempts demand threat intelligence tools capable of tracking common attack vectors, collecting relevant data and analyzing key spam behavior. This provides the foundation for layered protection that looks, listens and learns to improve overall defense.
Layer 2: The Inside Job
Internal configuration is a key component of layered email security. While many business mail servers and email solutions offer anti-spam and anti-malware detection, the increasing use of cloud-based services across multiple vendors means that misconfigured detection or reporting services could allow attacks to slip through unnoticed. Regular assessments of internal email services for potential security flaws form the second layer of our stack — when in doubt, bring in trusted cybersecurity partners to check for potential weaknesses you may have overlooked.
Layer 3: End-User Access Points
Mobile devices, laptops, tablets and even wearable devices are now connected to secure corporate networks. Add in the growing number of internet of things (IoT) devices, which are often protected by the same login/password combinations that govern business accounts or left completely unsecured behind business firewalls, and it becomes clear that deploying email solutions that target end-user devices is critical.
Although 63 percent of IT professionals now report that their overall infosec posture is stronger in 2019 than in 2018, end-user devices can still create a considerable opening for attackers, according to Dark Reading. If an organization is too confident in its new cloud security services, security information and event management (SIEM) tools and artificial intelligence (AI)-driven malware analysis, it can easily overlook the simplest phishing strategy: compromising a single device to gain large-scale network access.
Layer 4: The More You Know
Phishing attacks target the weakest link in email security: the user. Seemingly legitimate emails and urgent requests often convince staff to click links and download attachments, which can put critical assets at risk. Regular training accounts for layer four of our total security solution. Training should include refresher courses as well as occasional phishing drills to ensure that staff members opt for safety over speed.
Layer 5: Social Imperative
Email is a social network. Accordingly, it comes with social imperatives. Users tend to have a sense of entitlement around reliable email services, feel compelled to respond to urgent requests, and believe they’re better than they are at spotting big phish. That’s why we’re closing out our list with recognition of this social imperative and the importance of using targeted techniques to reduce overall risk.
Start with education around how not to draft emails — no urgent subject lines or must-do-right-now demands. Users must be given the time and space to review and report emails they deem suspicious. Security, not speed, must dominate corporate culture. Finally, new AI-driven tools can help nudge users in the right direction if they’re not sure about the legitimacy of new inbox arrivals.
Don’t get caught by phishing emails this year. Stay safe through 2020 by layering up on effective protection across your corporate controls, connections and culture.