Email security remains a top priority in 2019 as organizations continue to face the threat of costly email compromise. The email attack surface is also expanding. Despite growing use of cloud-based collaboration tools and SMS for business, email remains the most common method for exchanging corporate information, with 74 percent of survey respondents choosing email as their preferred method of communication, according to a SendGrid study.

So it’s no surprise that phishing and spam still take the top spot for overall malware delivery. As Business 2 Community noted, 92 percent of malware is delivered via email. As a result, layered email security remains the best way to protect critical assets and reduce the risk of compromise — but this isn’t a static solution. Evolving attack methods and changing email use cases demand dynamic, multi-level defenses capable of identifying threats as they arrive, eliminating them in real time and remediating any damage they cause.

Here’s what you need to know about layering up security to limit email risk as we move into the new year.

What Is Layered Email Security?

Layers limit risk. This is the case for both email security and physical asset protection, as the more layers there are, the harder attackers have to work. Consider an office building. While break-in alarms can alert an organization if windows are smashed or doors are kicked down, they’re also necessarily reactive. But if you add in security cameras, motion sensors, two-way communications and secure areas with separate locking systems, burglars won’t get far.

Similarly, security best practices such as two-factor authentication (2FA) and location-based user identification can help limit the risk of compromise, but these single layers — no matter how deep or wide — offer finite protection. Layered approaches, meanwhile, frustrate malicious actors in different ways at every step of the security process.

Phishing Attacks: New Methods, Classic Pitfalls

While 2017 saw a sharp decline in the overall number of phishing attacks, this trend was short-lived. As HackRead noted, phishing attacks were up 250 percent through 2018, and while some of these shiny hooks included brand-new attack methods, Help Net Security reported that golden oldies like brand impersonation are also making a comeback.

Some of the most popular phishing attack types this year have included:

  • Fake attachments: If it looks too good to be true, don’t click it. From fake invoices to video files and special offers, attackers often use fake attachments to bypass security measures.
  • Credential hooks: Seemingly legitimate credential concerns are often used in business email compromise (BEC) attempts. Users believe their corporate or personal accounts have been hijacked and enter login data at attacker-created links, exposing their credentials.
  • Office impostors: Threat actors have gotten better at writing convincing emails that sound like they’re coming from the CEO, CFO or direct office supervisors. With social engineering now underpinning 97 percent of all malware attacks, according to Business 2 Community, office impostors are increasingly problematic.
  • Domain spoofing: If links appear to be from legitimate domains, recipients are more likely to click through. Attackers are now lifting webpage graphics, text and fonts so fake links look more like the real thing.
  • Brand impersonation: Microsoft, Google, Amazon: attackers recognize the trust placed in many popular brands by business users, and so they’ve gone back to basics with effective impersonations that often elude suspicion.
  • Outside-the-box efforts: As ZDNet noted, cybercriminals are also thinking outside the box with threat vectors such as server-parsed HTML (SHTML) file attachments that automatically direct users to websites requesting financial information.

With the phishing pool digging deeper and leveraging surface-level techniques, layered email security is critical. Let’s dive into the effects of six different layers on overall infosec efforts.

Layer 0: Eliminate Spam

If you’re not sure how to secure email, start with spam.

In 2019, more than 4.7 billion phishing emails were sent every day to businesses and individuals around the world. Effective spam tools are a requirement to catch the most obvious examples before they can infiltrate local devices and potentially compromise credentials. Here, organizations need advanced detection solutions that do more than white-list common addresses. With spoofing on the rise, it’s a good idea to use multiple tools connected by a unified management framework to reduce the chances of spam getting through.

Layer 1: Seeing Is Deceiving

It’s not enough to look for an email threat as it approaches your server stack — the sheer volume and variety of phishing attempts demand threat intelligence tools capable of tracking common attack vectors, collecting relevant data and analyzing key spam behavior. This provides the foundation for layered protection that looks, listens and learns to improve overall defense.

Layer 2: The Inside Job

Internal configuration is a key component of layered email security. While many business mail servers and email solutions offer anti-spam and anti-malware detection, the increasing use of cloud-based services across multiple vendors means that misconfigured detection or reporting services could allow attacks to slip through unnoticed. Regular assessments of internal email services for potential security flaws form the second layer of our stack — when in doubt, bring in trusted cybersecurity partners to check for potential weaknesses you may have overlooked.

Layer 3: End-User Access Points

Mobile devices, laptops, tablets and even wearable devices are now connected to secure corporate networks. Add in the growing number of internet of things (IoT) devices, which are often protected by the same login/password combinations that govern business accounts or left completely unsecured behind business firewalls, and it becomes clear that deploying email solutions that target end-user devices is critical.

Although 63 percent of IT professionals now report that their overall infosec posture is stronger in 2019 than in 2018, end-user devices can still create a considerable opening for attackers, according to Dark Reading. If an organization is too confident in its new cloud security services, security information and event management (SIEM) tools and artificial intelligence (AI)-driven malware analysis, it can be easy to overlook the simplest phishing strategy: compromising a single device for large-scale network access.

Layer 4: The More You Know

Phishing attacks target the weakest link in email security, the user. Seemingly legit emails and urgent requests often convince staff to click on links and download attachments, which can put critical assets at risk. Regular training can account for layer four of our total security solution. Training should include refresher courses as well as occasional phishing attack drills to ensure that staff members are opting for safety over speed.

Layer 5: Social Imperative

Email is a social network. Accordingly, it comes with social imperatives. Users tend to have a sense of entitlement around reliable email services, feel compelled to respond to urgent requests, and believe they’re better than they are at spotting big phish. That’s why we’re closing out our list with recognition of this social imperative and the importance of using targeted techniques to reduce overall risk.

Start with education around how not to draft emails — no urgent subject lines or must-do-right-now demands. Users must be given the time and space to review and report emails they deem suspicious. Security, not speed, must dominate corporate culture. Finally, new AI-driven tools can help nudge users in the right direction if they’re not sure about the legitimacy of new inbox arrivals.

Don’t get caught by phishing emails this year. Stay safe through 2020 by layering up on effective protection across your corporate controls, connections and culture.
