Understanding and implementing email security best practices has never been more important, but enterprises around the globe are still struggling.

Despite its age and pervasive use, email is still one of the top attack vectors when it comes to security breaches. According to a 2017 report, email was the main entry point in 96 percent of cases involving human error that led to a security incident, and 49 percent of malware was installed via email.

This data from Verizon’s “2018 Data Breach Investigations Report” suggests that phishing is still a very effective way to lure users. According to the report, an organization only has 16 minutes until the first click on a phishing campaign. Unfortunately, the first report from a user who recognizes the scam email will only be reported after 28 minutes.

Listen to this podcast to learn how to fight the spear phishing plague

Know the Offense

Matthew Gardiner of email management firm Mimecast noted that “the state of email security is still quote poor” and argued that human error contributes to these security gaps.

“It’s such a difficult area to defend,” he said. “In most organizations, they don’t have the sophisticated controls to defend, so they are dependent on people to do the right thing.”

But depending on users often doesn’t work. Too many malicious emails are still getting through corporate defenses and being served up to end users at a dangerous rate. They don’t always intend to do harm, but end users are still the main cause of breaches. According to the “IBM X-Force Threat Intelligence Index,” 12 percent of attack activity researchers monitored in 2017 were the result of attackers attempting to exploit inadvertent insider weaknesses.

“Email continues to be the obvious target of choice for both low-skilled and high-skilled threat actors,” said Gardiner. “It’s a good return on their investment. Companies can’t turn it off, so of course that leaves it open for attacks.”

How do criminals use email to attack an organization? Let’s take a closer look at some of the most common email security threats outlined in the X-Force report.

Malicious Links

A malicious link in an email directs the recipient to a site where his or her credentials will be harvested. Users think they are on a safe site and are usually responding to an inquiry for information (e.g., “click here to verify your information”). Criminals can gain access to corporate networks or other sensitive information once they have key information from unsuspecting users.

Dropping Malware

If a message contains a malicious attachment, simply opening the file can infect the user’s machine with malware, such as ransomware or keylogging software. Users are usually fooled by being asked to open an attachment that claims to contain financial information, such as an invoice or a bill. This is a very effective technique in business environments.

Business Email Compromise

Business email compromise (BEC) has steadily increased in recent years. Also known as whaling, it involves an attacker who impersonates a high-level executive and tries to trick an employee or customer into transferring money or sensitive data. According to the Internet Crime Complaint Center (IC3)’s “2017 Internet Crime Report,” BEC and email account compromise (EAC) generated the greatest losses, costing victims more than $676 million.

Download the complete 2018 IBM X-Force Threat Intelligence Index

Evaluate Email Security Best Practices and Vulnerabilities

One way to assess your current defense strategy is to start with a phishing simulation, advised Gardiner. Have your security teams craft a mock phishing email and send it out to users. Analyzing the results can be a good first step toward evaluating the level of education and awareness among your organization.

Gardiner also advised organizations to conduct a more technical assessment of their inbound and outbound email to determine how many malicious messages are getting through corporate servers on a daily basis and ensure that sensitive information is not shared with outside parties. Penetration testers can create a more targeted attack simulation using email and give feedback on where weaknesses exist — both human and technical — and how they were able to access sensitive information.

Once security managers have a picture of the state of email security, the next step is to develop a strategy for shoring up defenses.

Consider Managed Security Services

Managed security services (MSS) deliver dedicated expertise to help you address your email security needs, evaluate how your current strategy and platform is performing, and make recommendations about upgrading both software and hardware. A managed email security service provider can offer general guidance and help you set up a solution that integrates spam detection and filtering, antivirus and antispyware, scanning for viruses and worms in messages and attachments, and outbound email encryption. Typically offered through a subscription model, these services are often flexible enough to allow on-site administrators to set up policies and controls that address their organization’s unique needs.

Invest in Awareness Training

Because email is still so pervasive in business communication, it is critical to ensure that users can recognize the red flags in a phishing email and know what to do should they be targeted.

A comprehensive awareness program should educate end users about malicious attachments, dangerous links, common email scams and the techniques used in a spear phishing campaign. Seek out an awareness provider that can tailor training to your organization’s individual risk profile. Keep in mind that the kind of spear phishing techniques threat actors use to target employees working in a financial services firm will be different from those used to target end users in a healthcare clinic.

There are many options and multiple vendors out there that offer awareness training programs for business. Be sure to choose a training strategy that is both appropriate and engaging for your organization.

Take a Layered Approach to Email Security

Perimeter protection, scanning emails and awareness training are individual strategies that are much more effective when used together. The goal of a layered approach to email security is to build a diverse set of defenses. That way, if one line is breached, you can rely on another one as backup.

A layered approach to email security requires a mix of both technology and education. These layers might include mail scanning, perimeter protection served up through a firewall, internal protection such as antispam technology, intelligence reports to stay on top of the latest threats and awareness education so employees can serve as the final line of defense.

Despite all of the other types of messaging platforms available for communication now, email is not going away anytime soon. As long as business use email, criminals will leverage it as an attack vector. Evaluating your email security is critical for a solid, holistic approach to defending against breaches.