Malicious emails are an increasing challenge faced by organisations all over the world. According to research from US telecoms giant Verizon, email was the primary delivery method for 94% of malware in 2019, while statistics from UK-based software firm Egress found that 83% of organisations have been affected by email data breaches.
As email security threats continue to grow, it is clear that businesses must take urgent action against this problem. But how can they do this, exactly? With human error causing 24% of email data breaches, some experts argue that the best way to tackle email security challenges is through user awareness training and personal responsibility.
Other experts, however, believe chief information security officers (CISOs) should address email security first and foremost by using technological solutions. So, ultimately, does email security require a human solution or a technology solution?
Mitigating email security threats
While email is one of the most common communication tools used by employees in the modern workplace, it is also the largest attack vector. Cyber criminals are increasingly distributing phishing emails that contain malicious links and attachments.
Employees should exercise safe computing practices to counter growing email security threats, but senior IT managers are ultimately responsible for email security, says Kevin Curran, IEEE senior member and professor of cyber security at Ulster University.
He says IT teams must have a holistic understanding of and approach to enterprise cyber security, view it as an organisation-wide risk issue, and recognise the legal and regulatory challenges of cyber security threats affecting the business. They should subsequently identify threats to avoid, accept and mitigate before developing specific plans for tackling each case.
Kevin Curran, Ulster University
With employees often oblivious to the security threats emails can pose, they can easily fall victim to cyber crime as a result. To make staff aware of email security issues, IT departments should provide appropriate cyber security training and education. For example, they could offer email best practices and explain the danger of clicking links in emails, says Curran.
He also suggests a popular technique where security teams send employees emails containing fake malware that, when opened, bring them to a website saying they made a mistake and explaining the dangers of their actions. He urges: “Education is crucial.”
Although user awareness is vital, many technical measures also allow businesses to mitigate the threat of malicious emails. One of them, according to Curran, is authenticating incoming emails. He says businesses can mitigate spear phishing campaigns and other attacks originating from spoofed emails through the implementation of methods such as a Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain Message Authentication Reporting and Conformance (DMARC).
What makes these solutions particularly effective is that they can verify the IP addresses and domains of the original email servers, says Curran. But he points out that many businesses do not adopt these standards, even though they offer many benefits. Curran adds that businesses should also utilise firewalls, active attachment scanning and web filtering, alongside intrusion detection systems and anti-malware solutions, to crack down on email security threats.
Furthermore, he recommends that businesses restrict user privileges because malware execution is reliant on these, and enable ad-blocking as ransomware is usually distributed on malicious websites.
“Overall, people have to be responsible and alert, but organisations need to have sufficient defences and training in place to ensure email is not the attack vector used,” says Curran.
People are crucial
Humans are the first and most effective line of defence against cyber attacks, according to Tristan Morgan, director of global consultancy and cyber at BT Security.
“Even with the best technology and protections in place, an organisation is only ever as secure as its weakest link, and seemingly insignificant actions like clicking the wrong link can – and regularly do – undermine cyber security systems,” he says.
“It is estimated that one in every 2,000 emails is a phishing attack, and it only takes one attack to be successful for a major cyber incident to unfold.”
Given that more people are working remotely during the coronavirus pandemic, email-based security risks have grown exponentially over the past year. Morgan argues that the best way to tackle this problem is by creating a workplace culture where every employee feels responsible for security.
Tristan Morgan, BT Security
At BT, we have an offensive security team that regularly stress-tests all aspects of our security, including not just cyber, but also physical security and social engineering,” he says.
“This team works to identify the full range of risks and vulnerabilities to our business, allowing us to tailor our strategy and employee training accordingly to meet the changing nature of threats and improve areas where security is found lacking.”
He says businesses must get everyone to buy into the importance of cyber security on an individual level. “Our recent research showed that 45% of employees who suffered a security incident at work did not report it – either because they didn’t know how, or because they chose not to,” explains Morgan.
“This is a huge issue that costs security teams vital response time and mitigation opportunities. We believe that while it is important to train and educate employees to equip them with the tools and awareness to manage cyber threats, it is building advocacy and a sense of personal responsibility towards managing cyber threats among employees that really makes a change to a business’s security.”
A multilayer strategy
Multilayer approaches that rely on both user awareness and technology can also help businesses fight email-based cyber crime. Matthias Maier, security evangelist at Splunk, says such strategies should consist of three levels.
The first of these levels is prevention, where IT security teams use out-of-the-box configuration technology for blocking most phishing emails. The second layer increases human intervention by making users aware of email security risks. That way, employees will be equipped to detect threats that slipped through the prevention stage.
The third layer is the improvement loop stage, where the security operations centre (SOC) analyses email security threats faced by employees to improve the technology layer and use automation to prevent the same issues from happening again.
“Key to the effectiveness of an SOC is that loop between prevention, human intervention and overall improvement. This cycle is what a security operations team typically covers and its efficiency can be dramatically increased with the automation that a SOAR [intelligence, automation, orchestration and response] platform provides to an SOC,” says Maier.
But he warns that technology is only effective when employees perform standard cyber security hygiene, such as flagging suspicious emails they receive. “An organisation needs to ensure it has the right technology, correct security culture among employees and crucially the right people in its SOC who can interpret and act on data to ensure a balanced approach to security,” says Maier.
Boris Cipot, Synopsys
Boris Cipot, senior security engineer at Synopsys, agrees that the best email security strategies comprise both user education and technology-based solutions. “Education is needed for employees to be aware of the risks and dangers that can come from an email. However, we are already way past a simple recognition of phishing attacks,” he says.
“Most phishing emails have become so incredibly sophisticated that it is no longer a case of spotting misspellings or badly written text. A technical solution needs to be deployed to help employees with their decision-making process and education will help them to accept the technical solution as well as any restrictions introduced.”
Nicola Whiting, chief strategy officer at Titania, says organisations can only create robust email systems that are resilient to attack when they focus on both the technology underpinning them and the people using them.
“There are a plethora of solutions that will increase your technical resilience, including encryption, email verification systems such as DMARC, mail and attachment filtering against known threats, and configuring firewalls and other systems to reduce the risk of database exfiltration – especially of information that would result in breaches of privacy legislation such as GDPR [General Data Protection Regulation] or proprietary information that would cause your organisation serious loss,” she says.
Because humans rely on email systems daily, they are an attractive target for cyber criminals. And the best way businesses can make staff aware of this issue is through cyber security training, argues Whiting.
“Email is designed as a communication tool and so, by its very nature, humans are built into your system. They are a wide-ranging access point, and like any access point are vulnerable to exploitation,” she says.
“To reduce that risk involves increasing resilience, through awareness and security training, positive reinforcement of good practice and sharing outcomes, so that everyone is part of the solution, not the problem,” adds Whiting. “Enlightened CISOs realise that humans are not the weakest link, far from it – they have the capability and capacity to provide robust human layer security – provided it’s realised that regular updates to your human firewalls are essential to your (and their) success.”
Increasingly, cyber criminals are using email as their attack vector of choice. With this in mind, businesses must urgently take steps to mitigate growing email security threats. While there is no clear-cut solution to email security, educating staff on the security challenges of emails and using a range of technological solutions can make a big difference.
Does email security need a human solution or a tech solution?