By Jared Hrabak, Consulting Cybersecurity Engineer
It wasn’t too long ago that I recall water cooler musings about ‘email becoming a thing of the past.’ In theory, we’d be using instant communication channels such as social media direct messaging (think Twitter and Instagram DM) or chat apps like Slack and Teams. Work would be breezing by like a well-oiled machine, we’d be checking things off the to-do list like crazy, productivity would skyrocket, and average REM sleep hours would be at an all-time high (with no to-do’s looming, who wouldn’t sleep better at night?). Nirvana, yes? Well, nope.
Even internationally recognized publications like Inc. Magazine boldly published articles on the predictions of the demise of email (check out this 2015 piece, “Why Email Will Be Obsolete By 2020”). To his credit, it was a courageous OpEd piece, and like me, the author is a mere mortal: unable to predict the future. I only hope he didn’t bank his 5-year promotion plan on it.
Unfortunately for the average human, email is still a very present and necessary reality. And for many, inboxes are filled to the brim, all day, every day, like Lumbergh’s corporate coffee mug. Fortunately for hackers, that’s the best news of the century. When the pandemic forced so many additional people to work remotely, email volume increased, and so did the attacks. By some estimates, 79% of organizations were hurt by email attacks last year, 40% fell short of necessary email protections, and 13% still don’t have an email security solution at all.
Wait… whhhhaaaaaaaatt…?!?!
I previously shared plenty of other hair-raising industry facts about email security, so I won’t add more now. However, what I will add is really the focus of this post. I see many organizations that have serious cybersecurity challenges around their email (e.g., email security gateway, ‘friendly from’ fraud, and malicious URLs and attachments), and their current tools and resources aren’t even scratching the surface of what’s possible in terms of email protection. In short, they’ve got some glaring gaps.
More importantly, I’ll share what they (and you) can do about it if you think you might have gaps too… and fast.
4 Critical Features Your Email Security Tool Should Include
To my points above, email is still alive and well and is the number one most used corporate tool, making it the number one attack vector for cybercriminals. In this post, I’ll cover a few key features that your email security tool should offer, or some variation thereof, at a minimum. I’ll also cover some resources to help you evaluate your current posture on email security should you lack the necessary in-house skills or bandwidth.
1. Secure the Email Gateway with a Multi-Layer Strategy
Many email security providers offer a single-layered protection approach using anti-virus and anti-spam. While that may have been enough ten-plus years ago, today’s threats are growing more sophisticated, targeted, and dangerous by the day. The range of attack types spans from phishing and malicious URLs to impersonation and ransomware, so using more rudimentary email security tools to protect against today’s threats is like taking a twig to a laser battle.
A more robust solution for securing the email gateway should include anti-virus and anti-spam, as well as a layer of additional protections such as DNS authentication (SPF, DKIM, DMARC) to protect against sender spoofing. Other baseline features should include URL link protection, attachment protection, and impersonation protection. I’ll dive into more on each.
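As an added example (not code from the original post or any vendor), the Python sketch below audits SPF and DMARC TXT record strings for settings that leave sender spoofing unchecked. The record strings and the domain in them are constructed samples, and the function names are hypothetical.

```python
# Added example: constructed TXT record strings, not lookups of real domains.

def has_version(record, version):
    """True if the record's first token is the given version tag."""
    return record.strip().lower().split(";")[0].split()[:1] == [version]

def parse_tags(record):
    """Split a DMARC 'k=v; k=v' record into a dict of lowercase keys."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_spf(txt_records):
    spf = [r for r in txt_records if has_version(r, "v=spf1")]
    if len(spf) != 1:
        return ["SPF: expected exactly one v=spf1 record, found %d" % len(spf)]
    terms = spf[0].lower().split()[1:]
    catch_all = [t for t in terms if t.lstrip("+-~?") == "all"]
    findings = []
    if not catch_all and not any(t.startswith("redirect=") for t in terms):
        findings.append("SPF: no 'all' mechanism, unlisted senders get neutral")
    for term in catch_all:
        if term in ("all", "+all"):
            findings.append("SPF: +all authorizes any host to send as the domain")
        elif term == "?all":
            findings.append("SPF: ?all is neutral and fails nothing")
    return findings

def audit_dmarc(txt_records):
    dmarc = [r for r in txt_records if has_version(r, "v=dmarc1")]
    if len(dmarc) != 1:
        return ["DMARC: expected exactly one v=DMARC1 record, found %d" % len(dmarc)]
    tags = parse_tags(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append("DMARC: p=%s requests no action on failing mail" % (policy or "missing"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append("DMARC: pct=%s enforces on only part of failing mail" % pct)
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so no aggregate reports arrive")
    return findings

if __name__ == "__main__":
    # Constructed records for a hypothetical domain (SPF at the apex, DMARC at _dmarc).
    for line in audit_spf(["v=spf1 include:_spf.mail.example ?all"]) + \
                audit_dmarc(["v=DMARC1; p=none; pct=50"]):
        print(line)
```
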
2. URL Link Protection
You may think inspecting URLs at initial delivery is enough, but it’s simply not anymore. Hackers get around delivery-time inspection by linking to a site that is benign when the message arrives, so it passes security, and then switching it to a malicious one later. Then users from various systems and endpoint devices click away… and bam. They’re in.
A multi-step URL protection solution should not only block obvious malicious URLs at delivery, but also scan pre-click and post-click and offer on-click employee education. That means employees can get a notice from your tool on whether or not a URL link is safe before clicking. The security team can also set up URL rewrites, so each link is rewritten before anyone clicks it and every click is pushed through another security layer, and they know exactly who’s clicked on what URL. With that kind of data in hand, security teams can better analyze logs to identify trends in incidents where vulnerabilities may still exist.
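The sketch below is an added example, not part of the original post or any product's code: it rewrites links at delivery so each click lands on a gateway first, then re-checks the destination at click time and logs who clicked. The gateway URL, signing key, reputation values and function names are all constructed assumptions.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlsplit

GATEWAY = "https://click.gateway.example/r"  # hypothetical rewrite endpoint
KEY = b"constructed-demo-key"                # constructed; a real key lives in a secret store
# Match http(s) links but leave trailing sentence punctuation outside the match.
URL_RE = re.compile(r"https?://[^\s<>\"']+[^\s<>\"'.,)]")

def sign(url, recipient):
    """Bind the original URL to the recipient so neither can be altered."""
    msg = (recipient + "\n" + url).encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()

def rewrite_body(body, recipient):
    """Delivery time: point every link at the gateway, per recipient."""
    def wrap(match):
        url = match.group(0)
        return "%s?u=%s&r=%s&s=%s" % (
            GATEWAY, quote(url, safe=""), quote(recipient, safe=""),
            sign(url, recipient))
    return URL_RE.sub(wrap, body)

def handle_click(rewritten_url, verdict_now, click_log):
    """Click time: verify the token, re-check the target, record the click."""
    q = parse_qs(urlsplit(rewritten_url).query)
    url = q.get("u", [""])[0]
    recipient = q.get("r", [""])[0]
    sig = q.get("s", [""])[0]
    if not hmac.compare_digest(sig, sign(url, recipient)):
        return "reject: tampered link"
    verdict = verdict_now(url)  # fresh lookup, not the delivery-time result
    click_log.append((recipient, url, verdict))
    return "block" if verdict == "malicious" else "redirect:" + url

if __name__ == "__main__":
    # Constructed scenario: the site is clean at delivery and flagged later.
    reputation = {"https://files.example.org/invoice": "clean"}
    log = []
    body = rewrite_body("Please review https://files.example.org/invoice.",
                        "cfo@corp.example")
    link = URL_RE.findall(body)[0]
    print(handle_click(link, lambda u: reputation.get(u, "unknown"), log))
    reputation["https://files.example.org/invoice"] = "malicious"
    print(handle_click(link, lambda u: reputation.get(u, "unknown"), log))
    print(log)
```
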
3. Attachment Protection
This may sound like a ‘ho hum’ feature that’s pretty standard nowadays; however, modern attachment protection solutions are based on ‘sandboxing.’ Newer toolsets safely convert attachments into PDF documents that are ‘defanged’ in the process, removing any embedded document links.
Better still, the solution doesn’t delay the email and attachment from being delivered. Once the attachment is identified as legitimate and safe, employees can request the original file and have it scanned upon delivery if needed. For employees and security teams alike, this is a great way to save time, frustration, and money.
4. Friendly From Spoofing
So, here’s the golden nugget of the blog: “friendly from spoofing,” or impersonation. This means tricking employees by posing as a senior-level employee, often the CEO or CFO, and devising a seemingly ‘legitimate’ email with a compelling, time-sensitive request for some asset, typically credentials, data, or money.
In one case, a CEO was spoofed with a relatively well-contrived email to the CFO stating that a reasonable sum of money was needed quickly, let’s say $12k, for a down payment to secure an upcoming sales kickoff meeting venue. In another case, the CEO was spoofed in an email to marketing requesting a stock of a hundred $100 Amazon gift cards for the sales team to use as incentives in their day-to-day sales efforts.
To their credit, the hackers are improving in sophistication, and these kinds of emails are often written quite well so as not to trigger suspicion. They frequently use ‘cousin’ domains, so the ‘from’ email address looks so close to the correct one that it’s easily overlooked: e.g., www.micro-age.com, instead of www.microage.com. The identities most commonly impersonated in these ‘from’ attacks are internal executives, partners, and well-known Internet brands.
Your email security tool should offer real-time scanning of all emails for header anomalies, domain discrepancies, suspect body content, and partner and third-party exploitation. Ideally, it also gives your administrator specific controls over handling suspect emails and sets up a centralized policy management process to maintain consistency in your email security posture.
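To make the header and domain checks concrete, here is an added example (not from the original post or any product) that flags cousin domains, executive display names on external addresses, and Reply-To mismatches. The domain pair is the one quoted above; the executive names, sample messages and thresholds are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "microage.com"             # legitimate domain as named in the post
EXECUTIVES = {"jane doe", "sam lee"}    # constructed display names to protect

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(address):
    return address.rpartition("@")[2].lower()

def check_message(raw):
    """Return impersonation findings for one raw message (headers + body)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = domain_of(addr)
    findings = []
    if domain != ORG_DOMAIN:
        # Assumed threshold: two or fewer edits counts as a look-alike.
        if edit_distance(domain, ORG_DOMAIN) <= 2:
            findings.append("cousin domain: " + domain)
        if name.strip().lower() in EXECUTIVES:
            findings.append("executive display name from external domain")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain:
        findings.append("Reply-To domain differs from From domain")
    return findings

# Constructed sample: friendly name of an executive on a cousin domain.
SAMPLE = (
    'From: "Jane Doe" <jane.doe@micro-age.com>\n'
    "To: cfo@microage.com\n"
    "Subject: Venue deposit needed today\n"
    "\n"
    "Please wire the down payment this afternoon.\n"
)

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print(finding)
```
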
In the End… Well, There is No End
I’d love to finish this blog with, “Well, that’s ALL folks!” However, I simply can’t. The reality is we’re battling against evolving threats continually being re-engineered and advanced by creative, albeit dark, humans in the shadows of society. With the kind of statistics at hand about how many attacks start through email, this is a CEO issue, in my humble opinion. There needs to be a culture of security awareness that starts from the top and permeates every fiber of the company, whether you have ten employees or 10,000+.
Where to Begin with Email Security
So, what’s next? By now, you may be thinking, “Oh, my email security tool is probably enough just to send them elsewhere.” Are you willing to take that risk after everything you just read?
Certainly, that’s your prerogative, but I can’t say I’d get behind that one. My recommendation is to start with a simple assessment of your existing tool to find out where the gaps truly lie and what you can do to close them effectively and affordably. So to end on a more positive, good news note: we can help you evaluate where you stand today and where you need to be based on your existing investments and environment.
Contact us today at (800) 544-8877 about starting a ‘health check assessment,’ and we’ll help you advance the ball.
“As a Cybersecurity Engineer, Jared partners with clients to help them identify product solutions that match their cybersecurity governance, risk and compliance objectives. He enjoys educating and advocating for a successful cybersecurity practice by focusing on client success. Jared brings a wealth of experience in content filtering, cybersecurity operations, and military service to help put clients on the path to success.”
Jared Hrabak, Consulting Cybersecurity Engineer