Rethinking E-mail Security
By Karthik Devarajan, Director of IT, Maryland Legal Aid
E-mail is still the top choice for workplace communication in organizations of every size, with an average office worker sending and receiving 121 e-mails per day (Smith, 2018). It is therefore no surprise that e-mail remains the most exploited attack vector in an organization. Businesses invest heavily in protecting the e-mail gateway, since stopping a malicious message at that point keeps the end user from ever having the chance to click a malicious link or open a rogue attachment. Many organizations stop there. While gateway defense is important, it is only one piece of the e-mail security ecosystem. A foolproof defense against e-mail attacks may remain out of reach, but by thinking beyond the gateway and approaching e-mail security holistically, organizations can reduce both internal and external e-mail threats.
Resilience is an often forgotten or ignored subject in e-mail security, especially with the wider adoption of Office 365 and G Suite. Organizations now have no control over uptime and must rely on Microsoft or Google for business continuity. The common reasoning among IT decision makers was to get out of the business of running and maintaining e-mail servers, but the downside of that decision is uncertainty about service availability during an outage. In the past couple of years we have seen multiple Office 365 and G Suite outages that left organizations unable to send or receive e-mail. Even with an on-premises e-mail server, an e-mail continuity service should be part of the security plan. Beyond connectivity, the resiliency plan should also include backups of the e-mail itself. There are numerous ways a user can lose e-mail data: ransomware that encrypts it, accidental deletion, employees with malicious intent, and so on. Office 365, G Suite and even on-premises Exchange have built-in retention and recovery features, but they have serious limitations when dealing with large amounts of data, for example restoring an entire folder or a whole mailbox to a known-good point in time.
"E-mail protection should not be just restricted to securing the e-mail gateway or having an anti-spam / anti-virus solution"
In recent years, cyber-attacks delivered via e-mail have become more sophisticated, with criminals finding creative ways to bypass both technical and human controls. They constantly change their methods and avenues of attack, making detection difficult and making it easy for a user to give up something valuable. Attackers now target people at every level of the organization, as well as its customers and partners. Simply visiting a poisoned site can be enough to cause havoc, not only on the user's computer but also on the network shares tied to that user's account. These attacks typically arrive as fraudulent e-mails that appear to come from a legitimate sender, for example a spoofed e-mail from the CEO to the CFO requesting a funds transfer; the sender may be faked outright, or the attacker may register a look-alike domain (a typosquatting domain such as one with a digit swapped for a letter) so the address survives a casual glance. These attacks and their variants have to be viewed in a broader sense: even an attack on a single user can be the gateway to organization-level attacks such as domain spoofing, look-alike domain spoofing and data leakage. Despite training and education there will always be users who click on a bad link. It is therefore important to have controls that can find and stop imposter messages, automatically analyze content and URLs, and keep sensitive information within the confines of the organization when something does go wrong.
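As an added example (not the author's or Maryland Legal Aid's tooling, and not part of the original article), the following Python script implements the kind of imposter checks described above for an inbound message: a protected person's display name on a foreign address, a look-alike of the organization's own domain (homoglyph substitutions and small edits), a Reply-To that diverts replies elsewhere, and mail claiming an internal sender without a DMARC pass. The organization domain `example-legalaid.org`, the protected-names table and the three sample messages are all constructed for the demonstration.

```python
"""Imposter-message checks for inbound mail: display-name impersonation,
look-alike sender domains, mismatched Reply-To, and a missing DMARC pass.
Example code added to this article; not the author's or the organization's tooling.
The organization domain, the protected-names table and the messages are constructed."""
import email
from email import policy
from email.utils import parseaddr

# Assumed: the protected organization's domain and the people most often impersonated.
ORG_DOMAIN = "example-legalaid.org"
PROTECTED_NAMES = {"jane doe": "jdoe@example-legalaid.org"}  # constructed

# Characters attackers swap for visually similar ones when registering look-alike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "9": "g"})
MULTI = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def _skeleton(domain: str) -> str:
    """Normalize a domain so homoglyph substitutions collapse onto the real letters."""
    d = domain.lower().translate(CONFUSABLES)
    for bad, good in MULTI:
        d = d.replace(bad, good)
    return d


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; short enough to keep the example self-contained."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True when domain imitates ORG_DOMAIN: homoglyph variant, the real domain used as a
    subdomain of something else, or a variant within two edits. Real subdomains are not flagged."""
    domain = domain.lower()
    if domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN):
        return False
    if _skeleton(domain) == _skeleton(ORG_DOMAIN):
        return True
    if domain.startswith(ORG_DOMAIN + ".") or ("." + ORG_DOMAIN + ".") in domain:
        return True
    return _edit_distance(domain, ORG_DOMAIN) <= 2


def check_message(raw: bytes) -> list[str]:
    """Return the imposter indicators found in one raw RFC 5322 message (empty list if clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()

    # 1. A protected person's name on an address that is not theirs.
    expected = PROTECTED_NAMES.get(display.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display-name impersonation: '{display}' sent from {addr}")

    # 2. Look-alike of the organization's own domain.
    if is_lookalike(from_domain):
        findings.append(f"lookalike sender domain: {from_domain}")

    # 3. Reply-To pointing somewhere other than the From domain.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain mismatch: {reply_domain} != {from_domain}")

    # 4. Mail claiming our own domain as sender without a DMARC pass recorded by the gateway.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if from_domain == ORG_DOMAIN and "dmarc=pass" not in auth:
        findings.append("internal sender without dmarc=pass")
    return findings


# Constructed sample messages (not real traffic).
SPOOFED_CEO = b"""From: Jane Doe <jane.doe@gmail.example>
Reply-To: Jane Doe <ceo.urgent@mail-forward.example>
To: cfo@example-legalaid.org
Subject: Wire needed today

Please process the attached transfer before 3pm.
"""

LOOKALIKE = b"""From: IT Helpdesk <helpdesk@examp1e-legalaid.org>
To: staff@example-legalaid.org
Subject: Password expiry

Sign in to keep your mailbox active.
"""

LEGIT = b"""From: Jane Doe <jdoe@example-legalaid.org>
To: cfo@example-legalaid.org
Authentication-Results: mx.example-legalaid.org; spf=pass; dkim=pass; dmarc=pass
Subject: Board packet

See attached.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed CEO", SPOOFED_CEO), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(label, "->", check_message(raw) or "clean")
```

The spoofed CEO message trips two indicators (display-name impersonation and a diverted Reply-To), the look-alike message is caught by the homoglyph skeleton (`examp1e` normalizes to `example`), and the legitimate internal message passes because its address matches the protected entry and the gateway recorded `dmarc=pass`. In production these checks would sit behind the gateway's SPF/DKIM/DMARC evaluation rather than replace it.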
In addition to investing in security technology, organizations should extend that investment to training and educating users, creating a more security-conscious environment. With today's mobile workforce having access to e-mail at any time and from any place, the likelihood of an end user being exposed to a questionable e-mail is high. Cyber criminals have realized that tricking people yields better results than defeating technology. Educating the workforce reduces the human error that lies behind many data and security breaches. Training should not be just a check-box exercise for compliance purposes; it should build awareness of "everything security" within the organization, including sound security practices, the actions to take when exposed to a security risk, and simulated phishing attacks. Training can be made more appealing by incentivizing participation and rewarding good behavior. When a user clicks a phishing link during a simulation, rather than shaming them, make them feel like part of a rigorous set of internal security controls. Once that level of acceptance and awareness is achieved, end users become a solid line of defense against e-mail breaches and a critical component of e-mail security: the human firewall.
To summarize, e-mail protection should not be restricted to securing the e-mail gateway or deploying an anti-spam/anti-virus solution. Protection should be layered, with each layer acting as a safety net when the one before it fails. If history is any indication, the volume of e-mail attacks will only go up and their sophistication will only rise. An organization can face these discouraging trends only by adopting a comprehensive security approach that includes resiliency, fraud protection and a human firewall.