Email is a key area of vulnerability for phishing and ransomware attacks, yet email is central to productivity. In part two of our cybersecurity series, we’re looking at both the technology and the human aspects of email security, and how companies can shore up this potential weakness.
Email is frequently at the root of a security breach – users may click on a link or an attachment in a phishing email that has bypassed security filters, and that’s the first step towards trouble. The attachment may execute a piece of malicious code, or the link may lead them to a spoofed website that looks genuine, but where any sensitive information they enter can be used by attackers to penetrate further into the company’s network.
Introducing cloud security for email
The good news is that with the emergence of cloud-based security platforms, improved email security is within reach. As companies have moved to hosted services for productivity applications, such as Office 365, security controls have also migrated to the cloud. This means many potential attacks can be caught early, as email can be routed first to a third-party security service, where any incoming attachments or embedded links can be automatically probed to see whether they pose a risk. This allows the majority of problems to be intercepted before they reach someone’s inbox.
These security controls need to be complemented by good IT practice, however. Companies need to get the basics right, like ensuring their DNS settings and other configurations are secure, so attackers can’t send fake emails that appear to originate from the company. This sounds obvious, but in our experience most security attacks take advantage of the fact that companies have overlooked the basics.
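The DNS settings that stop a company's own domain being spoofed are its SPF and DMARC TXT records. As an added illustration that is not part of the original article, the following Python evaluates such records offline (the records, the `example.invalid` reporting address and the Office 365 `include:` are constructed for a hypothetical domain) and reports the weaknesses a receiving mail server would act on:

```python
"""Offline check of the SPF and DMARC TXT records that stop attackers from sending
mail that appears to come from the company's own domain. Added example; the records
are constructed for a hypothetical domain, not taken from a real one."""

# Constructed DNS TXT records: the weak pair and the corrected pair.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid; adkim=s; aspf=s"

def spf_all_qualifier(record):
    """Qualifier on the terminating 'all' mechanism ('-', '~', '?' or '+');
    None when there is no 'all' term or the record is not SPF."""
    if not record.lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        if term.lower().lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return None

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; {} if it is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}

def assess_spoofing_posture(spf_record, dmarc_record):
    """Findings about the two records; an empty list means the basics are in place."""
    findings = []
    qualifier = spf_all_qualifier(spf_record)
    if qualifier is None:
        findings.append("SPF: no 'all' mechanism, so unlisted senders are not rejected")
    elif qualifier in "+?":
        findings.append(f"SPF: '{qualifier}all' lets any host pass")
    elif qualifier == "~":
        findings.append("SPF: '~all' only soft-fails spoofed mail; many receivers still deliver it")
    dmarc = parse_dmarc(dmarc_record)
    policy = dmarc.get("p", "").lower()
    if not dmarc:
        findings.append("DMARC: record missing or malformed")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: unknown policy '{policy}'")
    if dmarc and "rua" not in dmarc:
        findings.append("DMARC: no rua= address, so no aggregate reports of spoofing attempts")
    return findings
```

Running `assess_spoofing_posture` on the weak pair reports the soft-fail SPF and the monitor-only DMARC policy; the corrected pair returns no findings.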
The move toward Data Loss Prevention for email security
The cybersecurity landscape continues to evolve, and an important change for leadership teams to educate themselves on is Data Loss Prevention (DLP). This discipline covers many areas, but in this context it provides intelligent protection for outgoing email: sensitive information included in a message, e.g. a credit card or PPS number, is automatically detected and can either be blocked or access-controlled. A related data classification and Information Protection control can also enforce permissions that follow the information after it has left the company.
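The detection step described above works by matching candidate values and then confirming them with their checksums, so that ordinary reference numbers do not trigger a block. The following Python is an added example (not a DLP product's own rules, and the message body is constructed); it uses the Luhn check for card numbers and the Irish PPS number check, assuming the current PPS format with an optional second letter A or H:

```python
"""DLP-style content inspection of an outgoing message: candidate card numbers and
Irish PPS numbers are found by pattern, then confirmed with their checksums so that
ordinary reference numbers do not trigger a block. Added example, not a product's
rules; the message body is constructed."""
import re

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")      # 14-19 digits, spaces/dashes allowed
PPS_RE = re.compile(r"\b\d{7}[A-W][AH]?\b")            # 7 digits, check letter, optional A/H

def luhn_valid(digits):
    """Luhn mod-10 check that payment card numbers must pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def pps_valid(pps):
    """PPS check: digits weighted 8..2, optional second letter (A=1..H=8) weighted 9,
    sum mod 23 selects the check letter (0=W, 1=A ... 22=V)."""
    digits, check, second = pps[:7], pps[7], pps[8:]
    total = sum(int(d) * w for d, w in zip(digits, range(8, 1, -1)))
    if second:
        total += 9 * (ord(second) - ord("A") + 1)
    return "WABCDEFGHIJKLMNOPQRSTUV"[total % 23] == check

def scan_outbound(body):
    """Return (kind, value) findings that a DLP policy would block or access-control."""
    findings = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(("card", digits))
    for m in PPS_RE.finditer(body):
        if pps_valid(m.group()):
            findings.append(("pps", m.group()))
    return findings

# Constructed outgoing message: one card number whose Luhn check passes, one mistyped
# card that fails, one valid PPS number and one string that only looks like one.
SAMPLE_BODY = """Hi, please bill card 4111 1111 1111 1111 (not 4111 1111 1111 1112).
Employee PPS 1234567FA is confirmed; the earlier reference 1234567BA was a typo."""

if __name__ == "__main__":
    for kind, value in scan_outbound(SAMPLE_BODY):
        print(f"{kind}: {value}")   # card: 4111111111111111 / pps: 1234567FA
```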
For instance, Information Protection logic can be applied to business documents so that they can be emailed, and the recipient can open them, but they can’t be forwarded or printed. Or, an outgoing document can be given time-limited access, so that recipients can only view it for a week, after which it will become inaccessible.
DLP systems like these also have the advantage of protecting users from their own mistakes, like sending an email to an external contact instead of a colleague, because their email address was similar to the correct recipient’s. DLP security could prevent the receiver from opening the attachment, minimising the damage and potential GDPR problems that might otherwise be caused.
For DLP systems like these to function, however, the company must have already classified business documents so that access permissions can be applied and enforced. We always recommend that companies take a broad, not over-specific approach: simply classifying document types as Secret, Company Confidential or Public is enough to get started with a data classification system.
The weakest link
Email poses quite a complex security challenge, with both technological and human components. The best email security in the world is not sufficient without good security awareness among employees. And even the most experienced users can be fooled, for example, by an urgent-sounding email which has been well-crafted and spoofed due to poor security controls.
Common examples are emails that appear to come from Payroll, timed to arrive just before payday, asking the recipient to confirm their banking details before the month’s wages are paid; or emails spoofed from suppliers asking to change the bank account details used for payments.
For companies that are serious about taking a more strategic approach to cybersecurity protection, we always recommend an active user education programme, with periodic email tests of employees to see if they click on links or attachments in a sample malicious email. Afterwards, follow up with information that helps them spot the warning signs they may have missed in the email.
Results prove that periodic email testing of employees works. We’ve seen cases where 75% of employees click the first suspicious email test, and in subsequent months those numbers fall to just 10%. That’s not perfect, but it’s excellent progress in tackling the weakest link – which, in cybersecurity, will always be human.
Some of the best education programmes gamify the process, rather than berating employees who get it wrong. Remember that effective, company-wide cybersecurity needs everyone to pull together. That means you need to win hearts and minds, not name and shame.
Find out more about Evros managed security services here.