Why Email Security is a CEO Issue & How to Close the Gaps
By Jared Hrabak, Consulting Cybersecurity Engineer, cStor
It wasn’t too long ago when I recall water cooler musings about ‘email becoming a thing of the past.’ In theory, we’d be using instant communication channels such as social media direct messaging (think Twitter and Instagram DM) or chat apps like Slack and Teams. Work would be breezing by like a well-oiled machine, we’d be checking things off the to-do list like crazy, productivity would skyrocket, and average REM sleep hours would be at an all-time high (with no to-do’s looming, who wouldn’t sleep better at night)? Nirvana, yes? Well, nope.
Even internationally recognized publications like Inc. Magazine boldly published articles on the predictions of the demise of email (check out this 2015 piece, “Why Email Will Be Obsolete By 2020”). To his credit, it was a courageous OpEd piece, and like me, the author is a mere mortal: unable to predict the future. I only hope he didn’t bank his 5-year promotion plan on it.
Unfortunately for the average human, email is still a very present and necessary reality. And for many, inboxes are filled to the brim, all day, every day like Lumberg’s corporate coffee mug. Fortunately for hackers, that’s the best news of the century. With COVID forcing so many additional people to work remotely, email volume increased, and so did the attacks. By some estimates, 79% of organizations were hurt by email attacks in 2020, 40% fall short of necessary email protections, and 13% still don’t have an email security solution at all.
I shared plenty of other hair-raising industry facts in another blog about why you should never take a ‘good enough’ approach to email security (also worth a read), so I won’t add more now. However, what I will add is really the focus in this post. I see many organizations that have serious cybersecurity challenges around their email (e.g. email security gateway, ‘friendly from’ fraud, and malicious URLs and attachments, etc.), and their current tools and resources aren’t even scratching the surface on what’s possible in terms of email protection. In short, they’ve got some glaring gaps.
More importantly, I’ll share what they (and you) can do about it if you think you might have gaps too… and fast.
4 Critical Features Your Email Security Tool Should Include
To my points above, email is still alive and well and is the number one most used corporate tool, which also makes it the number one attack vector for cybercriminals. In this post, I’ll cover a few key features that your email security tool should offer or some variation thereof at a minimum. I’ll also cover some resources to help you evaluate your current posture on email security should you lack the necessary in-house skills or bandwidth.
1. Secure the Email Gateway with a Multi-Layer Strategy
Many email security providers offer a single-layered protection approach using anti-virus and anti-spam. While that may have been enough ten-plus years ago, today’s threats are growing more sophisticated, targeted and dangerous by the day. The range of attack types spans from phishing and malicious URLs to impersonation and ransomware, so using more rudimentary email security tools to protect against today’s threats is like taking a twig to a laser battle.
A more robust solution for securing the email gateway should include anti-virus and anti-spam, as well as a layer of additional protections such as DNS authentication (SPF, DKIM, DMARC) to protect against sender spoofing. Other baseline features should include URL link protection, attachment protection and impersonation protection. I’ll dive into more on each.
2. URL Link Protection
You may think inspecting URLs at initial delivery is enough, but it’s simply not anymore. Hackers bypass this by offering a benign site that bypasses security and then changes to a malicious one later. Then users from a variety of systems and endpoint devices are clicking away… and bam. They’re in.
A multi-step URL protection solution not only blocks obvious malicious URLs at delivery, but it should also scan pre-click and post-click as well as offer on-click employee education. That means employees can get a notice from your tool on whether or not a URL link was safe before clicking. The security team can also set up URL rewrites and know exactly who’s clicked on what URL, then rewrite the URL before a click to push it through another security layer. With that kind of data in hand, security teams can better analyze logs to identify trends in incidents where vulnerabilities may still exist.
3. Attachment Protection
This may sound like a ‘ho hum’ feature that’s pretty standard these days; however, modern attachment protection solutions are based on ‘sandboxing.’ Newer toolsets safely convert attachments into PDF documents that are ‘defanged’ in the process, removing any embedded document links.
Better still, the solution doesn’t delay the email and attachment from being delivered. Once identified as legitimate and safe, employees can request the original file and have it scanned upon delivery if needed. For employees and security teams alike, this is a great way to save time, frustration and money.
4. Friendly From Spoofing
So here’s the golden nugget of the blog: “friendly from spoofing,” or impersonation. This is tricking employees by posing as a senior-level employee, often the CEO or CFO, and devising a seemingly ‘legitimate’ email with a compelling, time-sensitive request for some asset, typically credentials, data or money.
In one case, a CEO was spoofed with a relatively well-contrived email to the CFO requesting that a reasonable sum of money was needed quickly, let’s say $12k, for a down payment to secure an upcoming sales kickoff meeting venue. In another case, the CEO was spoofed in an email to marketing requesting a stock of a hundred $100 Amazon gift cards for the sales team to use as incentives in their day-to-day sales efforts.
To their credit, the hackers are improving in sophistication, and these kinds of emails are often written quite well so as not to trigger suspicion. They frequently use ‘cousin’ domains, so the ‘from’ email address looks so close to the correct one that it’s easily overlooked: e.g. www.C-STOR.com, instead of www.cstor.com. The most common ‘from’ types of impersonation attacks are internal executives, partners and well-known Internet brands.
Your email security tool should offer real-time scanning of all emails for header anomalies, domain discrepancies, suspect body content, and partner and third-party exploitation. Ideally, it also gives your administrator specific controls over how to handle suspect emails and sets up a centralized policy management process so consistency in your email security posture can be maintained.
In the End… Well, There is No End
I’d love to finish this blog with “well, that’s ALL folks!” However, I simply can’t. The reality is we’re battling against evolving threats continually being re-engineered and advanced by creative, albeit dark, humans in the shadows of society. With the kind of statistics at hand about how many attacks start through email, this is a CEO issue in my humble opinion. There needs to be a culture of security awareness that starts from the top and permeates every fiber of the company, whether you have 10 employees or 10,000+.
Where to Begin
So, what’s next? By now, you may be thinking, “Oh, my email security tool is probably enough just to send them elsewhere.” Are you willing to take that risk after everything you just read?
Certainly, that’s your prerogative, but I can’t say I’d get behind that one. My recommendation is to start with a simple assessment of your existing tool to find out where the gaps truly lie and what you can do to close them effectively and affordably. So to end on a more positive, good news note: cStor can help you evaluate where you stand today, and where you need to be, based on your existing investments and environment. Just drop us a line or contact your AM to ask about starting a ‘health check assessment,’ and we’ll help you advance the ball.