Raymond Maisano from Cloudflare explains why organisations need to revamp their email security strategy.
The challenge in the war with cyber criminals is that new opportunities for attackers open all the time. We need to juggle putting the right defences in place to counter new threats with winning the battles that have been going on for years. Email is one of these battles, and if you thought we had already won this one, think again.
The ACSC 2020-2021 Cyber Threat Report shows that email is still a heavily exploited attack vector, and the consequences are often significant. Just last year, more than 4,600 instances of business email compromise were reported, costing businesses over $81 million. That’s a breach every two hours at an average cost of $17,600 each.
According to Forrester, our problem with emails is our propensity to trust this medium when it is still a ripe target for attackers. It is time to develop scepticism among workers about emails and tighter security policies around them.
A polished social engineering arsenal
With email security, there is an elephant in the room: phishing. Phishing has been around for a long time but has become much more sophisticated. Phishing emails have evolved from dubious-looking messages asking users to click on a link to cleaner, more realistic and legitimate-looking messages, often impersonating colleagues or key stakeholders. They are also more closely tied to the news cycle, and the malicious actors behind them have become experts at social engineering, tapping into both people’s anxieties and their trust in email to improve their campaigns’ performance.
The pandemic has set the perfect environment for these campaigns to trick mentally burnt-out employees or business leaders desperately looking for solutions to weather the storm. A report from the FBI shows that phishing was the most common cyber crime in 2020, with 240,000 victims leading to a loss of US$50 million – this is two times more than in 2019, and 10 times higher than in 2018. Phishing is causing havoc like never before, and this goes to show that email protection is still a complex battle, even for the most sophisticated organisations.
Email protection: A balancing act
Most phishing attacks and campaigns use email and domain name spoofing. Organisations hoping to reduce phishing should focus on preventing spoofing from reaching their employees, which can be achieved with a zero-trust approach to email, where only authenticated senders can deliver messages to employees. Domain name system (DNS) records, including Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) records, have been designed to do just that. These records primarily exist to optimise email deliverability, ensuring that emails are sent by and delivered to the right people, and to reduce the risk that an organisation’s brand or domain name is used for phishing purposes.
But anyone who has looked at SPF, DKIM or DMARC records can testify that they are not exactly straightforward, and finding the right balance in their configuration may feel like splitting the atom to some organisations. If the configuration is too strict, legitimate emails may not be delivered or will be marked as spam; if it is too loose, the risk of spoofing remains.
This is a balancing act that many organisations, especially small businesses, are not managing to perform. By the end of 2020, adoption figures published by Dmarc.org showed that more than 50 per cent of domains still did not have a DMARC record, and a significant number of those that have one are not properly configured. SPF and DKIM have much higher adoption rates, but without a DMARC record there is no clear enforcement of SPF and DKIM checks.
Because DNS records are still complex to understand, email security solutions have been designed to simplify their configuration and adjustment with a zero-trust mindset that still allows important emails to be delivered. These solutions often include additional tools such as scanning email activity in real time, flagging security gaps and offering quick fixes.
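To make the "too strict versus too loose" balancing act concrete, here is an added example (not from the article or from Cloudflare) that classifies an SPF and a DMARC TXT record by how much enforcement they actually provide. The sample records and the example.com/example.net names are constructed placeholders.

```python
# Added example: grade SPF and DMARC records by enforcement level.
# Sample records below are constructed; domain names are placeholders.

def parse_tags(record: str) -> dict:
    """Parse a 'k=v; k=v' DMARC record into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_spf(record: str) -> str:
    """Return 'missing', 'too loose', 'neutral', 'soft' or 'strict'."""
    if not record.startswith("v=spf1"):
        return "missing"
    terms = record.split()
    # The 'all' mechanism decides what happens to senders not listed earlier.
    mech = next((t for t in reversed(terms) if t.lstrip("+-~?") == "all"), "?all")
    if mech in ("+all", "all"):
        return "too loose"   # any host may send as this domain: spoofing risk remains
    if mech == "~all":
        return "soft"        # softfail: receivers usually only mark as suspicious
    if mech == "-all":
        return "strict"      # hardfail: unlisted senders are rejected
    return "neutral"         # ?all: no opinion, effectively no protection

def assess_dmarc(record: str) -> str:
    """Return how the DMARC policy enforces SPF/DKIM alignment failures."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return "missing"
    policy = tags.get("p", "none")
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        return "monitor only"          # reports are sent, nothing is enforced
    if pct < 100:
        return f"{policy} (partial, {pct}%)"  # staged rollout, some mail unchecked
    return policy                      # 'quarantine' or 'reject'

# Constructed sample records: one loose, one mid-rollout, one fully enforced.
SAMPLES = {
    "loose": ("v=spf1 include:_spf.example.net +all", "v=DMARC1; p=none; rua=mailto:dmarc@example.com"),
    "rollout": ("v=spf1 ip4:203.0.113.0/24 ~all", "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com"),
    "enforced": ("v=spf1 ip4:203.0.113.0/24 -all", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
}

if __name__ == "__main__":
    for name, (spf, dmarc) in SAMPLES.items():
        print(f"{name:9s} SPF={assess_spf(spf):10s} DMARC={assess_dmarc(dmarc)}")
```

A `p=none` DMARC record is the common "has a record but not properly configured" case the article mentions: it produces reports but enforces nothing.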
Build staff cyber knowledge and awareness
Optimised DNS records are components of a zero-trust approach, but the risk of email vulnerabilities still exists without education at the employee level. Many breaches occur because employees are careless in the way they access and manage their emails, mixing personal and company devices, or sharing sensitive information and data in the wrong places. In fact, 38 per cent of all data breaches reported to the OAIC in the first half of 2021 were due to human error, and most of these were due to mishandling emails.
Discussing the different aspects of email security and zero trust with employees is critical. A first step is to provide ongoing education on the topic, especially on how malicious actors keep developing new and deceptive strategies, and on their financial and reputational impact on organisations. Too often, IT teams send warnings to staff when the threat is already impacting them.
With increased awareness, employees will likely be more willing to cooperate and adopt best practices in the way they handle and share the company’s information and data, which is the second step. Employees sometimes greet zero trust with scepticism and only see the negative impact on their day-to-day work, but with a better understanding of the rationale behind it, there should be more buy-in. This can’t be achieved without the right amount of education and a proper change management and internal communications strategy.
Wherever organisations are in their security journey, they should always consider their posture towards email security. Even if new and fancy cyber attacks regularly make headlines, email and phishing are still the main conduits to major data breaches and cyber attacks, and they should get the appropriate attention.
Raymond Maisano is the head of Australia and New Zealand at Cloudflare.