Mark Lukie from Barracuda explains how organisations can bolster email security amid heightened vulnerabilities off the back of the shift to remote work.
In response to COVID-19, organisations worldwide shifted rapidly to remote working at scale using email, conferencing apps and a range of other tools to enable isolated staff to work, communicate and collaborate.
They made extensive use of internal communications apps to support this sudden and significant upsurge in remote access to corporate IT resources. Many adopted cloud computing to support remote workers.
This greatly increased their exposure to cyber criminals, and the consequences can be seen in the surging cost of data breaches.
According to the IBM Security and Ponemon Institute Cost of a Data Breach Report 2021, the average cost of a data breach in 2021 (US$4.24 million, or $5.76 million) was the highest in the 17-year history of the report. It also found the average cost to be US$1.07 million ($1.45 million) higher in breaches where remote work was a factor in causing the breach than in those where it was not.
So, to help organisations better protect themselves from the costly consequences of a data breach, here are some of the most common attack techniques and ways to prevent them.
B2B email practices
B2B retailers that trade through e-commerce make extensive use of email. For many, personalised email is their primary and, measured by ROI, most effective marketing tool.
Unfortunately, marketing messages share recipients’ inboxes with mail from many other sources, and that crowded, trusted channel is a favoured one for attackers of all kinds. Email is notoriously insecure and therefore widely exploited by cyber criminals: 45 per cent of all email is spam, some 14.5 billion messages a day. Organisations routinely filter out most of it, but criminals keep finding ways past these filters and causing significant damage.
Losses from business email compromise (BEC) reported to the FBI’s Internet Crime Complaint Center (IC3) between January 2014 and October 2019 totalled more than US$2.1 billion ($2.9 billion), and those complaints concerned attacks carried out through just two popular cloud-based email services.
At the same time, the Barracuda report Spear Phishing: Top Threats and Trends Vol. 7 - Key Findings On The Latest Social Engineering Tactics And The Growing Complexity of Attacks found that in 2021 cyber criminals sent three million messages from 12,000 compromised accounts, and that approximately 500,000 Microsoft 365 accounts were compromised.
The cost to an organisation goes well beyond any sum extorted by the criminals: damage to brand image, lost productivity, lost revenue, and investigation and remediation costs all add up.
Most businesses are well aware of the potential costs of a successful cyber attack, but fewer than half have the right tools to respond appropriately.
The most widely used email attack techniques are spoofing, spear phishing and malware. More complex attacks include brand and domain impersonation and lateral phishing, in which the attacker sends mail from an account they have already compromised inside the target organisation, so it arrives from a genuine colleague’s address.
Malicious spam and phishing emails lure the recipient into clicking a link or opening an attachment. Either action can download malware that infiltrates the company network and accesses sensitive information, including personal data. The victim generally does not realise they have been compromised, and the attack is discovered only after it has achieved its purpose.
The intent of a spear-phishing email is the same as that of bulk phishing, but the message is crafted for the targeted individual to allay their suspicions and convince them that it comes from a known and trusted source.
In a survey undertaken by Barracuda, reported in May 2020, 43 per cent of organisations said they had been hit by spear phishing in the preceding 12 months, and only 23 per cent said they had dedicated spear-phishing protection in place. Another Barracuda report, in March 2022, found that 51 per cent of social engineering attacks are phishing.
Cyber criminals research their targets, mining social media profiles and other open sources, to gather detailed information about the intended victim, the victim’s organisation, and their contacts and colleagues. They use this information to make phishing emails hard to detect, because the messages appear to come from a known and trusted source and refer to real people and projects.
In an even more sophisticated attack, often known as CEO fraud, the attacker poses as a senior executive the victim knows and pressures them into making an urgent funds transfer, typically with a demand for speed and confidentiality that discourages the victim from checking through another channel.
Data attacks: Exfiltration, extortion and ransoms
If an attacker gains access to an organisation’s sensitive data, they might threaten to disclose it, embarrassing the organisation and possibly putting it in breach of data protection laws. Or they might encrypt the data and demand a ransom to restore access.
Protection is paramount
Client devices and servers holding sensitive data all need to be protected with strong security technologies, but employee awareness is also important: employees need to be trained to recognise spam and phishing emails. However, as attackers become smarter and more sophisticated, user awareness alone is not sufficient protection.
Email systems need strong safeguards to detect and block such attacks: gateway defence, including sender authentication (SPF, DKIM and DMARC) against spoofing of the organisation’s own domain, combined with AI-enabled inbox protection that covers all email threat types. The inbox layer matters because lateral phishing and mail from an attacker’s own registered domain pass authentication checks; detection then has to rely on features of the message itself, such as an executive’s display name on an outside address, a lookalike domain, a redirected Reply-To, or urgent payment language.
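As an added example (not code from this article or from any Barracuda product), the following Python script shows what the message features described above, from CEO fraud and domain impersonation through to the detection discussed in the previous paragraph, look like when checked by a simple rule set: display-name impersonation of an executive, a lookalike sender domain, a Reply-To pointing elsewhere, failed SPF/DKIM/DMARC verdicts, and urgent payment language. The organisation domain, the executive directory and the three sample messages are constructed for the demonstration.

```python
"""Rule-based triage of inbound mail for common impersonation features.

Added example, not Barracuda's product logic. The organisation domain,
executive directory and sample messages below are constructed.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                          # assumed organisation
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumed directory

URGENCY = re.compile(
    r"\b(urgent|wire transfer|immediately|bank details|gift cards?)\b", re.I)
AUTH_VERDICT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def auth_verdicts(msg: Message) -> dict:
    """spf/dkim/dmarc results from Authentication-Results written by our MTA."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, result in AUTH_VERDICT.findall(header):
            verdicts[mech.lower()] = result.lower()
    return verdicts


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: str) -> list:
    """Return the suspicious features found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = domain_of(addr)

    # 1. CEO fraud: an executive's display name on an address that is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display-name impersonation of {expected} from {addr}")

    # 2. Domain impersonation: close to our domain but not ours.
    if domain and domain != ORG_DOMAIN and edit_distance(domain, ORG_DOMAIN) <= 2:
        findings.append(f"lookalike domain {domain}")

    # 3. Replies silently redirected to a different domain.
    reply = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply and reply != domain:
        findings.append(f"reply-to domain mismatch ({reply})")

    # 4. Spoofing: authentication failed, or is absent for our own domain.
    for mech, verdict in auth_verdicts(msg).items():
        if verdict in ("fail", "softfail", "permerror"):
            findings.append(f"{mech}={verdict}")
        elif verdict == "none" and domain == ORG_DOMAIN:
            findings.append(f"{mech} missing for internal sender")

    # 5. Social-engineering pressure: urgent payment language in subject or body.
    text = msg.get("Subject", "")
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            text += "\n" + part.get_payload(decode=True).decode(errors="replace")
    hit = URGENCY.search(text)
    if hit:
        findings.append(f"urgent payment language: {hit.group(0)!r}")
    return findings


# Constructed samples: one genuine internal mail, one CEO-fraud attempt from an
# attacker-owned domain (which passes authentication), one lookalike domain.
LEGITIMATE = """\
From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Q3 planning
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

See you at the meeting.
"""
CEO_FRAUD = """\
From: Jane Doe <jane.doe.ceo@mail-provider.example>
To: bob@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail-provider.example; dkim=pass header.d=mail-provider.example; dmarc=pass header.from=mail-provider.example

Bob, I am in a meeting and cannot talk. Send the payment immediately and keep this confidential.
"""
LOOKALIKE = """\
From: Accounts <ap@examp1e.com>
Reply-To: ap@freemail.example
To: bob@example.com
Subject: Updated bank details for invoice 4471
Authentication-Results: mx.example.com; spf=softfail smtp.mailfrom=examp1e.com; dkim=none; dmarc=fail header.from=examp1e.com

Please use the new account for the next payment.
"""

if __name__ == "__main__":
    for label, sample in (("legitimate", LEGITIMATE), ("ceo fraud", CEO_FRAUD),
                          ("lookalike", LOOKALIKE)):
        print(label, "->", triage(sample) or "no findings")
```

The CEO-fraud sample passes SPF, DKIM and DMARC, because the attacker controls the sending domain; authentication only proves the mail came from that domain, not that the display name is honest. That is the practical reason the content and identity checks (rules 1, 3 and 5) have to sit alongside gateway authentication rather than replace it, and why a real deployment would tune the lookalike threshold and keyword list to its own domain and correspondents.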
Mark Lukie is the APAC sales engineer manager at Barracuda.