
Why email is one of your company’s most vulnerable access points

Email continues to be a leading method for malware and phishing attacks according to recent industry research.

Karina Aguilera /
Security
Emails: an everyday business tool that could put your business at risk

Whoever said email is dead was wrong. Many organisations, large and small, still rely on email every day because of its convenience. Because it is so widely used, it is also an easy entry point for different types of threats such as malware, Trojans and viruses.

Email-based cyber attacks affect almost every industry and company size. According to research from Proofpoint (named by Gartner as a Leader for Enterprise Information Archiving), this was particularly the case for phishing and malware attacks in Q1 and Q2 of 2018.

The best way to approach email security is to have a holistic view of what can go wrong. This involves educating your employees on the fundamentals of correct online behaviour and the warning signals to look out for. Plus, you need to have technology and processes in place to stop email-based attacks before they happen.

Whether your email client is Outlook or Gmail, there are additional steps your organisation can take to improve threat detection and reduce exposure to lures that your staff may not see or recognise as bait.

One of the most difficult aspects of keeping organisations safe online is how quickly the landscape changes. Methods and techniques shift swiftly, so there is no confidence to be gained from thinking you have a certain type of cyber attack ‘covered’. You must remain vigilant and have a range of strategies in place.

Where the most recent damage is being done

A snapshot drawn from Proofpoint’s report Protecting People: A Quarterly Analysis of Highly Targeted Cyber Attacks (based on data gathered between June and September 2018) demonstrates the unpredictable nature of cyber attacks.

In fact, 99% of email addresses targeted in this period did not feature in Proofpoint’s previous reports.

This shows that no email address is safe and that security must be robust and flexible. Your employees are your front line of defence against an email-based attack. Educating and training them is essential to reduce the risk of malware affecting your infrastructure.

Proofpoint’s report also revealed that email-based phishing attacks targeting corporate credentials increased fourfold compared with the previous quarter of 2018.

It is the spread of attacks across the levels of an organisation that is most concerning. Lower-level employees accounted for 67% of targeted phishing and malware attacks. People in management (from mid-level to C-level) represented about a third. While this is a lower percentage than for other employees, management is also a much smaller share of the workforce, which implies that management was, and still is, a key target demographic for attackers.

Why email requires particular attention

As Proofpoint observe in their Q2 2018 Quarterly Threat Report, the human factor is the easiest to exploit in a targeted email-based cyber attack. If the social engineering set-up is clever enough, users will click.

In this inc.com article about 2018 phishing scams, Patrick Peterson, CEO of email security company Agari, concurs. He makes the obvious but profound observation that email scams work so well because everybody uses email; there is a critical-mass factor involved.

The serious impact of insufficient email security

There are three primary ways in which malware delivered via email causes significant damage to organisations: financial, legal and reputational.

Financial:

There are always direct and indirect financial costs resulting from a data breach. The direct costs cover any actual money taken in the breach. Figures cited in the above inc.com article include an estimate (based on the 2017 Internet Crime Report) that $676 million was stolen globally by cyber criminals in 2017. The indirect costs can often be even worse, though. The costs of repairing and remediating company databases, and of employees’ time spent on post-breach response, all add up in the end.

Legal:

Regulations and data protection schemes now affect organisations globally. There is the General Data Protection Regulation (GDPR) in Europe and the Notifiable Data Breaches (NDB) scheme here in Australia. Your organisation could face significant fines for compliance breaches under these schemes. You have a due-diligence obligation to keep the data of any visitor to your website safe and secure, regardless of where your organisation operates. For example, you could be fined under the GDPR if your data isn’t secured adequately and website visitors from Europe access your site. Email phishing and malware attacks can compromise the data your organisation collects and stores, leaving you exposed to breaches for which you can be held accountable. There needs to be a shift in how organisations approach cyber security to ensure that their own data, and that of their clients and customers, is safe.

Reputational:

If your company becomes known as one that allowed significant data breaches or was the victim of a cyber attack that impacted customers, you may attract the wrong kind of press and lose existing customers, potential customers and revenue.

Basic steps to guard against email security threats

Education and Training:

The most important step is at the human level. Make sure your employees are educated on cyber security so they can recognise potential threats and understand the countermeasures to put in place.

For example, encourage a culture of reading email subject lines closely and with a critical eye. Again, it is impossible to identify one single warning sign. The words ‘urgent’, ‘request’ and ‘payment’ were the three most common subject-line words in emails delivering malware, according to the Proofpoint report. A word as innocuous as ‘document’ also featured.

Staff should be trained to read any emails with ‘flags’ like these carefully and question:

  • Who would be sending a request for payment in this way?
  • Is it consistent with company procedures?
  • Why would the generic word ‘document’ be used rather than more specific wording?

Anything that seems unusual should be flagged and followed up.

At a higher level – how skilled is your IT team? Can you provide extra training for them? Where are their knowledge gaps? How regularly are you assessing the team and the external environment?

For example, would someone in your team know that URLs are now much more common than attachments as routes for malware and phishing attacks?

If you don’t have the capacity to do this in-house, what are you doing about it?

Technology:

No matter how cautious staff are, some attacks will get through. This is why you need to accompany education and training with up-to-date technology. Just as fast as cyber criminals come up with new ways to attack, defenders are coming up with new ways to protect.

You must have a realistic understanding of how vulnerable you are. The worst thing you can do when it comes to email security is assume the best.

Do your research. What solutions are out there? Are they comprehensive enough? Your solution should be dynamic, so that you can build in both quarantine measures (for incoming and outgoing email) and blocking measures.

Partnership:

For something as vital as email security, it makes sense to engage a managed service provider to access the knowledge, expertise and technology you may not currently have.

Play it smart and play it safe

You need a comprehensive email security framework that includes people, technology and partnerships and that is regularly assessed and updated.

This is where Nexon can help.

Nexon specialises in email security and can provide end-to-end solutions – including filtering mail before it even gets to your network.

We can run a vulnerability scan (remotely and passively) to give you an initial assessment of your environment.

Get in touch today.