IT Focus Area: security
November 4, 2019
4 Things to Know Before You Set Up an Email Security Program
As data breaches continue to increase in volume and severity, the trend is clear: most successful attackers target your people rather than your infrastructure. A user who opens an attachment or types a password into a fake login page walks the attacker past the perimeter and endpoint controls of a traditional security strategy.
Many security tools and platforms focus on securing endpoints and the network edge. With people-targeted threats rising steadily, organizations need to pivot to a people-centric security strategy that protects the ways in which employees interact with the outside world.
Attackers favor email because it is inexpensive, effective, and inherently insecure: SMTP has no built-in sender authentication, so without SPF, DKIM, and DMARC anyone can send mail that claims to come from your domain. Most organizations know they have email security gaps but are unsure how to take their program to the next level, whether they are building a new program or elevating an existing one.
The approach to better email security is multi-faceted and touches many areas of your organization, from advanced threat prevention, detection, and response to end-user education. Getting a handle on threats like credential phishing, business email compromise (BEC), and data loss is crucial, but educating users on where and when they should access data and how to respond to the threats they receive plays an equally large part in reducing your exposure.
4 Ways to enable better email security
Here are four ways you can implement a stronger email security program.
1. Get a good understanding of how your company and employees use data.
Understanding how email is used in your organization to share data and sensitive information is the first step toward an email security program that reflects your organization's specific needs. It also raises your overall security posture, because you learn where the data actually flows.
To assess the type of data being shared and how it’s being accessed, consider the following:
- What volume and type of data is being shared?
- Are end-users accessing high-sensitivity documents or drives from unsecured locations or networks?
- Are they sharing this data over an encrypted channel, or as plain attachments?
- When, where and how (tablets, phones, computers) is email and associated data being accessed?
2. Pay attention to email-related risks.
Verizon's 2019 Data Breach Investigations Report found that the overwhelming majority of malware reaches victims by email and that phishing is present in roughly a third of breaches. Being aware of the threats that email poses to an organization is essential to understanding what you will need to strengthen your email security.
Common threats related to email include:
- Business email compromise (BEC)
BEC is fraud carried out through impersonation, usually delivered by spear phishing or whaling (phishing aimed at executives), and is sometimes called CEO fraud. It typically targets companies that conduct wire transfers and have suppliers abroad. Since 2013, the FBI has recorded exposed losses to BEC exceeding $26 billion.
- Credential phishing
This occurs when an attacker harvests login credentials, and often personally identifiable information (PII) with them, by luring users into entering them on a fake or compromised login page.
- Loss or compromise of data
A loss or compromise of sensitive data can happen in a variety of ways and have varying effects depending on what types of data are being handled by email and how important they are to your organization.
- Malware or ransomware
These threats can prevent users from accessing their system or personal files and can include demands for payment in order to regain access.
- Account takeover (ATO)
Attackers use stolen credentials or other techniques to gain access to email accounts. Because the attacker is now operating from inside a legitimate account, internal security measures are bypassed and the attacker can propagate threats and change account configuration. Common actions include creating an inbox rule that forwards a copy of every message to an external address, sending phishing email from the trusted account, stealing data, or using the stolen information to gain access to other accounts. Attackers can also grant a third-party application OAuth consent to the mailbox in Office 365 or G Suite; because the application's access tokens are independent of the user's password, this can keep the attacker in the compromised account even after the password is changed.
3. Educate end-users to make better decisions.
Giving end-users the tools they need to understand, identify, and counteract common email threats is the most effective action you can take, because users are the layer the attacker is actually targeting.
To help educate your workforce, you can:
- Offer engaging training content that isn’t time-consuming.
Create training that uses clear, actionable language and allows end-users to fully grasp their role in protecting the organization from email threats.
- Provide immediate user feedback once a threat has been identified.
Tell users immediately when they have responded to a phishing email, real or simulated, so they understand the severity of the risk and know what to look for in the future.
- Enable mechanisms for users to report suspicious messages.
Put a well-communicated protocol in place for suspicious emails to empower the end-user to make better decisions when dealing with potential risks.
- Practice with simulated email threats.
Send out threat-like emails to educate employees on what to look out for and to keep email threats top-of-mind in their day-to-day.
4. Remember that no email security platform will be perfect.
It is important to keep in mind that no matter how carefully you tune your email security platform, some messages will get through and some user will eventually click. Layer complementary controls behind it to limit the damage from the variables you cannot control, such as human error.
Some additional controls to consider include:
- Multi-factor authentication (MFA)
MFA adds a second factor, a "safety net" that limits the damage when a password is lost or stolen. A common example is a password combined with a one-time code generated by an authenticator app on a smartphone or delivered by text message; without both, the attacker cannot log in. Note that a code the user types into a web form can still be phished and relayed in real time by a proxy site, and SMS codes can be intercepted, so prefer app-based or hardware (FIDO2) authenticators where the platform supports them.
- Strong endpoint and network-level visibility
Endpoint anti-virus and endpoint detection and response (EDR) are an important layer that can stop malware (including ransomware) from installing and running after a user opens a malicious attachment. Inspection of network traffic (east-west and north-south) by an intrusion prevention system or inspecting proxy lets you analyze suspicious packets and payloads and block them before they reach their destination; visibility alone only detects, it does not prevent.
- Strong web security
Credential phishing arrives by email but is realized over the web when someone clicks the link. Ensure that you have controls in place to inspect web traffic, block navigation to credential-phishing sites, and stop the download of later-stage malware (macros in weaponized documents often run a script that fetches the final malicious payload).
- User and entity behavior analysis (UEBA)
UEBA identifies anomalous activity such as sign-ins from unusual locations or devices, suspicious new inbox rules, and other departures from a user's normal behavior. This is especially critical for platforms like Office 365, where a compromised mailbox also exposes OneDrive and SharePoint data.
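The account-takeover behaviours described under "Account takeover (ATO)" in section 2 and the UEBA signals in this section (unusual sign-in locations, strange inbox rules, third-party app consent) can be checked mechanically. The Python below is an added example, not the article's or any product's code: it runs three simple detections over a constructed, generic audit-event stream. The record format, field names, scope names, the two-hour travel window and INTERNAL_DOMAINS are assumptions; real Office 365 or Google Workspace audit logs have their own schemas and need a mapping to this shape first.

```python
"""Added example, not code from the original article or any vendor: ATO
signals over a constructed, generic audit-event stream. Field names, scope
names and domains are this example's assumptions."""
from datetime import datetime, timedelta
from typing import Dict, List

INTERNAL_DOMAINS = {"example.com"}                            # assumed: the org's own domains
RISKY_SCOPES = {"mail.read", "mail.send", "offline_access"}   # assumed scope names
TRAVEL_WINDOW = timedelta(hours=2)                            # assumed impossible-travel window

# Constructed sample events (not real log data). One compromised user (alice),
# one user doing ordinary things (bob).
EVENTS = [
    {"ts": "2019-11-04T08:02:00", "user": "alice@example.com", "event": "signin",
     "country": "US", "ip": "203.0.113.10"},
    {"ts": "2019-11-04T08:40:00", "user": "alice@example.com", "event": "signin",
     "country": "NG", "ip": "198.51.100.7"},
    {"ts": "2019-11-04T08:41:30", "user": "alice@example.com", "event": "inbox_rule_created",
     "rule_name": ".", "forward_to": "collector@attacker-mail.example", "delete_message": True},
    {"ts": "2019-11-04T08:43:00", "user": "alice@example.com", "event": "app_consent",
     "app": "Mail Helper", "scopes": ["mail.read", "mail.send", "offline_access"]},
    {"ts": "2019-11-04T09:00:00", "user": "bob@example.com", "event": "inbox_rule_created",
     "rule_name": "to-archive", "forward_to": "bob.archive@example.com", "delete_message": False},
    {"ts": "2019-11-04T09:05:00", "user": "bob@example.com", "event": "app_consent",
     "app": "Calendar Sync", "scopes": ["calendars.read"]},
]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def detect(events: List[dict]) -> List[Dict[str, str]]:
    """Return one finding per suspicious event, in timestamp order."""
    findings: List[Dict[str, str]] = []
    last_signin: Dict[str, tuple] = {}   # user -> (datetime, country)
    for e in sorted(events, key=lambda r: r["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        user = e["user"]
        if e["event"] == "signin":
            # Impossible travel: a second country within the window.
            prev = last_signin.get(user)
            if prev and prev[1] != e["country"] and ts - prev[0] <= TRAVEL_WINDOW:
                findings.append({"user": user, "ts": e["ts"], "signal": "impossible_travel",
                                 "detail": f"{prev[1]} -> {e['country']} in {ts - prev[0]}"})
            last_signin[user] = (ts, e["country"])
        elif e["event"] == "inbox_rule_created":
            # Forwarding outside the org; forwarding plus delete is the classic
            # "copy everything to the attacker and hide it from the victim" rule.
            target = e.get("forward_to")
            if target and domain_of(target) not in INTERNAL_DOMAINS:
                signal = "external_forwarding_rule"
                if e.get("delete_message"):
                    signal += "_with_delete"
                findings.append({"user": user, "ts": e["ts"], "signal": signal, "detail": target})
        elif e["event"] == "app_consent":
            # Consent granting mail scopes (and offline_access for a refresh token)
            # is the persistence step described under ATO.
            granted = RISKY_SCOPES & set(e.get("scopes", []))
            if granted:
                findings.append({"user": user, "ts": e["ts"], "signal": "mail_app_consent",
                                 "detail": f"{e['app']}: {sorted(granted)}"})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['ts']} {f['user']} {f['signal']}: {f['detail']}")
```

Three findings, all against alice, fire in sequence within a few minutes; bob's internal forwarding rule and calendar-only consent produce none. In practice the geo lookup comes from an IP-to-country database and the per-user baseline (usual countries, devices, rule activity) replaces the fixed window, but the three signals are the ones worth alerting on first.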
What to consider when choosing an email security vendor
Your email security program needs to fit your needs now and scale for the future. The right technology partner can help you build it. The graphic that accompanies this article outlines questions to keep in mind when selecting a vendor.
Build a Better Email Security Program
Implementing an effective email security strategy isn’t as easy as picking an out-of-the-box program. Your organization’s program should reflect and protect your specific needs. Technology is constantly evolving, making it essential for you to first be aware of email security trends and how your organization functions in relation to emails. Once you understand your data usage and email risks, your users can be trained to help protect the first and combat the second. Taking a proactive and comprehensive approach will enable you to build the most effective email security program for you—both today and into the future.