Email Security Is Keeping Security Leads Awake At Night – What Can Be Done?

The challenge of email security is only getting worse. Data from Proofpoint in its recent State of the Phish 2023 report shows that 90 percent of security professionals consider security a top priority at their company. Meanwhile, just 33 per cent of employees say the same.

Given that 44 per cent of people think an email is safe when it contains familiar branding, that one in three people took a risky action (such as clicking on a link or downloading malware) when faced with an attack, and that there has been a 76 per cent increase in direct financial loss from successful phishing, email is clearly a challenge that is keeping security professionals up at night.

Email is an essential communication tool in the modern workplace, so no matter how much stress it causes it can’t be avoided, but it also represents a significant risk to organisations. Email security breaches can cause financial losses, reputational damage, and legal liabilities. In extreme cases, a breach can be a business-ending event.

The Cost of Email Security Breaches
Email security breaches can come with a hefty price tag for organizations. According to IBM’s 2022 Cost of a Data Breach Report, the average cost of a data breach is a record $4.35 million. Email-related incidents are the top cause of data breaches, accounting for 23 per cent of all incidents. These breaches can be caused by a variety of factors, including phishing attacks, malware, insider threats, and human error.

However, where other forms of security breach – network breaches and the like – typically come from attacks from outside, with email the biggest challenge is the people within the organisation. The majority of successful breaches via email happen because, whether by accident or on purpose as an inside threat, an individual within the organisation clicks on a phishing link, downloads a malicious attachment, or sends confidential and private information to someone who shouldn’t have had access to that information.

Best practice guidance will always talk about how important it is to train employees on an ongoing basis. Just as those in the office who are trained in first aid or fire safety regularly need to refresh their skills, so too does everyone in the organisation need training on how to identify suspicious emails and how to be secure in sending information out of the organisation.

However, that’s only part of the solution. It only takes one mistake to render all that education meaningless. Organisations also need to invest in maintaining email security technologies.

Technologies to limit email security risk
You want to start with email filtering. A good email filtering system will leverage content analysis and machine learning to enhance spam detection and reputation-based filtering to identify and block malicious emails or unsolicited emails that violate company policy.

The AI component is critical here. One of the most common concerns that I hear from the IT leaders that I speak to is the role that tools like ChatGPT will have on email security. It’s becoming easier than ever for cybercriminals to use AI to generate code and content that makes it more efficient and effective for them to deliver attacks.

Similarly, as noted by CrowdStrike in its 2023 Global Threat Report, there has been a massive increase in Ransomware-as-a-Service, allowing cybercriminals to automate attacks as easily as legitimate businesses might send out eDMs. “After some of the biggest and most notorious ransomware enterprise shutdowns, ransomware affiliates moved to new ransomware-as-a-service (RaaS) operations,” the CrowdStrike report notes. “Additionally, more than 2,500 advertisements for access were identified across the criminal underground, representing a 112 per cent increase compared to 2021 and demonstrating a clear demand for access broker services.”

The only counter to both RaaS and AI-driven cyber crime is to leverage best-of-breed AI in defence, as it is the only way to respond quickly enough as new threats come online.

Encryption is another essential technology for protecting sensitive information in transit. Encryption scrambles the content of an email so that only authorised parties with a decryption key can read it. There are two types of encryption: symmetric and asymmetric encryption. Symmetric encryption uses a single key to encrypt and decrypt messages, while asymmetric encryption uses both a private and public key.

Another technology that can help prevent email security breaches is two-factor authentication (2FA). 2FA adds an extra layer of security by requiring users to provide another form of authentication in addition to their username and password. For example, this could be a code sent to the user’s phone or a biometric identifier, such as a fingerprint.

Be careful of relying on inferior 2FA, however. Many 2FA systems will send an SMS code to a mobile phone. This seems like a secure solution – after all, a mobile number is unique to one person – but it can be surprisingly easy to convince an ISP to transfer a person’s mobile number to another device without their consent. At that point, the cyber criminal can get those critical 2FA codes sent to them instead.

Policy For Email Security
Policies are also crucial for limiting email security risks. An effective email security policy should cover topics such as:
-Acceptable use of email
-Password management and complexity requirements
-Procedures for handling sensitive information
-Reporting security incidents
-Training and awareness programs for employees

The policy should include clear guidelines on what information should not be shared via email, such as usernames, passwords, or financial information. Additionally, the policy should outline procedures for handling sensitive information, such as using encryption and ensuring proper authorisation before sharing any data.

It’s also a good idea to develop a security policy in collaboration with your security technology provider. That way the policies can be more seamlessly built into and enforced by the technology rollout.
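
As an added illustration of building such a policy into tooling (example code written for this article, not taken from any vendor's product), the sketch below scans an outbound message for the kinds of information the policy says should not be sent by email. The patterns, the function names scan_outbound and luhn_ok, and the sample message are all assumptions made for the example.

```python
import re
from email import message_from_string, policy

# Constructed sample message, not real data. 4111 1111 1111 1111 is a
# widely published test card number; the order reference fails the Luhn check.
SAMPLE = """\
From: alice@example.com
To: vendor@example.net
Subject: Account details

Hi, the portal login is below.
username: alice.w
password: Summer2023!
Card for the invoice: 4111 1111 1111 1111
Order reference: 1234 5678 9012 3456
"""

# Assumed policy patterns: "label: value" credential lines and 13-19 digit runs.
CRED_RE = re.compile(r"(?im)^\s*(username|password|passwd|pwd)\s*[:=]\s*\S+")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def scan_outbound(raw: str) -> list[tuple[str, str]]:
    """Return (kind, detail) findings for the plain-text body of an outbound message."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    findings = [("credential", m.group(1).lower()) for m in CRED_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            # Report only the last four digits so the alert itself leaks nothing.
            findings.append(("card_number", "*" * (len(digits) - 4) + digits[-4:]))
    return findings

if __name__ == "__main__":
    for kind, detail in scan_outbound(SAMPLE):
        print(f"{kind}: {detail}")
```

The Luhn check is what keeps the order reference in the sample from being flagged as a card number, which matters in practice because a filter that blocks every long digit run quickly gets switched off.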

Email security breaches can be costly for organisations, and as a major area of risk, it is a stressful concern for security leaders. On the flip side of the coin, email is an essential tool. You’ll never be able to reduce the risk of email to zero, but there are things, across both technology and policy, that can significantly help to reduce the risks being faced.