By Rahul Powar, CEO and co-founder, Red Sift
Times change, technologies continue to evolve, and yet email remains the easiest avenue of attack for cybercriminals looking to hack into your business. Need convincing? Well, in 2018 94% of malware attacks were deployed by email, 78% of cyber espionage incidents used phishing, and 32% of all reported breaches involved phishing[1] (let’s not dwell too much on the possible scale of unreported breaches).
Securing email
The truth is that email has been the easiest avenue of attack for at least two decades and, unless there are some fundamental changes in how the problem is addressed at a global level, it will probably remain so for another decade.
In the meantime, businesses continue to look for ways of increasing their level of inbound protection – deploying security products that attempt to block access to infected sites or identify unsavoury email content before it reaches the recipient. These products come in many different shapes and sizes and are then augmented by a ‘human shield’, i.e. the vigilance of the employees to spot phishing scams and fraudulent messages that have outwitted the technology.
The issue with this is that it still takes just one employee – anyone from the new junior executive to the CEO – to take the bait, click on the infected link or download the malicious attachment, and the inbound defences could unravel entirely.
The blame game
Blaming individuals for such errors gets us nowhere. After all, scammers do this for a living – they’re really very good at outwitting people. You might be able to spot a Nigerian Prince phishing scam a mile off, but would you really be able to spot a fake message purporting to be from your finance department that referred to you by name and included other seemingly legitimate details about your workplace?
Blaming the security technology is only slightly less pointless. Yes, some of these products are better/worse than others, but none of them is foolproof. Scammers continue to come up with inventive means of bypassing them, and of course, if a scammer has hijacked a legitimate email domain, it makes it all the more difficult for the technology to spot the fraudulent correspondence.
Ultimately, it boils down to a question of trust. We’re now less inclined to trust the emails we receive and we’re less inclined to trust the technology that is supposed to defend us against the untrustworthy emails.
So what can we do to break free of this downward spiral?
Combining defensive forces
Well, we can start by paying more attention to outbound protection. As an organisation, this means taking on the mantle of assurance – giving every email correspondent a guarantee that you are who you claim to be.
There are good reasons for focusing on outbound protection. If scammers are able to spoof your email domain, your business’s reputation will take a kick in the teeth; if your customers are being inundated by fraudulent messages purporting to come from your business, the open rates for any legitimate messages you send could also fall off a cliff.
Impersonating the [email protected] doesn’t take a PhD – someone with basic coding skills can impersonate an unprotected domain, making the victim believe that the email from [email protected] is actually legitimate and the good folks at IT Security Guru do indeed want to get to you, albeit a little more personally than you expected. And once that personal data is in the scammer’s hands, there’s nothing you can do to retrieve it.
The other advantage of outbound protection is that, unlike conventional inbound measures, it actually helps restore trust. For example, DMARC is a globally accepted outbound email protocol that protects domains against impersonation by scammers. It enables you to guarantee to the wider world that any email sent from your domain was definitely sent by your organisation. This in turn allows organisations to build up whitelists of verified senders – hence, by adopting DMARC, you benefit from the knowledge that your own emails are far more likely to a) be delivered and b) be trusted.
Inbound versus outbound protection isn’t an either/or discussion. The former is needed to defend against the email threats that are out there; the latter is needed to reduce the overall threat level and start to rebuild trust in email once again. Critically, both are vital in defending organisations’ reputations as we continue to plumb new depths of email apprehension.
[1] Verizon 2019 Data Breach Investigations Report
