According to our HIPAA Breach Reports, email is the top threat vector in healthcare. But that stat holds true across all industries according to Verizon’s 2019 Data Breach Investigations Report.
This is easy to see for any IT security professional, with favorite cyberattacks like malware being delivered via email 94% of the time. If that’s not bad enough, bad actors are constantly modifying and changing attacks faster than most detection systems can keep up with.
The numbers can be overwhelming, but your organization has a fighting chance if you have the right email security strategy in place to ward off threats to your inbox.
In this guide we’ll cover:
- What is email security
- Why you need an effective email security strategy
- The top-3 most common attacks
- Email security best practices
What is email security?
Many people think email security is nothing more than spam filtering. But as attacks have evolved, your strategies should move beyond anti-spam filters too.
The current approach is more complex compared to what it was a couple of decades ago. It does include spam filtering, but also encompasses other measures for securing access to an account and email content, including predictive analysis of incoming emails and preventing interception of email messages by unauthorized parties during transit.
In this guide, we’ll focus on email security against inbound threats. Other secure email strategies like email encryption and data loss prevention (DLP) are discussed in detail in other posts.
Why do you need an effective email security strategy?
At almost 50 years old, email is often regarded as an outdated form of digital communication.
The “next big thing” like messaging, group chatting, and video calling are all celebrated as email replacements as the preferred means for contact and collaboration.
However, email communications has yet to be dethroned and remains a valuable tool because of its ubiquity.
Practically anyone who has access to the internet has an email address – you can’t sign up for most apps without one.
Unlike messaging platforms, email can be sent to anyone, which is vitally important for business communication where you can’t guarantee or force parties to be on the same platform and still make communication easy and painless.
Organizations across various industries rely on business email as their primary means of reaching out to employees, customers, and other stakeholders. Old-fashioned as it is, email has 3.8 billion users, or half of the world population.
Cybersecurity threats can spread through other channels, but hackers know they can get more victims if they go through email. It’s the reason why email is the top threat vector even in 2019.
But gone are the days when annoying junk mail was the primary issue with your inbox.
Though it still gets its fair share of victims, messages from Nigerian princes offering you millions of dollars if you share your bank details are basic.
Now, you have to watch out for threats that are hard to spot and harder to eradicate.
The global average cost of a data breach is $3.86 million.
Messages look authentic, and without additional verification, their fraudulent nature is easy to miss.
Once they start wreaking havoc, it can be challenging to mitigate the damage because attacks usually evolve faster than patches can be made. The result of such an oversight is often a data breach.
According to IBM’s Cost of a Data Breach Study, the global average cost of a data breach is $3.86 million.
That’s a huge cost for any organization, but especially for small- and medium-sized businesses (SMBs). But since it’s just the average, the figure can go as high as hundreds of millions.
For their 2015 data breach that compromised the personal health information (PHI) of almost 79 million people, health insurance provider Anthem was legally obligated by a federal court to pay a class action settlement of $115 million, the largest one to date for a HIPAA violation.
And that data breach started from a spear-phishing email sent to a few Anthem employees.
The financial loss alone is significant, but a data breach also causes another loss money can’t buy – reputation.
Organizations spend years to build a good name, but one data breach can ruin it. It’s difficult to regain stakeholders’ trust after it has been broken. Not all organizations can withstand the fallout.
An effective email security strategy is important to be proactive, not reactive. The goal being simply to prevent attacks before they can cause costly harm.
What are the most common email threats?
Before you can win, you need to know what you’re up against.
Disguised as legitimate messages from reputable entities such as financial institutions, government agencies, or major retailers, phishing emails ask recipients to send confidential information or open an attachment containing malware.
The recipients, not realizing they are being duped, do what is requested without second thought.
They have the same structure and intent as the regular kind, but spear-phishing emails are more targeted.
They’re not sent out the masses; rather, they’re delivered to a specific group or person to whom the messages are relevant.
For example, the emails can be made to look as if they’re sent out to customers of a bank or employees of a company, like what happened with Anthem. Because of the level of personalization involved, they’re more difficult to detect.
Display name spoofing
Another form of trickery is display name spoofing which involves changing the sender’s display name so that the email seems to come from a trusted source.
Cyber criminals count on the fact that many people check the display name and don’t bother verifying the email address when they get a message. Sometimes, the email address is also spoofed, adding another layer to the scam.
A subset of malware, ransomware takes over a system (or a device in some cases), and access to it is blocked unless you pay the demanded amount via bitcoin or other untraceable methods.
Most payloads are delivered via an email attachment or link.
These ransomware attacks have become more high profile of late and represent a growing concern for every organization, even municipalities.
As mentioned, the goal of these email attacks is to get people to hand over sensitive data or make them download malware to their computers. Hackers use their access to sensitive information for nefarious purposes – selling it on the dark web’s black market, using it for identity theft, holding it for ransom, or using it to access financial accounts.
Email security best practices
Thankfully, it’s not all doom and gloom. There are very real steps any organization can take to greatly improve their email protection against threats.
Build your wall and gateway
Automated processes are more secure and less prone to errors. Use technology to your advantage to prevent the vast majority of threats from reaching end-users.
But you can do better than simple antivirus software, there are email security solutions like Paubox that can analyze incoming emails for known threats and filter them accordingly. The best solutions have advanced threat detection features like Paubox’s ExecProtect which can identify display name spoofing emails and stop them from reaching users’ inboxes altogether.
They can work in tandem with, and enhance, your existing business email platform like Microsoft Office 365 and Google G Suite.
Validate your email
Email authentication proves that a message your organization sent out did come from your organization. This process decreases spoofing and phishing attempts, thus preventing attacks and protecting your brand. Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC) are the three forms of email authentication.
Inbound threat protection would be simpler if every organization adopted these standards, making legitimate emails easier to recognize.
Train your staff
Unfortunately, not all junk mail ends up in the spam folder or quarantine, because no software is perfect and bad actors are coming up with new variations every minute.
This means a few questionable emails may still get through from time to time, so employees should know how to assess messages through simple steps such as hovering over links in messages to verify the destination URLs before clicking, or refraining from opening email attachments from unvetted sources.
Training isn’t just a one-time item to check-off at new hire orientation either. Regular training, reminders, and even internal phishing campaigns have all proven to help in keeping employees vigilant for threats and falling victim to The Overconfidence Dilemma.
Be ready to react
Though an effective email security strategy should be preventive, you have to be ready to spring into action in case of a successful attack. Your organization’s response will depend on the nature of the attack, but speed is critical for security teams. This can range from isolating affected systems and containing the situation, to notifying customers and assessing the damage.
People won’t stop using email anytime soon. It has been around for almost 50 years and shows no sign of being phased out anytime soon.
That means bad actors will continue to wage war on your inbox, so it’s best to invest in building a robust email security strategy to protect your organization.
How Paubox can help
Paubox Inbound Security helps prevent email threats before they hit the inbox with robust spam filtering and email security against ransomware, malware, and phishing attacks.
This includes real-time advanced threat protection features like Paubox’s patent-pending ExecProtect, which immediately identifies and quarantines display name spoofing attacks, never letting them get to the inbox.