If there’s one thing that I’ve learned about American culture since moving to the U.S., it’s that the kickoff to the pro and college football seasons is what truly designates the start of the Fall season. It’s also the end of a decade. And for the email security industry, it’s been quite an eventful 10 years - to say the least.
Last year we wrote in depth about the evolution of email phishing attacks and how technology has improved to keep pace. It’s crazy to think about how just 8 years ago, spam filters and anti-virus were the primary email security protections. And when attackers figured out how to outsmart such tools, secure email gateways (SEGs) hit the market, and to this day, remain the most common phishing prevention tool.
Attackers continue to evolve their phishing techniques to bypass enterprise anti-phishing defenses. A few years ago, we were introduced to business email compromise (BEC) and impersonation attacks mimicking everyone from a Fortune 500 CEO to a random colleague down the hall. In 2018, cybercriminals secured over $300 million per month from BEC attacks.
Lately, account takeover, SMS-text phishing and cloud-to-cloud phishing attacks have been everywhere in the news. And like clockwork, government and enterprise will soon respond, while the millions of small and mid-sized businesses that do not have the time, money and expertise to implement email security will fall behind.
The great enterprise email security debate
The email security industry, as a whole, is in the midst of intense debate over what technology, standards and protocols can deliver the most protections and reduce the most risk. The proliferating arguments are a bit ironic when considering that successful cyberattacks continue to cost enterprises over $1 million per incident.
For those of us in the industry, the most common arguments we hear are:
· Robust email security requires two-factor authentication
· Adoption & maintenance of protocols like DMARC are essential
· Phishing awareness training should be mandatory for all organizations
· Encrypt all email messages
· Incident response requires automation (We totally agree with this one)
While none of these trending arguments is wrong per se, they are all too narrowly focused on solving small components of a bigger problem. The reality is - and this has been IRONSCALES’ philosophy since day 1 - that email phishing is a complex challenge that requires a complex solution of humans and machines working together. That’s why 90% of all cyberattacks continue to begin with email phishing attacks - the tactic just works.
The harsh reality is that despite improvements, the enterprise is currently losing the email security battle to phishers, in large part due to the siloed and subjective conversations that fail to address the big picture. So, as we approach the end of 2019 and the beginning of a new year with no end to the email phishing epidemic in sight, what exactly should a comprehensive email security solution include? Here are the 7 essentials:
ADVANCED MALWARE & PHISHING URL/LINK PROTECTION - To continuously inspect all inbound links and attachments, using computer vision to detect visual deviations in real time and determine whether or not a login page is legitimate, automatically blocking access to verified malicious URLs.
MAILBOX-LEVEL THREAT DETECTION - To work in conjunction with advanced detections to identify sender impersonations, spoofing and business email compromise (BEC) that bypass gateway security tools.
HUMAN CENTRIC PHISHING DETECTION - Technical detection alone is not enough, as email phishing is a human and machine problem that requires a human and machine solution.
POST-EMAIL DELIVERY RESPONSE - Since time from attack discovery to response is of the essence, any email security technology must provide end users with automated incident response and remediation across all affected mailboxes.
DECENTRALIZED ACTIONABLE CROWD SOURCED INTELLIGENCE - Sharing information within a platform that is actionable through automation empowers organizations to proactively prepare for trending email phishing attacks.
CLOSED FEEDBACK LOOP - Orchestrating threat intelligence from technical and non-technical controls into a continuous feedback loop is critical in preventing phishing emails from going undetected due to a lack of communication between controls.
ONE PLATFORM, SEAMLESS DEPLOYMENT and INTEGRATION - Combining all of the essential functionalities to combat modern email threats into one single platform that can easily integrate with or replace your existing email security stack, while keeping deployment seamless and scalable and the total cost of ownership low, is a major benefit to security teams.
It’s hard to say what this list of essentials will look like a few years from now. It depends on how attackers continue to evolve their phishing techniques. There is some evidence to suggest that SMS, cryptocurrency and social media phishing are primed to increase in frequency, which might suggest a downturn in traditional email phishing is near. Not likely, but a small possibility.
As your organization begins preparations for 2020, the most important email security question to ask is whether or not the company’s existing technologies, processes and procedures address the entire phishing picture, or just pieces of the puzzle.