Developing a Healthy Distrust for Email in the Workplace

A half-century has passed since the first electronic messages were sent via connected ARPANET computers. It was roughly a decade later than we began calling these transmissions “email.” In the decades since, email has become such a ubiquitous part of everyday life – shaping how we communicate, do business, shop, market products, pay bills, find jobs, and so much more – that we tend to overlook how vulnerable it leaves us.

Passwords authorize email account access but are easily compromised. Server-to-server delivery provides multiple points of weakness. Phishing attacks are becoming more sophisticated (and users, more complacent). End-to-end encryption is never guaranteed. Even after delivery, malware on the receiving device can expose email to prying eyes.

For businesses, the stakes are especially high. Any loss or compromise of proprietary information threatens brand and business integrity. Of particular concern are business email compromise (BEC) attacks, which are becoming more frequent and more costly. Sophisticated scams meant to divert electronic fund transfers, BECs have been discovered in 177 countries and involved billions of dollars.

And so, though email is affordable, convenient, and universally used, it is also a common and lucrative target for cybercriminals.

 

Why Attackers Love Email

According to Gartner, there are five primary reasons email makes such an attractive target:

  1. Inexpensive: Attackers can easily and cheaply send mass email messages. Manual attacks are just as cheap thanks to free email services.

  2. Usable for most attack types: Email lends itself well to both untargeted distribution (e.g., spam) and targeted attacks.

  3. Elusive: The ease by which anyone can register domains, together with an abundance of techniques to evade detection, means email helps keep attack origins elusive.

  4. Vulnerable: Inherent weaknesses in protocols and email technology are easily exploited.

  5. User trust: Because email is used so frequently by both consumers and businesses, many users have developed an “abundant trust” in it, rarely questioning senders, message content, or even attachments. The volume of email the average user receives exacerbates the issue; it’s simply too high for users to check and report issues regularly.

Over time, email security has strengthened, and continues to improve. Most cloud-based email services offer built-in security features, making them an attractive option for businesses. But basic measures like secure email gateways (SEG) and anti-spam filters are no longer sufficient. Attackers are too savvy, their methods too complex.

Take phishing, for example. Given its sheer scope, phishing remains a persistent, significant threat: there are 10 common types of phishing attacks and 13 different techniques in use today. The success rate for these attacks is high simply because they rely largely on social engineering techniques and will invariably find a naïve human target. The impacts of these attacks have been made more damaging by malware, and more financially devastating by ransomware.

The unfortunate reality is that the perpetrators of email attacks will always develop new and better attack methods. They’re on offense… which means you will always be on defense.

Defensive tools are imperative of course; you must not consider scaling back traditional methods of protection. But as new threats and attack methods emerge, more robust security measures are needed – and these are not always based in technology.

 

People Are the Weakest Link

In its 2020 Data Breach Investigations Report, Verizon found that a significant number of breaches were caused by credential theft, human errors, and social attacks. The common denominator in these attacks? The end users. From multinational enterprises to mom-and-pop shops, people represent one of the greatest vulnerabilities to any organization. And email is an increasingly common way cybercriminals get in.

That is why, as you design your email defense strategy, a crucial element involves shoring up and continually cultivating user awareness – i.e., ensuring users are not only aware of the dangers lurking in their inboxes, but that instead of the abundant trust noted above, they develop a healthy distrust of email content.

 

Building on Email Security Basics

Most organizational email security plans use a combination of password protection, anti-virus measures, and supplemental solutions that address specific needs. Regardless of the specifics, however, a standard email security strategy will address the following:

  • Establishing password standards

  • Authenticating users and senders

  • Filtering out unwanted content and attachments

  • Protecting outgoing messages

  • Managing and maintaining software

Most of these are implemented and enforced programmatically, typically through native security features or add-on software solutions. These are best practices that any organization should consider implementing, but they neglect what may be the most critical aspect of a comprehensive strategy: email security awareness training.

From the top-most executives to the most junior staff, contractors, and guest users should be trained on both your in-house policies (e.g., password requirements, proper use of company email, etc.), but also on the techniques and tools attackers use to breach email security. Familiarity with these methods will help users spot suspicious activity and adjust their own behaviors to lessen organizational risk. They will also be better equipped to respond when they receive an email that appears malicious.

To make these behaviors standard practice – the default setting, if you will – your training should spend time cultivating a culture of distrust for email in general. Teaching and reinforcing the following reminders will go a long way toward establishing that collective mindset:

  • Respect the spam filter – it is usually smarter than you are.

  • Assume unknown senders are bad actors.

  • If it looks suspicious, it probably is.

  • Do not click the link. (Really, don’t do it.)

  • When in doubt, ask the IT security team.

 

The Importance of Layered Email Security

There’s no one perfect formula for email security. Every organization is unique and will have different concerns and priorities. Some defensive tools may be considered non-negotiable by one company and not considered at all by another. Regardless of which policies are enforced and which tactics employed, however, you can enhance them by developing an educated user base, one that will cast a wary eye on all email communications. This additional layer of protection will help form an effective, often first-line defense against even the most sophisticated email threats.

In the end, even the most diligent team may not be enough to thwart a clever attack. That’s where IRONSCALES comes in. Our powerful email security platform helps you defend against threats at your most vulnerable point – your inbox. Contact us to learn more and request a free trial.