In the third installment of this four-part blog series, we address the importance of well-trained employees. (To start at the beginning of the series, click here. To download the entire series, check out our “Future of Email Security in the Cloud” white paper.) The best defense against malicious threats to your business is embedded in the combination of well-trained employees and a decent email protection platform. We’ve written about the increasingly complex threats facing businesses; now we’ll cover why arming your employees with the information they need to make better-informed decisions is the best way to address emerging threats.
As email-borne threats grew in prevalence, distrust in users’ ability to discern harmful emails skyrocketed. Many organizations developed a culture of fear, uncertainty, and doubt, blaming users who fell for phishing scams and other socially engineered attacks. Users were labeled as complacent and the perpetual “weakest link.” Security leaders and compliance officers called for company-wide training and awareness to help educate users, as well as top-down buy-in and support to enforce policies.
Properly Training Your Employees
Security training and awareness is a multibillion-dollar industry. LinkedIn’s Cybersecurity Trends Report indicates that 27% of organizations have prioritized security training and awareness in their 2018 budget. Yet despite the increasing spend, the efficacy of security training and awareness programs is still lacking.
A recent phishing campaign turned the typical scam on its head and preyed on users’ fear of being the victim of a security breach. First reported by Brian Krebs, the sextortion scam targeted users directly: a hacker claimed to have compromised an account with malware and demanded a bitcoin payment in return for secrecy. Although the scam was consumer-focused, Krebs warned that this was just the beginning, noting that future bad actors could leverage a fresh password breach, perhaps one that the breached company wasn’t even aware of yet.
SEGs Can’t Analyze Intra-Domain Email
In the last decade, enterprise technology has evolved to meet demands for performance and scale. Organizations of all sizes are embracing modern technology such as cloud and software-as-a-service platforms. They offer a host of benefits, including cost optimization, reduced maintenance and improved reliability and efficiency. Cloud technology enables companies to rapidly spin up new infrastructure with little time and resources. All signs point to cloud technology as the future of digital business and a clear competitive advantage.
With features including email, chat, document sharing, and more, cloud-based offerings like Office 365 and G Suite enable collaboration and communication to anywhere, from anywhere, which is driving massive enterprise adoption. Computerworld reported in July 2018 that 4 million businesses have now subscribed to G Suite, up by 1 million from the previous year. And this is just a fraction of the total number of businesses that have embraced cloud-based solutions. An April 2018 brief reported that Office 365 Commercial had more than 135 million active users, a significant piece of Microsoft’s 90% market share.
While this migration to an open, collaborative, and self-service-driven infrastructure has fundamentally increased businesses’ ability to quickly react to market demands and remain agile in a competitive marketplace, it has created significant challenges for the security community. Often accused of being a blocker, security teams are now tasked with a seemingly impossible challenge: secure an increasingly borderless organization without impeding business operations and velocity.
Because digital business remains in a constant state of change, with new technology, workflows and threats emerging every day, infrastructure must be ultra-agile, scalable and responsive, and protection solutions must be adaptive to support this. Gartner listed this movement to a model of continuous adaptive risk and trust (CARTA) as a top ten trend for 2018.
The disparity between the binary, perimeter-focused method and the dynamic, user-focused attributes of cloud-native email solutions is creating a growing threat gap for the modern enterprise. The fact that the cloud email providers themselves, Microsoft and Google, rely on such outdated detection and protection methods demonstrates how ingrained this mindset is within the email security community. As a result, socially engineered attacks are slipping through this gap and costing organizations millions of dollars.
Impersonation emails are the most common type of threat to penetrate this gap. Various forms of sender and URL spoofing allow BEC and other socially engineered email threats to evade secure email gateways (SEGs). GreatHorn’s 2018 survey shows that, despite current email security measures, 15.8% of security professionals (or business users) see email threats (impersonations, wire transfer requests, W-2 requests, payload attacks/malware, business services spoofing, or credential theft) on a daily basis. An additional 24.2% see threats weekly, so a total of 40% see email threats at least weekly. Overall, nearly half of all respondents actively see impersonations bypass existing email security solutions.
Constantly Changing Infrastructure Demands Adaptive Protection
Because SEGs rely heavily on binary evaluation (good or bad), even emails with malicious attachments can slip through if the malware is not a known threat. GreatHorn research indicates that more than 33% of security professionals see payload attacks bypass their SEGs. The result is that, between payload-based and payload-free (i.e., phishing) attacks, 40% of security professionals have to take significant remediation action (suspending compromised accounts, running PowerShell scripts, resetting compromised third-party accounts, etc.) on at least a monthly basis, and half of respondents do so weekly.
Finally, the SEG’s inherent gatekeeper approach makes it impossible to identify internal email threats. This is a key factor in why Business Email Compromise (BEC) attempts are so successful. Spoofed sender names look like corporate emails, and since so many organizations don’t have email authentication set up properly, such emails are often allowed to bypass gateways. Additionally, compromised accounts can be used in an account takeover fashion to launch internal attacks on other employees. Since most SEGs can’t analyze intra-domain email, such attacks have particularly high success rates because they come from a trusted sender. Primarily targeting Office 365 users, chain phishing campaigns harvest account credentials, then use the compromised accounts to amplify phishing attempts to other internal and external users. Because those credentials provide access to the entire Office suite, including chat functions, the attack surface is expanded. This threat pattern also increases the chance that the attacker will be able to secure cloud credentials, opening up the potential for corporate sabotage, intellectual property theft, and exposure of customer and employee data.
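One way a defender can surface the indicators described above (a known employee's display name on a foreign address, a corporate From address arriving without passing authentication results, and intra-domain mail that redirects replies outside the organization) is to inspect message headers on the receiving side. This is an added example, not GreatHorn's code; the corporate domain, the staff directory and the three sample messages are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed corporate domain and a constructed staff directory (placeholders, not real data).
CORP_DOMAIN = "example.com"
KNOWN_STAFF = {"jane doe": "jane.doe@example.com"}

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def analyze(raw):
    """Return a list of BEC indicators found in one message's headers."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    findings = []
    # 1. Display-name impersonation: a known employee's name on an address that is not theirs.
    known = KNOWN_STAFF.get(name.strip().casefold())
    if known and addr.lower() != known:
        findings.append("display-name-impersonation")
    # 2. A From address claiming the corporate domain must carry passing SPF/DKIM/DMARC
    #    results stamped by the receiving server; anything else is an unproven claim.
    if _domain(addr) == CORP_DOMAIN:
        auth = msg.get("Authentication-Results", "").lower()
        for mech in ("spf", "dkim", "dmarc"):
            m = re.search(rf"\b{mech}=(\w+)", auth)
            if m and m.group(1) != "pass":
                findings.append(f"{mech}-{m.group(1)}")
        # 3. Intra-domain mail steering replies to an external address is a common BEC sign.
        _, reply_to = parseaddr(msg.get("Reply-To", ""))
        if reply_to and _domain(reply_to) != CORP_DOMAIN:
            findings.append("reply-to-external")
    return findings

# Constructed sample messages (headers plus a one-line body) covering the three cases.
SAMPLES = {
    "lookalike": "From: Jane Doe <jane.doe@examp1e.com>\nTo: bob@example.com\n"
                 "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass\n"
                 "Subject: Urgent wire transfer\n\nPlease process today.\n",
    "spoofed": "From: Jane Doe <jane.doe@example.com>\nTo: bob@example.com\n"
               "Reply-To: <payments@attacker.test>\n"
               "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=attacker.test;"
               " dkim=none; dmarc=fail header.from=example.com\n"
               "Subject: Updated vendor bank details\n\nSee attached.\n",
    "legit": "From: Jane Doe <jane.doe@example.com>\nTo: bob@example.com\n"
             "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass\n"
             "Subject: Lunch?\n\nNoon works.\n",
}
```

Running `analyze` over each entry in `SAMPLES` flags the lookalike and the spoofed message while leaving the legitimate internal mail clean; a real deployment would populate the directory from the identity provider rather than a literal.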
Adaptive Email Protection
There is an assumption that security is ingrained in the fabric of the cloud along with a consistent cycle of evaluation and remediation. Consider how many cloud-based SaaS applications dynamically prompt for two-factor authentication after recognizing the user is attempting access from an unknown device. This context-based change is triggered automatically, and users have come to expect this behavior as an additional layer of protection with cloud-based applications.
As email evolves, so do threats. There will always be a new threat looming just a click away; fortunately, adaptive email protection is continuously learning. Stay tuned for our final blog post in this series, in which we’ll dive deeper into what adaptive email protection is and how this system will help you stay protected. To read the entire series prior to posting, please download our companion white paper.