This is the first post of a four-part series. We’ll reexamine our assumptions about email threats, how we combat them, and our key areas of vulnerability. In particular, this series will take on the secure email gateway as the de facto answer to email threats, discuss why it has been so ineffective in tackling the phishing problem, and explore an alternate approach to protecting against these threats. To read the entire series prior to posting, download our companion white paper.
In this post we provide an overview of the cloud email security environment, including an in-depth, historical look at what has become simultaneously the easiest and most dangerous threat to any organization: phishing. We explore the hallmark tactics embedded in phishing schemes and evaluate how they interact with secure email gateways.
Email Isn’t Going Anywhere
To start, email remains the most widely used communication method for businesses. Studies estimate that nearly 125 billion business emails are sent each day—a three percent year-over-year growth since 2015. Yet, email is by far the most common threat vector for social-based attacks at 96 percent, with motivations ranging from financial gain to credential theft to espionage.
Technology writer Chris Nerney explained why email still reigns as a primary method of professional communication in a July 2018 blog: “Email is highly functional. Anyone with an email account can send an email to anyone else with an email address, no matter which client they use. In the business world, there’s a lot of value to that, and it’s probably the main reason why messaging apps, social media and collaboration platforms haven’t yet rendered email obsolete.”
In a 2018 survey of IT professionals, GreatHorn determined that the average organization has three security products in place to combat email threats; however, 40 percent see email threats bypass these security solutions and be delivered into inboxes on a weekly basis – yikes. Despite email’s tenure and prevalence, few organizations have email security threats under control – even with great manpower and tool investment.
The Traditional Approach to Email Security is Failing
A LinkedIn survey of more than 1,900 security professionals indicated that email security is a top priority for more than half of organizations. Threats are consistently becoming more sophisticated and slipping past traditional security measures, while the changing technology landscape creates new security demands. As more organizations embrace modern IT infrastructure, they seek to tackle the challenge with solutions that are just as dynamic as their cloud-based email systems.
Evolution of Threats
When electronic communications first rose to prevalence in the late 1980s and early 1990s, IT infrastructure looked very different than it does today. Technology was more tangible, and email security efforts were focused on encryption to ensure privacy rather than on the identification and remediation of threats. It wasn’t long before the Nigerian prince arrived on the scene. Fraudsters learned to manipulate electronic communication to spread this centuries-old scam, among others. The rapid growth of personal computer use in the late 1990s, along with the adoption of email as an efficient form of communication and file sharing for businesses, elevated email to a top threat vector.
Email threats quickly evolved from innocuous spam and fraud attempts to include malicious attachments harboring payloads of malware that could cripple an enterprise, and organizations turned to secure email gateways as the new standard for protection. Like a firewall for email, these gateways identified threats at a single point of vulnerability—the entry point—and relied on known variables that assumed successful identification.
As detection capabilities improved and payload-based threats were more easily recognized and thwarted, malicious actors sought new ways to compromise businesses via email. In the late 1990s, they found that by impersonating businesses and individuals, they could lure unsuspecting victims into clicking on links and readily handing over credentials or financial data. And so began the era of phishing, and with it, the email security landscape changed forever.
Next-Generation Threats Plague the Enterprise
Phishing attempts have grown to be one of the greatest threats to the enterprise. A LinkedIn survey of more than 1,900 security professionals reported phishing attempts as the greatest security concern. And rightfully so, as Verizon reports that 13 percent of all breaches start with a phishing attack and an astounding 70 percent of breaches associated with nation-state or state-affiliated actors involved phishing.
A 2017 study by Google and UC Berkeley asserted that phishing posed a greater threat than data breaches because of the accuracy of the data gleaned. Results showed only 7 percent of passwords exposed by a data breach were still in use, compared to 25 percent of those stolen through phishing or key-logging.
Threats Are Becoming More Believable
A deep dive into each type of attack is not warranted, given the copious amount of information already available. However, a few hallmark characteristics are worth noting, as they add to the believability of these attacks and increase their success rates.
- Social engineering: an act in which phishers leverage manipulation tactics to prey on individuals to collect confidential information.
- Impersonation: a tactic in which attackers gather publicly available information, and potentially data from the dark web, to learn about organizations and individuals, then leverage this information to impersonate people and/or businesses the intended target trusts.
- Technical simplicity: while sophisticated in nature, these attacks are very simple in structure. Unlike advanced malware attacks, which require a high level of technical expertise, impersonation attacks can be as simple as a short email from a spoofed email address. The personally tailored content of the email is the focus, and the advent of phishing kits has made these attacks even easier for the less technical.
While attacks are simultaneously becoming more sophisticated and believable in nature, security technology is also advancing to provide better protection for your business. Stay tuned for our next post in this series as we continue to reexamine our assumptions about email threats, how we combat them, and our key areas of vulnerability, while also evaluating the ease with which modern-day threats penetrate secure email gateways (SEGs). To read the entire series prior to posting, download our companion white paper!