What messaging channel has more users than Facebook and WeChat put together, and has been around since 1971?
It’s one of the world’s most significant technological innovations: email. As of 2019 there are around 3.9 billion email users around the world. With steady annual growth of 3% expected, we should have 4.3 billion email users by 2022. That’s far ahead of any social networking platform, and alongside SMS messaging, email is the biggest communications channel worldwide.
This scale has resulted in new risks to businesses’ security. Organizations control unprecedented amounts of data: as of 2019, it’s thought that more data now sits within enterprise environments than on all consumer endpoints (or individual devices).
That data presents a tempting target for malicious attackers who can sell and steal personal information or coerce employees into wiring money outside their organization. So what can security leaders and employees do to stop/reduce the tide of email threats threatening organizations’ money and data?
Email’s global scale means that it has created immeasurable value for businesses. But this has been accompanied by concurrent risks to people, systems and data. Virtually all the pieces of a traditional security toolkit – password protection, spam filtering, anti-virus tools – reflect the inherent danger of email communications.
Although email is one of the most influential communication mediums for billions of people today, it’s worth remembering that it started as an intra-organization chat tool. In 1969, ARPANET, a US Department of Defense network and the forerunner of the modern internet, hosted the first electronic message sent between two different computers.
This genesis shows the intimacy and openness of email – still a blessing and a curse today. Despite being “incubated” within a secretive government research unit, email is now uniquely open. This decentralised structure has taken the friction out of global commerce, and is vital to individuals and businesses alike. But there’s a tension here. An open network is a risky network.
Decades after the first emails were sent, we’re seeing more and more sophisticated threats affecting organizations, from both inbound and outbound email activity. In this piece we’ll cover the basics of how email works, as well as describing some of the ways enterprises can be put at risk thanks to security failures.
Email 101: How does email work?
Put simply, email operates by way of servers speaking with each other. The framework that governs these communications is called Simple Mail Transfer Protocol (SMTP). SMTP is the protocol, which governs how servers send and receive packets of email data. The server sending an email will “push” the email to a receiving server.
There are three key component parts of each email, all of which are to some extent based on traditional, physical mail.
The envelope is the initial information pushed by the server sending an email to the receiving server. It simply indicates the email’s sender and recipient, as well as some validating commands exchanged between the sending and receiving servers. Email users can’t see the envelope, since it is part of the internal routing process for emails.
The email header, which is transmitted alongside the body of the email, contains metadata such as the time the email was sent, which servers sent and received the data, and so on. Email clients (such as Outlook, Gmail etc) hide header information from recipients.
The body of an email is simply the content that a recipient sees and interacts with.
The envelope, the header and the body are all potential weak spots in organizations’ security perimeters. It is not difficult for an attacker in control of their own email server to spoof details of an email’s header, for instance, or to target an employee with a convincing impersonation of a trusted colleague or partner. (See other Tessian blogs for examples of display name and domain impersonation, which are regularly used to target enterprises and their employees in spear phishing campaigns.)
So which parts of today’s email security stack pose potential risks to people and companies?
Shortcomings of traditional email security tools
Secure Email Gateways: Secure Email Gateways – also known as SEGs or Email Security Gateways – have been deployed by organizations for decades. SEGs offer an all-in-one solution that blocks spam, phishing and some malware from reaching employees’ inboxes. They might use email encryption to make communications harder to intercept. As with DLP tools (see below), SEGs operate by way of extensive lists of rules that only defend against threats the system or organization has seen before.
DLP: Essentially, Data Loss Prevention (DLP) software ensures that organizations don’t leak sensitive data. DLP software monitors different entry and exit points within a corporate network, such as user devices, email clients, servers and/or gateways within the network. Like SEGs, DLP tools are invariably rule-based, limiting the range of new and evolving threats DLP products can defend against.
SPF / DKIM / DMARC: SPF, DKIM and DMARC are email authentication records that, in short, help protect organizations against attackers spoofing their domains. Although they can help stop spoofing attempts, the effectiveness of these protocols is limited by their lack of adoption. The vast majority of organizations around the world have not yet implemented DMARC, which means attackers can easily target vulnerable companies and spoof their domains. (For more information, head to Tessian’s blog on DMARC.)
The traditional technological armory used by enterprises hasn’t changed much in years. So how can employees and security professionals make sure organizations are well-equipped to defend against email attacks?
Best practices for email security
It’s vital that employees and organizations alike maintain strong email security. Although most traditional enterprise security products put up reasonably good defenses against the vast majority of spam and “bulk” phishing attacks, more advanced spear phishing emails and Business Email Compromise scams still evade defenses. What’s more, they still don’t prevent accidental data loss or deliberate exfiltration via email. Here are a few key strategies virtually all organizations can employ to get the basics right and defend against cyber threats on email.
Even when organizations and attackers are in a cybersecurity arms race, the basics of good security still apply. (To see how Tessian is helping Arm with the basics of email security, read the case study.) Email accounts need strong passwords: a good guideline is that if you can remember your password, it isn’t strong enough. If your organization uses a password management tool like Lastpass or 1Password, make sure all passwords are stored on that system.
Manage sensitive information carefully
Organizations control all kinds of sensitive data, and the popularity of newly flexible working habits means that security leaders need to be especially vigilant as to how data moves inside and outside organizations’ networks. Sensitive customer or employee information should never be sent to non-business email addresses, for instance, whether through carelessness or malicious intent.
Leverage technology to train employees
Training and awareness is regularly talked up among cybersecurity practitioners. The problem is that taking employees away from their day-to-day duties and delivering context-free workshops on cybersecurity will rarely result in better vigilance and lasting threat protection. It’s important to invest in technology that can deliver in-situ, contextual training, allowing employees to learn from activity taking place in their own inboxes.
Invest in machine learning to outsmart bad actors
Today, too many email security products operate with complex lists of rules that govern which email threats can be detected. In addition, a lack of more intelligent offerings has led organizations to adopt security products that focus on protecting networks and individual devices, rather than the single most influential ingredient in any company’s security performance: its employees.
At Tessian, we think security software should be people-oriented. When machines protect other machines, user experience learn from email activity and refine its performance over time. Machine learning offers organizations the opportunity to make their email protection more intelligent and better able to deal with evolving, unpredictable threats.
Email has come a long way from those first ARPANET messages. But there’s still further to go. At Tessian, we’re building Human Layer Security for Email: our platform understands people’s behavior and prevents advanced threats in real time. We secure hundreds of thousands of employees at some of the world’s leading enterprises. To understand whether now is the right time for your organization to invest in a better email security solution, speak to one of our experts today.