Aug 24, 2020
Think of email as a chink in your armor, a gap in the protective layers of IT security you've carefully developed with the help of in-house or consultation services.
Nearly every organization these days functions online. They meet online. They manage projects online. They communicate online — often through third-party services, often independently, and often via email.
Email Is a Prevalent Access Point for Security Threats
In fact, according to a 2018 investigative report from Verizon, email was the number one vector for both malware distribution (92.4 percent) and phishing (96 percent). The motives behind the attacks vary: financial gain, espionage, fun, ideology, convenience, grudges, or other reasons.
What are the issues that can arise from a lack of email security?
Spam, scams, impersonation, blackmail, conversation hijacking, account takeover, insider threats, business disruption, ransomware, and more.
Data for Email Security Shows the Need
The State of Email Security 2020 report from Mimecast included insights from 1,025 IT decision makers from the US, UK, Germany, Netherlands, Australia, South Africa, UAE, and Saudi Arabia, alongside Mimecast's own data from screening 1 billion emails every day. Per the findings over the previous 12 months:
- 85 percent believe their organization's volume of web or email spoofing will remain the same or increase in the coming year
- 60 percent of respondents' organizations were subject to an attack that originated and spread from one infected user to their coworkers
- 51 percent were impacted by ransomware
- 55 percent do not frequently provide awareness training
- 58 percent reported an increase in phishing attacks
- 31 percent experienced data loss due to lack of cyber resilience preparedness
- 60 percent had an increase in impersonation fraud in the last year
- 82 percent suffered downtime due to an attack
- 60 percent of organizations believe it's inevitable or likely they'll suffer from an email-borne attack in the coming year
The tactics are only becoming more robust, sophisticated, and precise.
"Analysts from the Mimecast Threat Center assess factors like seasonality, or a change in threat actors’ tactics, accounts for the minor fluctuations in impersonation, year on year. What remains the same, however, is the use of pattern-of-life analysis to track social media sites, such as LinkedIn, to target individuals within organizations who may have access to executives and financial systems.
Emails Are Susceptible to Manipulation
"When it comes to phishing more generally, 72% of respondents stated it remained flat or increased in the last 12 months at their organizations, a jump from 69% in 2019. And, it’s potentially becoming more difficult to stop or prevent due to more advanced tactics like spear phishing, which increase the cyber threat actors’ probability of success, up to 75%," according to the report.
Spear phishing consistently recurs in reports on data breaches as they relate to email security, and for good reason. As mentioned, it includes pattern-of-life analysis. Spear phishing is a more advanced version of phishing in which attackers don't just ask outright for personal information; they track behavior, log information, and access a wealth of data to determine the most valuable target of an attack.
They lull the target into a false sense of security with a personalized profile of information. A simple email arrives that appears to be something from a coworker, friend, or family member. They'll reference information that's bizarrely specific. It's not uncommon. In fact, according to an article from Mark Gorrie, Senior Director and Security Expert at Norton, 91 percent of all phishing in the United States today is spear phishing.
Other times, the cause is less sinister, like someone sending an email to the wrong person.
How Email Security Helps Prevent Threats
Email security also helps prevent malicious threats like ransomware, which typically involves three steps after gaining access to data: encrypting it, obtaining payment, and then decrypting the data.
Business email compromise (BEC) "...continues to grow and evolve, targeting small, medium, and large business and personal transactions. Between December 2016 and May 2018, there was a 136% increase in identified global exposed losses. The scam has been reported in all 50 states and in 150 countries. Victim complaints filed with the IC3 and financial sources indicate fraudulent transfers have been sent to 115 countries," according to the FBI.
From October 2013 to May 2018 ...
The total losses from BEC: $12,536,948,299
The total incidents from BEC: 78,617
The need for email security is growing as the world becomes more digital and malicious threats become more advanced. Each person who has an email account presents an opportunity for a potential data breach.