
Email Is The Single Biggest Threat To Businesses, And Here’s What You Can Do About It

By dave.barnett | August 9, 2022 | Updated: July 4, 2024 | 5 Mins Read

Email remains one of the most popular methods of communication, particularly for business communications. There were 316.9 billion emails sent and received every day in 2021, and this is set to increase to 376.4 billion by 2025. But despite the scale of its use and how much people exchange confidential information over email, it is not a secure system by design.

Consequently, email is a major attack vector for organisations of all sizes. Deloitte found that 91% of all cyber attacks originate from a phishing email (an email that attempts to steal money, identity or personal information through a spoof website link that looks legitimate). The cost to organisations can be catastrophic, with the National Cyber Security Centre (NCSC) reporting in August 2021 that phishing email attacks had cost UK organisations more than £5 million in the past 13 months.

It’s not enough for individuals to create complex passwords or rely on the security services of their email provider. Spam filters are not enough to stop malicious emails creeping into inboxes. Fortunately, safeguarding your emails with enterprise-grade email security doesn’t have to cost the earth or be hard to integrate, so businesses of any size can protect themselves.

Be aware of common email threats

Firstly, it’s critical to understand common email threats. There are a variety of attacks that can occur via email, leading to ransomware, business email compromise (BEC) and other risks. Let’s take a closer look at some of the most common types of email attacks:

Phishing: these attacks are attempts to steal money, identity or personal information through a spoof website link that looks legitimate. Phishing emails may direct users to a fake webpage that collects credentials or pressure users to send information to an email address that may look familiar or trustworthy, but is secretly controlled by the attacker.

Malware: there are different types of malware sent over email including spyware, scareware, adware, and ransomware, among others. Attackers can deliver malware via email in several different ways. One of the most common is including an email attachment that contains malicious code.

Account takeover: this is where attackers gain access to legitimate users’ email inboxes using their correct login credentials. Once inside, criminals may monitor messages, steal information or use the email address to forward malware attacks to the user’s contacts.

Email interception: in this case attackers intercept emails in order to steal the information they contain, such as usernames, email addresses, passwords, invoices, etc. In other cases criminals will carry out on-path attacks where they collect information and/or impersonate any of the correspondents, e.g. to get money transferred to their account instead.

Debunking the barriers to adoption

Legacy email solutions are often expensive and overly complex, making businesses resistant to the expense of implementing greater email security. These legacy email solutions have also become outdated, lack support features and are less compatible with the email systems we use today.

It’s time that the perception that email security is expensive and clunky is debunked. Protecting email systems really doesn’t have to be expensive or complex to integrate. There are providers that offer protection and insight across the entire attack cycle, monitoring activity and enabling users to know exactly what was flagged and the reasons why. Organisations benefit from an easy way to block phishing, malware, BEC and other advanced threats. With the latest email security technology, phishing attempts can be blocked in real-time and attacker campaigns or domains impersonating your brand are proactively hunted for. 

Another perception that needs to be overcome is that email security is only needed by large organisations. Cost-effective enterprise-grade security software provides automation that has changed the game for small businesses, allowing them to protect themselves better while the software does the heavy lifting for them.

Email security solutions and employee training must be implemented to protect individuals and businesses of all sizes from harmful email attacks. 

Embracing a Zero Trust approach

Zero Trust is a security framework that requires all users and devices to be authenticated when accessing the corporate network. This may seem like an inconvenience to the user, but what this approach does is secure an organisation’s entire risk landscape, with purpose-built layers of defence working seamlessly together. It offers a more holistic approach for businesses and their employees to remain secure throughout everything they do.

Too often the assumption is made that if someone or something is within a company’s ‘walls’, they must have been allowed entry, but an attacker can imitate an employee. It’s best not to trust anyone or anything for a safer defence and typically not everyone needs access to everything anyway.

Managing the biggest threat to business

As the complexity and scale of corporate networks continue to grow and new email security threats from cyber attackers persist, it’s crucial that organisations assess their attack surface and adopt the latest barriers of defence. The 2022 Cyberthreat Defence Report revealed that the telecom and technology industry was the second most victimised industry (of the top 7 major industries), with 90.3% of surveyed organisations being compromised by at least one successful attack in the past 12 months. Organisations of all sizes need to take a Zero Trust approach to security and seek out email security solutions as part of that framework that are easy to use and accessible to everyone to proactively stop attackers in their efforts.

Dave Barnett, Head of SASE EMEA at Cloudflare

    The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
