Email security can seem old hat and unglamorous on the surface. After all, email is essentially legacy technology (it predates Ethernet, the World Wide Web and many other major technological breakthroughs) and there are already tons of solutions out there, from automatic attachment scanners to security appliances. However, keeping email safe and secure is arguably more important now than it ever has been.
As a mission-critical application for enterprises everywhere, email is frequently targeted by attacks. An Adobe Systems online survey of 400 white collar workers found that they averaged over 6 hours a day dealing with email. Okta’s list of the 24 most used cloud apps included two email-heavy suites (Google Apps for Work and Office 365) in its top five. The amount of attention given to email has naturally made it central to schemes like social engineering and spear-phishing.
What is the current email threat landscape?
Most email is spam. The Trend Micro Global Spam Map breaks down spam rates by country, and the range is wide, from 41 percent in the U.S. to 84 percent in China (both numbers as of June 2016).
Fortunately, modern email gateways are generally good at screening out generic spam. The problem for many enterprises is not so much staying on top of all of these get-rich-quick solicitations and “Nigerian prince” scams, but in dealing with more subtle yet potent threats that pop into their company inboxes:
- Spear-phishing: Carefully crafted emails, made to look like legitimate communications, are often the first steps in a targeted attack. An attacker might send a message that requests the recipient review an attached PowerPoint deck or Excel sheet. Any action on the attachment could compromise a PC and possibly enlist it in a botnet.
- Business email compromise: This sophisticated scheme involves hijacking business email accounts to facilitate fraudulent wire transfers. The exact techniques used in BEC vary widely from one case to the next, but are costly all the same. The FBI has estimated that BEC affected 7,000 individuals between October 2013 and August 2015, with $750 million in losses.
Moreover, email security has become a major issue in recent months for organizations such as the Democratic National Committee and the Panamanian law firm Mossack Fonseca, both of which have struggled to secure their transmissions from prying eyes. Email is still at the center of millions of enterprise employees’ daily workflows, but keeping it safe is a growing challenge.
Multi-layered email security as a solution
Email security mechanisms have evolved in response to the new wave of threats. Some supplementary measures to basic security measures such as firewalls now include:
- Sender Policy Framework: SPF helps discourage spam and phishing by authenticating the domain of a sender records published in the Domain Name System; basic SMTP does have such authentication capabilities.
- Deep inspection: Detection engines and sandbox simulations of email attachments can discover advanced threats before they compromise your systems.
- URL scanning: It is possible to scan URLS for known spam/malicious domains and to send them through cloud gateways so that their pointers are inspected for potential issues whenever clicked upon.
- Encryption: Following the revelations about worldwide government surveillance in 2013, encryption took center stage in many cyber security discussions. Email encryption is important since email is an inherently unsecured communication medium and messages can fall into the wrong hands.
“Standard security tools like firewalls and antivirus programs remain necessary, but they are not enough to protect private and sensitive data as it travels over the Internet in today’s high-risk climate,” explained a Trend Micro white paper, “Email Privacy 101.” “The people paying most attention to your security gaps are those who want to exploit them. The only way to beat them is to pay more attention yourself. Email encryption does that for you.”
This quartet of tools and others will be essential in the years ahead as email volume continues to grow for enterprises around the globe. The Radicati Group estimated that 109 billion business emails were sent per day in 2014, and projected that this number would rise to more than 139 billion by the end of 2018. With that amount of incoming mail, it will be vital to screen out spam as well as any malicious attachments that could lead to BEC, ransomware or targeted attacks.
Emails remains as important as ever as a business application. Be sure to have secure email gateways in place in addition to anti-malware software and other protective mechanisms.