While security organizations spend billions per year to improve email security, the problem seems to be getting worse faster than it is getting better. Learn about the 7 main reasons this is the case and what you can do to improve your organization’s protections.
After recently publishing my blog Why Cybersecurity Never Seems to Improve, And What You Can Do About It, I thought I would narrow my security lens a bit further onto the topic of email security. Why is it that email remains the primary attack vector for most successful cybercrimes, even though billions of dollars are spent every year to prevent them? At the macro or global level, the problem seems to be getting worse, not better.
What follows is a discussion of the seven key factors that are driving the continued challenge of email security and what we can do about them.
- There is always some crisis, season, or highly emotional topic that is ripe for cybercriminals’ social engineering. Currently we are living through the COVID global crisis. Just about every individual and business person is interested in the latest virus news, the best place to purchase PPE, or yes, even who has toilet paper in stock. But of course, Christmas, Easter, political campaigns, hurricanes and brushfires, taxes, and many other motivating topics come around many times a year as well. And attackers plan and react to these topics accordingly. In fact, in the weeks after the COVID pandemic was first declared, approximately 10% of the spam and phishing emails blocked by Mimecast were leveraging the virus. Cybercriminals pivot quickly to the best way to grab the attention of their intended victims and to phish their hooks into their targets.
- Email has everything attackers need. Whether the threat actor is unsophisticated or sophisticated, email is regularly the point of entry into an organization. Why? Email is ubiquitous, with billions of users, global, extremely reliable, relatively anonymous, free, generally trusted by your average person, and technically very flexible. How many other technologies in common use combine the ability to deliver files, links, and customized text, with a look that is infinitely flexible and is completely up to the sender, and that actually is designed to allow domain spoofing?! Is it really a surprise that email is the go-to attack vector? And combining email and the web gives the attacker a massive 1-2 punch.
- The open internet. Just as I said in the previously mentioned Why Cybersecurity Never Seems to Improve blog, the wide-open internet is both incredibly valuable and incredibly risky; without proper monitoring and layered security controls, anyone can send email as anyone else and can register email and web domains and set up websites that look exactly as the owner decides. Is there any surprise that this is ripe for malicious spoofing and fraud? It takes extra effort to lock down one’s email domains with DMARC and to scour the internet for the various ways one’s online brand is being exploited.
- Your internet neighbors’ poor security hygiene is your problem. When innocent web bystanders or email services get hacked by cybercriminals, they very often are used to launch attacks against their ultimate targets. Why do the threat actors do this? On the web side, it is much more difficult to defend against malicious pages that are hosted on otherwise high reputation web domains. And don’t forget website DNS entries. If the attacker can get administrative privileges to a legitimate website’s DNS entry it is very easy for the attacker to register a subdomain – badsite.goodsite.com – and direct traffic to a malicious site that leeches off the good reputation of the goodsite.com domain. Similarly, with pwned email accounts, the attacker can use these innocent bystander email services as relays for their phishing campaigns, also leveraging their good reputation.
- The move to Microsoft 365 (formerly known as Office 365) creates email security disruption. And worse, organizations that are 100% dependent on the built-in anti-phishing services that come with the platform are left highly vulnerable to various forms of phishing. Don’t get me wrong, Microsoft 365 is a great service - 200M+ daily users can’t be wrong! But think like a cybercriminal: once it’s clear you’re running Microsoft 365 (just by checking your MX Record) the cybercriminal can be confident that the attack successfully running on his or her instance of Microsoft 365 will get through your instance of Microsoft 365. Do you use Microsoft to protect Microsoft at the operating system level of your clients and servers? Why not? The same logic applies to email security.
- Many organizations have old or incomplete email security protections. In the recently released State of Email Security Report it was reported that only 60% of organizations “have some kind of security system to protect their data or employees in internal and outbound emails.” This means that a significant portion of organizations seem only to be attempting to defend against inbound emails, but once the attacker gets into their email system, they are essentially blind to the other two email traffic vectors. One doesn’t want to become the bad internet neighbor that I described in the fourth point above, but many are.
- Weak security awareness training programs. Also reported in the State of Email Security Report was the fact that only 1 in 5 organizations conduct security awareness training at least once a month. How do we expect everyday staffers to be both aware and cautious of the latest attack types if they are only informed maybe once or twice a year? And what type of training is it? Boring? Hours of PowerPoint slides? Smashed into other types of compliance training? While the vast majority of organizations conduct some form of security awareness training - which is great - relatively few are doing it right. In fact the results are pretty stark: Mimecast data indicates that customers without Mimecast Awareness Training are 5X more likely to click on malicious links in email than those customers using it.
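The third and fourth points above lean on DMARC as the way to lock down one's own email domains (and their subdomains) against spoofing. The script below is an added example, not code from the original post or from Mimecast: it parses DMARC TXT records and flags the settings that leave a domain exposed, such as `p=none`, a `pct` below 100, a subdomain policy weaker than the organizational policy, or no `rua` reporting address. The domain names and records are constructed for illustration; a real check would first fetch the TXT record at `_dmarc.<domain>` with a DNS resolver.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample records for illustration; these are not real domains' DNS data.
SAMPLE_RECORDS = {
    "strong.example": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@strong.example; adkim=s; aspf=s",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25",
    "lax-sub.example": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@lax-sub.example",
    "broken.example": "v=spf1 -all",
}

# Enforcement strength of the three DMARC policy values (RFC 7489).
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass
class DmarcAssessment:
    domain: str
    valid: bool
    policy: Optional[str]
    subdomain_policy: Optional[str]
    pct: int
    reporting: bool
    findings: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' DMARC record into a lower-cased tag map."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(domain: str, record: str) -> DmarcAssessment:
    """Evaluate one DMARC record and list the weaknesses a defender should fix."""
    tags = parse_dmarc(record)
    # A record is only DMARC if it starts with v=DMARC1 and carries a p= tag.
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return DmarcAssessment(domain, False, None, None, 0, False,
                               ["not a valid DMARC record (needs v=DMARC1 and p=)"])

    policy = tags["p"].lower()
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    reporting = "rua" in tags
    findings: List[str] = []

    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # RFC default when the tag is unusable
        findings.append("pct= is not a number; receivers fall back to 100")

    if policy == "none":
        findings.append("p=none: spoofed mail is only reported, never quarantined or rejected")
    if POLICY_RANK.get(subdomain_policy, 0) < POLICY_RANK.get(policy, 0):
        findings.append(f"sp={subdomain_policy} is weaker than p={policy}: "
                        "attackers can spoof subdomains to bypass the main policy")
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail has the policy applied")
    if not reporting:
        findings.append("no rua= address: no aggregate reports showing who is spoofing the domain")

    return DmarcAssessment(domain, True, policy, subdomain_policy, pct, reporting, findings)


def assess_all(records: Dict[str, str]) -> Dict[str, DmarcAssessment]:
    """Assess every domain in a name-to-record map."""
    return {domain: assess_dmarc(domain, rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for result in assess_all(SAMPLE_RECORDS).values():
        status = "OK" if result.valid and not result.findings else "WEAK"
        print(f"{result.domain}: {status}")
        for finding in result.findings:
            print(f"  - {finding}")
```

The check treats a missing `sp` tag as inheriting `p`, which is what receivers do, so a domain that only sets `p=reject` is still covered for subdomains; the `lax-sub.example` record shows the case where an explicit `sp=none` quietly reopens them.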
What Can You Do About It?
The above list and discussion can seem daunting. This is after all why email security and its close cousin, web security, are so challenging for defenders and so useful for cybercriminals. While there is no easy fix or silver bullet solution that can single-handedly solve the security challenges, there are proven best practices that, when taken together, can dramatically reduce the risk of security incidents. On the technical controls front, using top-notch email/DMARC, web/web monitoring, network, endpoint, and multi-factor authentication security systems can provide valuable preventive security. Combine these and other technical controls with fit-to-purpose security awareness training and other ways to enhance your security culture and you will have done a lot to nail down two legs of the three-legged security stool.
What is the other leg of the stool? Process. Any important business process that can be disrupted or taken advantage of via a single point of failure is not sufficiently resilient. So, take a good look at those and do what you can to make them more resilient and thus less susceptible to the actions of cybercriminals.