Security lessons learned from 2017
The headlines were filled with news of various types of big cyber attacks in 2017:
- WannaCry: In early 2017, this crypto ransomware impacted more than 200,000 computer systems at small businesses, multinational corporations, healthcare and educational institutions in 150 countries. Read up on WannaCry.
- Petya: Another ransomware attack, Petya hit machines running Microsoft Windows and demanded $300, payable in Bitcoin, to regain access. It nailed large law firms, advertising firms and other big organizations. Learn more about Petya.
- Equifax breach: About 145.5 million people around the world were affected by the Equifax breach, and Equifax itself certainly paid the price in stock losses, legal fees and regulatory fines associated with the breach. Equifax stock plummeted 35% after the breach – losing almost $6 billion in market capitalization. And in November, it was hit with a 50-state class-action suit. Get more details.
- Yahoo breach: Though the actual breach occurred in 2013, it only came to light this year, when it was revealed that 3 billion accounts – from email, Flickr, Tumblr and more – were lost. The cybercriminals got away with email addresses, account names and passwords. The “good news”? No financial data was exposed. See more.
Pro Tip: Breaches like these are going to keep happening in 2018, but GDPR will also be in effect in 2018, adding a whole other layer of legal enforcement. Remember, if you do business with any customers in Europe, GDPR applies to you. Here’s what you need to know.
Ransomware attacks and breaches grabbed most of the headlines, and got the lion’s share of IT personnel’s attention. But chasing newsy breaches isn’t a good way to run your security program.
“If your security strategy is significantly influenced by the news, you’re in trouble because you’re focused on what’s grabbing headlines instead of addressing potential risks to your business,” cautions Mimecast email security expert Matthew Gardiner. “It’s useful to read about what’s happening broadly, but you need to understand the events’ relevance to you. IT professionals’ bosses read the news and think it’s important to check the organization’s readiness for this kind of attack. But attacks that make the news are just a few of the millions that are occurring. Just because it is in the news doesn’t mean it is a risk for your organization.”
In December 2017 Mimecast published our quarterly ESRA results, and what we learned is that the bigger threat to organizations is missed impersonation attacks, which occurred more than seven times as often as missed email-borne malware. In fact, impersonation attacks skyrocketed almost 50 percent quarter-over-quarter in our testing results.
“The average organization and the typical email security systems they are using aren’t very effective at protecting against email impersonations,” Gardiner notes. “They’re going to battle with armor that has holes in it.” Learn how to plan for and respond to attacks.
“The rise of email impersonation attacks illustrates that cyber criminals are always moving forward and changing techniques,” Gardiner asserts. “The best defenders are not just reacting, they’re being proactive. You’ve got to think like an attacker and look for vulnerabilities to ultimately improve security to try to be a step ahead.”
For example, Mimecast’s research group regularly looks for weaknesses and gaps in email security. Recently, the team found an exploit that called into question email’s immutability as a messaging system. The exploit shown by Mimecast, dubbed ROPEMAKER, enables a cybercriminal to change an email’s content after delivery, such as editing text or replacing any URL with a malicious one, without direct access to the user’s inbox. Mimecast recently added a defense against this exploit for its customers, and made other security recommendations to protect email from this threat.
Looking Ahead to 2018: Cyber Resilience for Email
Even if you don’t have a crack team of IT Security pros trying to outwit hackers by uncovering exploits, a key project for 2018 should be improving your cyber resilience for email.
Preventing known threats is just the beginning. You need a cyber resilience strategy to protect yourself from email-borne threats and to mitigate overall business risk for an application as critical as email. A holistic email protection strategy includes:
- Before - Email Security: Spam controls and anti-virus tools aren’t enough anymore. To address advanced security threats, you need email cloud security services that protect against more sophisticated and targeted email-borne threats.
Pro Tip: Consider implementing DMARC, which addresses the literal spoofing of branded domains. DMARC makes it more difficult for malicious actors to send an email from a well-known domain, and when both the “sender” and the recipient are DMARC-enabled, the spoofed email is rejected. But don’t expect DMARC to solve all of your phishing threats.
- During - Mitigation: When you are attacked, you need systems in place to keep the infection from getting bigger and spreading farther.
- During - Continuity: Your business needs to keep running before, during and after a cybercrime. Downtime and outages only add to the financial and business impact.
- After – Recoverability: You need recoverability built into your program. The ability to quickly get back up and running – such as after a ransomware attack – is critical to your business. You never want to be in the position of even considering paying the ransom.
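To make the DMARC Pro Tip above concrete, here is an added example (not Mimecast code) of the disposition logic a receiving mail server applies: it parses a DMARC TXT record, checks whether the SPF or DKIM-authenticated domain aligns with the visible From domain, and returns the sender’s published policy when neither aligns. The DNS records, domains and authentication results are constructed for illustration, and the organizational-domain lookup is simplified to the last two labels; the final case shows the caveat from the text, since a lookalike domain that publishes its own DMARC record passes cleanly.

```python
"""DMARC disposition check (added example, not from the original article)."""

def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=reject; adkim=s' into tag/value pairs with RFC defaults."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    """Simplified organizational domain: last two labels (no public suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs identical domains; relaxed ('r') needs same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(from_domain, spf, dkim, dns):
    """spf and dkim are (result, authenticated_domain) tuples; dns maps the
    '_dmarc.<domain>' name to its TXT record. Returns 'pass', 'no-policy', or
    the sender's policy action: 'none', 'quarantine' or 'reject'."""
    record = dns.get("_dmarc." + from_domain.lower())
    if record is None:  # fall back to the organizational domain's record
        record = dns.get("_dmarc." + org_domain(from_domain))
    if record is None:
        return "no-policy"
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags["aspf"])
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags["p"]

# Constructed DNS data: a brand with a strict reject policy, and an attacker-owned lookalike.
DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=s",
    "_dmarc.examp1e.com": "v=DMARC1; p=none",
}

if __name__ == "__main__":
    # Spoofed From: example.com relayed via attacker infrastructure: SPF passes only
    # for the attacker's envelope domain, so nothing aligns and the mail is rejected.
    print(dmarc_disposition("example.com", ("pass", "mail.badhost.test"), ("fail", ""), DNS))
    # Lookalike domain passes its own DMARC: the "doesn't solve all phishing" caveat.
    print(dmarc_disposition("examp1e.com", ("pass", "examp1e.com"), ("none", ""), DNS))
```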
“Cyber thieves are always looking for opportunities to exploit your email,” Gardiner laments. “But with a strong plan for cyber resilience you can better safeguard your organization.”
Cyber resilience for email. Sounds like a good New Year’s resolution!