Email Security Trends That Are Too Dangerous to Ignore

Email attacks are growing more sophisticated. This CISSP (certified information systems security professional) offers solutions and strategies MSPs should put in place to protect their clients.

The need for email security solutions has never been greater. With next-gen firewalls, artificial intelligence (AI) and other security solutions making it harder to get into businesses’ systems and applications, cybercriminals need to find other ways in. People, unfortunately, are often the chink in the armor. Several studies have revealed that more than 90 percent of cyberattacks begin with phishing emails.

Social engineering attacks are something that businesses now deal with on almost a daily basis — along with the lost productivity, downtime, data loss, and reputation damage that cyberattacks can cause.

The United States Computer Emergency Readiness Team (US-CERT) warns users to be suspicious of any email attachment, even if it seems to be coming from someone you know. Current email security threat trends, however, make confirming a sender’s identity harder than you may think.

Cameron Camp, CISSP and Security Researcher at ESET, says, “Attackers are spending much more effort compromising business email, especially attempting to access web-based clients, which are far more full-featured these days. This allows them to monitor and send email on behalf of corporate officers. They can create largely invisible filters that forward a copy of all emails to another email account the attackers own. Then they can, for example, send legitimate-sounding emails requesting wire transfers to the accounting department.”
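
One way an MSP could check client mailboxes for the forwarding filters described above is to audit an export of mailbox rules. The following is an added example, not code from the article or from ESET; the rule field names, the internal domain and the sample rules are all constructed assumptions.

```python
# Added example: flag mailbox rules that silently forward mail outside the org.
# Field names below are hypothetical, not any mail provider's export schema.
INTERNAL_DOMAINS = {"example.com"}  # assumption: the client's own mail domains

# Constructed sample export; none of these mailboxes or addresses are real.
SAMPLE_RULES = [
    {"mailbox": "cfo@example.com", "name": ".", "enabled": True, "conditions": {},
     "forward_to": ["cfo.backup@mailbox.example.net"], "mark_read": True},
    {"mailbox": "ap@example.com", "name": "Invoices to shared box", "enabled": True,
     "conditions": {"subject_contains": "invoice"}, "forward_to": ["ap-team@example.com"]},
    {"mailbox": "hr@example.com", "name": "Vendor copies", "enabled": True,
     "conditions": {"from": "vendor@example.org"},
     "redirect_to": ["hr@hr.example.com", "payroll@example.org"]},
    {"mailbox": "it@example.com", "name": "Old relay", "enabled": False,
     "conditions": {}, "forward_to": ["relay@example.net"]},
]

def is_internal(address):
    """True if the address is in an internal domain or one of its subdomains."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)

def audit_rule(rule):
    """Return the reasons an enabled rule deserves review (empty list if none)."""
    if not rule.get("enabled", True):
        return []
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    external = [t for t in targets if not is_internal(t)]
    if not external:
        return []
    reasons = ["forwards outside the organization: " + ", ".join(external)]
    if not rule.get("conditions"):
        reasons.append("no conditions, so it matches every message")
    if rule.get("mark_read") or rule.get("delete_after"):
        reasons.append("marks read or deletes the original, so the owner may not notice")
    if len(rule.get("name", "").strip()) <= 1:
        reasons.append("blank or one-character rule name")
    return reasons

def audit(rules):
    """Map (mailbox, rule name) to its review reasons, skipping clean rules."""
    report = {(r["mailbox"], r["name"]): audit_rule(r) for r in rules}
    return {key: reasons for key, reasons in report.items() if reasons}

if __name__ == "__main__":
    for (mailbox, name), reasons in audit(SAMPLE_RULES).items():
        print(f"{mailbox} rule {name!r}: " + "; ".join(reasons))
```

A rule that matches every message, sends it to an outside address and has a near-empty name is the pattern to escalate first; the conditional rule to a known vendor domain still appears in the report so someone can confirm it was intended.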

What Can You Do to Protect Your Clients?

There are technologies that are effective at keeping scammers from accessing your clients’ networks and data. “Multifactor authentication works wonders,” Camp comments. “Unfortunately, email providers who support the technologies are rare.” He says managed services providers (MSPs) and value-added resellers (VARs) can enhance their offerings with strong authentication solutions like YubiKey. These solutions require a second form of authentication or set of credentials to open applications and access data. If scammers succeed in getting employees to give up their login and password, they’d still have to provide additional information to gain access to mission-critical or sensitive information.

You also need to make sure basic hygiene and best practices are covered. Ensure your clients’ operating systems and software are up to date, and that you promptly apply security patches. Hackers will exploit vulnerabilities, often using email as the way to deliver malicious code. Additionally, talk to your clients about how often they train employees to keep them aware of trending email attacks and how to recognize them. Statista reports that about one-third of U.S. businesses and organizations hold cybersecurity awareness training once per year or less frequently — even though holding training more often can maintain awareness and good habits.

Deal with Intrusions, by Design

Regardless of how careful employees are with email attachments and giving up information to email scammers, it’s a smart strategy to assume that at some point, someone with malicious intent will get through.

Camp says, “There is no way to prevent a sufficiently motivated actor from getting in, given enough time and sophistication. But by severely limiting their potential lateral movement within the organization by compartmentalizing data and restricting default privileges, attacks designed to steal corporate secrets will have a very hard time getting to the ‘crown jewels’ if they do get in.”