The need for email security solutions has never been greater. With next-gen firewalls, artificial intelligence (AI) and other security solutions making it harder to get into businesses’ systems and applications, cybercriminals need to find other ways in. People, unfortunately, are often the chink in the armor. Studies have revealed eye-opening statistics. For instance, approximately 90 percent of data breaches begin with phishing. Further, 42 percent of employees reported clicking on an unknown link or other dangerous online activity. Phishing emails are opened 30 percent of the time.
Social engineering attacks are something that businesses now deal with on almost a daily basis — along with the lost productivity, downtime, data loss, and reputation damage that cyberattacks can cause.
The United States Computer Emergency Readiness Team (US-CERT) warns users to be suspicious of any email attachment, even if it seems to be coming from someone they know. Current email security threat trends, however, make confirming a sender’s identity harder than you may think.
Cameron Camp, CISSP and Security Researcher at ESET, says, “Attackers are spending much more effort compromising business email, especially attempting to access web-based clients, which are far more full-featured these days. This allows them to monitor and send emails on behalf of corporate officers. They can create largely invisible filters that forward a copy of all emails to another email account the attackers own. Then they can, for example, send legitimate sounding emails requesting wire transfers to the accounting department.”
What Can You Do to Protect Your Clients?
There are technologies that are effective in keeping scammers from accessing your clients’ networks and data. “Multifactor authentication works wonders,” Camp comments. “Unfortunately, email providers who support the technologies are rare.” He says managed services providers (MSPs) and value-added resellers (VARs) can enhance their offerings with strong authentication solutions like YubiKey. These solutions require a second form of authentication or set of credentials to open applications and access data. If scammers are successful in getting employees to give up login and password, they’d still have to provide additional information to gain access to mission-critical or sensitive information.
You also need to make sure basic hygiene and best practices are covered. Ensure your clients’ operating systems and software are up to date, and you promptly apply security patches. Hackers will exploit vulnerabilities, often using email as a way to deliver malicious code. Additionally, talk to your clients about how often they train employees to keep them aware of trending email attacks and how to recognize them. Only about 25 percent of companies spend two or more hours per year holding cybersecurity awareness training – even though doing so can maintain awareness and good habits.
Deal with Intrusions, by Design
Regardless of how careful employees are with email attachments and giving up information to email scammers, it’s a smart strategy to assume that at some point, someone with malicious intent will get through.
Camp says, “There is no way to prevent a sufficiently motivated actor from getting in, given enough time and sophistication. But by severely limiting their potential lateral movement within the organization by compartmentalizing data and restricting default privileges, attacks designed to steal corporate secrets will have a very hard time getting to the ‘crown jewels’ if they do get in.”