The ubiquitous application is the attackers' universal vulnerability
Over the past two decades, email has rapidly and firmly
edged its way into becoming the most popular, most accepted and most basic
means for business communication. That is both good news and bad.

Sure, social media has had a growing impact over the years.
Marketing managers increasingly tweet about corporate successes, an executive
might crow about their company on Facebook or post Instagram pictures of happy
customers enjoying their products or services. But when it comes to one-on-one
or group internal communication, employees from the frontline to the C-suite
and the boardroom still favor tried-and-true email.
Despite ongoing communication advances, email is not likely
to leave its vaunted perch any time soon. The number of emails sent worldwide
each day is expected to jump from 269 billion at the end of 2017 to nearly 320
billion by 2021, according to Statista. As of this year, approximately
124.5 billion business emails alone are sent and received every day, according
to technology market researcher Radicati Group, Inc. By the end of 2019, every
business user is expected to send and receive on average 126 emails per day.
But it is email’s popularity, its constancy, its ubiquity and its simplicity
that also make it the prime target for cyber ne’er-do-wells who recognize
email as the easiest and most effective route for them to plant malware, worm
their way into a corporate network or trick unsuspecting employees into misdirecting
funds into their coffers.

In 2016, Symantec reported that one in every 131 emails
contained malware. And the success and proliferation of massive malware
campaigns, including ransomware hijacks, in the intervening months likely means
that these threats have only shot upward — especially in regard to the
enterprise email user. While enterprise IT security groups, and even mainstream
users, have been made increasingly aware of the threat of phishing or more
targeted spear-phishing emails, enterprises big and small still find that there
is often some employee willing to open an attachment or click a link, even if
the request or the source seems questionable.

“Phishing remains the number one [security] threat to most
companies,” says Quinn Shamblin, the chief information security officer for
Eden Prairie, Minn.-based Optum Technology. “At most companies, the easiest way
around the security is to send someone an email.” Shamblin, who previously
worked in IT security leadership at Procter & Gamble, Boston University,
and UnitedHealthcare, says that while a wide range of technology products are
emerging to help enterprises like his suss out the bad actors, technology alone
is not enough to beat back the constant assaults.

“Email security capabilities at the gateway do a good job of
holding back the ‘commodity-style’ attacks,” he says of more simplistic and
broadly aimed phishing emails. “But [these tools] are not as good when emails
target specific groups.”

Michael Osterman, president of Seattle-based Osterman
Research Inc., agrees. “The situation is bad and getting worse. Phishing has
become common. And business email compromise is very serious.” He acknowledges that
technology offerings are improving — evolving to even review the writing style
within the email itself to see if it matches up with the executive who
purportedly wrote it — but they will not block all the threats.

“The bad guys are always studying and reverse-engineering,”
Osterman says. “This is always a game of cat and mouse. On balance, the bad
guys are gaining an edge because there’s so much money behind them.”

And of course, at the core of these email-aimed
attacks lies the most basic and exploitable vulnerability — the sometimes naïve,
eager-to-please and often overwhelmed human employee. As Microsoft’s president
and chief legal officer Brad Smith reportedly summed it up while speaking in
2017 at a corporate conference, “Every company has at least one employee who
will click on anything. Part of what the security challenge involves is
protecting people from themselves.”

The upshot of all this, says Nick Hayes, senior analyst at
Forrester Inc. of Cambridge, Mass., is that “It’s still a world of hurt for security
pros today. Despite the huge investments into a variety of email security tools
from email security gateways to phishing simulation testing, email threats
remain a top area of exposure for companies.”

Sophisticated and targeted phishing attacks have in turn
given rise to more pervasive and damaging malware attacks and cases of business
email compromise, where fraudsters pose as a corporate executive or
business partner in order to coax unsuspecting employees into sending them funds or
information that they can resell for a profit. And no organization is immune,
no matter how secure it believes its systems and policies to be. Case in
point: Austrian aerospace and defense giant FACC AG, which sells equipment to
Airbus and Boeing, lost $54 million two years ago to a business email
compromise scam. The CEO and the CFO were fired as a result.

And, perhaps even more surprisingly, it is not always the
big institutions, large banks, defense contractors or hospitals that are
under threat any more. Bad actors are diversifying. Real estate-related
businesses — from real estate brokerage sales staffs to buyers and sellers and
from title companies to law firms — are increasingly being targeted by scams aimed at
getting them to share account information or other personal data that could be
monetized. Real estate scams increased 1,100 percent from 2015 to 2017, with
losses increasing 2,200 percent during that time.

Perhaps even more damaging, phishing can lead to ransomware
attacks, when an enterprise user opens an email-based attachment that unleashes
malware across the corporate network, locking up essential files, systems or even
access to vital equipment. The healthcare industry has been particularly
ravaged by ransomware, going back nearly three years to the highly publicized
“Locky” attack on Hollywood Presbyterian Medical Center. After the Los Angeles
hospital was forced offline for more than a week, the hospital management gave
in and paid its attackers $17,000. Not long after, Methodist Hospital in
Henderson, Ky., came under attack from “Locky” hackers, which prevented doctors
from accessing patients’ medical records.

Chris Greany, managing director and group head of corporate
security investigations and insider threat at Barclays in London, says that he
is not sure that “the landscape of threats has changed that much in the past
year. What I have seen change is how people respond [to try to] understand more
quickly what’s going through the network.

“There’s a greater appreciation of security awareness,”
Greany adds, “and making sure their employees understand what not to press or
click.”

Changing the culture, one email at a time

Perhaps the greatest challenge for organizations, in trying
to stem the rising tide of email incursions, is “just keeping ahead of it,
every day,” says Greany.

Indeed, as malware-as-a-service (MaaS) offerings evolve, a
less-skilled but large base of wannabe hackers is coming out of the woodwork
to “have a go” at email-oriented attacks, says Greany, just as the better
funded and more talented organized cybercriminals are becoming more creative,
and effective, with their more targeted assaults. “We need to make sure
everyone is getting the same learning, the same training,” Greany says.

Dan Lohrmann, the former CISO for the State of Michigan who
now heads a security consulting firm, believes that imbuing a culture of
security throughout an organization is critical as a foundation for security
awareness training, especially around the use of a tool as fundamental as
email. “It really starts with the culture of the organization,” says Lohrmann.
In his state CISO role, Lohrmann says, he served under Gov. Rick Snyder, the
former CEO of Gateway Computers, who was instrumental in helping his
organization become more knowledgeable about potential cyberthreats.

The converse, Osterman points out, is that when an organization
has “a corporate culture where the CEO cannot be questioned at any time in any
way,” email scams will flourish because the employees will have no opportunity
to consider the validity of a communication and their response. “And that’s death
to security awareness,” Osterman adds. “Information sharing is critical, as is a
higher frequency of training… Organizations need to keep those new threat
vectors front and center.”

Support from the uppermost echelon of the enterprise is
crucial, Osterman agrees. “The biggest challenge to security awareness is often
just getting the attention of the senior management,” he says. While the seemingly
daily headlines regarding cybersecurity breaches, especially those that begin
with an email, have helped make “board-level discussions about security
awareness more common and [put] more CISOs on the board itself,” Osterman says,
it is increasingly important that all the employees come to recognize that
security precautions “are not just an IT thing.”

Since October kicks off cybersecurity awareness month in
many parts of the working world, Greany and his team at Barclays are overseeing
a “global cybersecurity road show” — offering a host of in-person and online
trainings, webinars, and other events aimed at helping everyone throughout the
widespread global banking organization become more aware of better security
practices and potential threats.

“We want them to know this is really everyone’s
responsibility, that they’re part of the overall fight,” he adds. “Whether
you’re in the boardroom or the branch, there should be an understanding that
when something comes into your inbox, you need to know what it is before you
respond or act on it.”

In the case of Barclays, Greany says that attendance at many
if not most of their security events is “not mandatory, but it is expected. We
want people to willingly participate — and that means selling it to them in the
right way.”

For the U.K.-based bank, that means emphasizing the overall
benefit an employee will derive in not only being “part of the team” that keeps
their company secure, but also letting them know that this education will
benefit them in their personal life, he notes. Since spam, malware, and
phishing are not limited to enterprise users, and cybercriminals often target
personal email as well, Greany says that employees are learning that they can
take home the awareness and the practices they learn at work.

“People want to come along for that,” he adds. “Safe at
work, safe at home.”

As is oft pointed out by IT security experts, few employees
will come to a lasting awareness about security if their only training is a
once-a-year “death by PowerPoint” lecture. Echoing other security insiders,
Hayes agrees that email security awareness is about “ongoing prioritization and
maintenance. Email security requires a multi-pronged approach to prevent,
detect, and respond to email threats prior to and at the point of execution.”

Since the cybercrime market evolves even more quickly than
the products and practices aimed at stopping it, Hayes adds, “It’s difficult for
security teams to adapt as quickly as threats shift, especially given the range
of devices, applications, and points of ingress at attackers’ disposal.”

“Security awareness reduces your risk exposure,” Hayes
continues. “It doesn’t mean you’re 100 percent secure, but that your people are
less likely to click on a malicious link. Until security teams can guarantee a
phishing or otherwise malicious email will never hit users’ inboxes, security
awareness will remain critical. I think we have quite some time before that.”
Karen “Pepper” Hoffman has been writing and analyzing IT security, financial technology and general business and technology issues for more than three decades. She lives in Olympia, Wash.