Ask any information technology or security leader what keeps them up at night, and you can wager that a successful phishing email is on the list. Phishing seems to have been around for as long as cybersecurity has been a common term, yet it still plagues individuals and organizations across the globe. According to a recent report, phishing attacks grew 61% in the past year. Why? Because phishing is cheap and easy to do, and people continue to fall for it.
So this raises the question: what’s the point of implementing email defenses if phishing continues to succeed? Before we answer that, let’s first look at the typical types of email defenses.
There are a number of email defenses you can set up to make it more difficult for malicious emails to reach an intended target.
Spam filters, or spam blockers, are a common email defense. They run in the mail client or, more often, at the mail server or gateway, and detect unwanted (e.g., promotional) or malicious emails. The administrator configures criteria that trap messages based on particular senders, specific words or phrases, or the type of attachment. More sophisticated filters add content analysis driven by machine learning, both to catch mail that no static rule would and to avoid blocking legitimate email.
Antivirus software has been around a long time, since the 1980s, and remains an email defense mainstay. Antivirus is about preventing, detecting and removing malware on IT systems, networks and individual devices. It is usually set to scan automatically, can be pointed at specific files or directories, and matches what it finds against known malicious patterns (signatures). Once the software detects malware, it either removes or quarantines it automatically or alerts on it, depending on how you set it up.
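The two controls above are usually one pipeline at a mail gateway: rule-based filtering on sender, content and attachment type, followed by a signature scan of the decoded attachments. The example below is added here to show that pipeline in working code; it is not from the original article or any vendor product. The sender blocklist, phrase list, extension list, score weights and the two sample messages are all constructed for illustration. The one "signature" it carries is the EICAR test string, the harmless industry-standard file that every scanner is expected to detect, matched both as a byte pattern and by SHA-256 hash, which is how real engines do it at scale.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical administrator-configured criteria (not from the article).
BLOCKED_SENDER_DOMAINS = {"bulk-deals.example", "free-prizes.example"}
SUSPECT_PHRASES = ("verify your account", "act now", "password expired")
BLOCKED_ATTACHMENT_EXTENSIONS = (".exe", ".js", ".scr", ".vbs")

# One "signature": the EICAR anti-malware test string, harmless by design.
# Real engines carry millions of signatures; the matching idea is the same.
EICAR_SIGNATURE = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-"
                   b"ANTIVIRUS-TEST-FILE!$H+H*")
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def analyze(raw: bytes) -> dict:
    """Parse one raw RFC 5322 message, apply the rules, return a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings, score = [], 0

    # 1. Sender criteria: blocklisted domain, or a Reply-To whose domain
    #    differs from From (a frequent sign that replies are being hijacked).
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    if from_domain in BLOCKED_SENDER_DOMAINS:
        findings.append("sender:blocked-domain")
        score += 5
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        findings.append("sender:reply-to-mismatch")
        score += 2

    # 2. Content criteria: suspect phrases in the subject or the text body.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    for phrase in SUSPECT_PHRASES:
        if phrase in text.lower():
            findings.append(f"content:phrase:{phrase}")
            score += 1

    # 3. Attachment criteria: dangerous extensions, then a signature scan of
    #    the decoded bytes (the antivirus step). A signature hit is decisive.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(BLOCKED_ATTACHMENT_EXTENSIONS):
            findings.append(f"attachment:extension:{name}")
            score += 3
        if EICAR_SIGNATURE in data or hashlib.sha256(data).hexdigest() == EICAR_SHA256:
            findings.append(f"attachment:signature:EICAR:{name}")
            score += 10

    verdict = "block" if score >= 10 else "quarantine" if score >= 3 else "deliver"
    return {"verdict": verdict, "score": score, "findings": findings}


def build_phishing_sample() -> bytes:
    """Constructed message (not a real capture) that trips several rules."""
    m = EmailMessage()
    m["From"] = "IT Helpdesk <helpdesk@bulk-deals.example>"
    m["Reply-To"] = "collector@attacker.example"
    m["To"] = "alice@corp.example"
    m["Subject"] = "Your password expired - act now"
    m.set_content("Your password expired. Act now and verify your account.")
    m.add_attachment(EICAR_SIGNATURE, maintype="application",
                     subtype="octet-stream", filename="invoice.exe")
    return m.as_bytes()


def build_clean_sample() -> bytes:
    """Constructed legitimate message that should pass untouched."""
    m = EmailMessage()
    m["From"] = "Bob <bob@partner.example>"
    m["To"] = "alice@corp.example"
    m["Subject"] = "Notes from today's meeting"
    m.set_content("Hi Alice, the action items from this morning are below.")
    return m.as_bytes()


if __name__ == "__main__":
    print(analyze(build_phishing_sample()))
    print(analyze(build_clean_sample()))
```

The scoring thresholds are the knob the article goes on to discuss: raise them and phishing slips through, lower them and legitimate mail lands in quarantine. Keeping the signature hit decisive regardless of score reflects how production gateways treat a known-malware match.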
Much like a letter in the post, an email passes through other hands between sender and recipient, and that is where it is exposed. Spam filters and antivirus software do nothing to protect a message while it is en route, which is why encryption matters. Encryption renders the content of an email unreadable as it travels, so even if threat actors intercept it, they cannot read it.
Email encryption methods fall into two categories: transport-level encryption, where the connection between mail servers is encrypted (typically TLS, negotiated hop by hop, so each relay still handles the message in plaintext), and end-to-end encryption, where the message body is encrypted when it leaves the sender and decrypted only by the intended recipient (S/MIME and OpenPGP are the common standards).
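Because transport encryption is negotiated one hop at a time, the practical check is whether every relay on the path actually used it. Each relay records its session in a Received header, and RFC 3848 defines the protocol keywords: "with ESMTP" is a plaintext session, "with ESMTPS" (or ESMTPSA for an authenticated submission) is one protected by STARTTLS. The example below is added here and is not from the original article: it walks the Received chain of a constructed message and flags the hops that were not TLS-protected. The three hostnames, addresses and timestamps in the sample are made up. Treat the result as evidence rather than proof: Received headers are written by the relays themselves, so a hostile or sloppy relay can write anything, and "verify=NO" in the sample shows the common case where TLS was used but the peer certificate was never checked (the gap that MTA-STS and DANE exist to close).

```python
import email
import re
from email import policy

# Protocol keywords ending in S or SA mean STARTTLS was used (RFC 3848 / RFC 6531):
# ESMTPS, ESMTPSA, LMTPS, UTF8SMTPS ...; SMTP, ESMTP, ESMTPA, LMTP are plaintext.
TLS_PROTOCOL = re.compile(r"MTPSA?$")

# Constructed message with three relay hops (not a real capture). Relays
# prepend their header, so the topmost Received line is the most recent hop.
SAMPLE_MESSAGE = b"\n".join([
    b"Received: from relay.partner.example (relay.partner.example [203.0.113.5])",
    b"\tby mx.corp.example (Postfix) with ESMTPS id 4Vx1",
    b"\t(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO);",
    b"\tMon, 6 May 2024 09:15:01 +0000",
    b"Received: from mail.partner.example (mail.partner.example [203.0.113.4])",
    b"\tby relay.partner.example (Postfix) with ESMTP id 9Kq2;",
    b"\tMon, 6 May 2024 09:15:00 +0000",
    b"Received: from laptop.partner.example (unknown [198.51.100.7])",
    b"\tby mail.partner.example (Postfix) with ESMTPSA id 7Hc3",
    b"\t(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO);",
    b"\tMon, 6 May 2024 09:14:58 +0000",
    b"From: bob@partner.example",
    b"To: alice@corp.example",
    b"Subject: Q2 invoice",
    b"",
    b"Please find the Q2 invoice attached.",
    b"",
])


def audit_transport(raw: bytes) -> list:
    """Return the relay hops recorded in Received headers, oldest first,
    each with whether the relay reported a TLS-protected SMTP session."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        line = re.sub(r"\s+", " ", str(value))   # unfold continuation lines
        m_with = re.search(r"\bwith (\S+)", line)
        if not m_with:
            continue
        proto = m_with.group(1).rstrip(";")
        if proto.lower() == "local":
            continue                            # local delivery, not a network hop
        m_from = re.search(r"\bfrom (\S+)", line)
        m_by = re.search(r"\bby (\S+)", line)
        m_ver = re.search(r"version=([^\s;)]+)", line)
        m_ciph = re.search(r"cipher=([^\s;)]+)", line)
        hops.append({
            "from": m_from.group(1) if m_from else "?",
            "by": m_by.group(1) if m_by else "?",
            "protocol": proto,
            "tls": bool(TLS_PROTOCOL.search(proto.upper())),
            "version": m_ver.group(1) if m_ver else None,
            "cipher": m_ciph.group(1) if m_ciph else None,
        })
    hops.reverse()                               # chronological order
    return hops


def unencrypted_hops(raw: bytes) -> list:
    """Hops that carried the message over plaintext SMTP, as 'from -> by'."""
    return [f"{h['from']} -> {h['by']}" for h in audit_transport(raw) if not h["tls"]]


if __name__ == "__main__":
    for hop in audit_transport(SAMPLE_MESSAGE):
        print(hop)
    print("plaintext hops:", unencrypted_hops(SAMPLE_MESSAGE))
```

In the sample, the sender's submission and the final delivery to the corporate MX were both TLS-protected, but the internal relay-to-relay hop inside the partner's network was not, so the message body crossed that link readable to anyone on the path. That is exactly the gap end-to-end encryption closes and transport encryption cannot.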
When phishing or other malicious emails make their way through an organization’s established email defenses, it can leave many wondering if they should continue investing in the controls designed to prevent those compromises.
Email filtering has always had to walk a line between letting legitimate mail reach its destination and stopping malicious or unwanted marketing content. Businesses and security teams have learned that turning the filter up to its highest setting can hurt the business, because it may block emails critical to business functions and revenue generation.
Attackers and scammers know it’s unrealistic for businesses to lock down email completely, and they exploit that gap to develop techniques that slip past the filters.
The answer is, it’s not a simple question of whether email defenses work or not – it’s more about striking a balance between protection and business needs. It’s important to look past the expectation that an army of tools can fully protect the organization from email-borne attacks. A holistic email defense strategy must include not only a solid technology approach, but also account for the human element and the business’s core need to generate revenue.
To defend against phishing and other email threats, your security approach should include current, competent tools at the client, at the server and even at relay points outside the core network (bonus points for rewriting every link in inbound mail so that clicks pass through a proxy that checks the destination against known-bad lists at click time, since a link that was clean at delivery may be weaponized later). Your strategy also needs liberal user education: encourage users to be suspicious, to pause before clicking, and to know the procedure for reporting such content.
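The link-proxy idea is simple to state but has one trap worth showing: a proxy that redirects to whatever URL it is handed is an open redirector, and attackers will happily send links through it to borrow your domain's reputation. The example below is added here and is not from the original article or any product. The gateway side rewrites each href to carry an HMAC over the original URL; the proxy side, at click time, first verifies that HMAC (so only links the gateway itself rewrote are honoured) and only then consults the blocklist. The proxy hostname, secret key, blocklist entry and the sample HTML are all hypothetical.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlparse

PROXY = "https://links.corp.example/click"     # hypothetical click-time proxy
SECRET = b"hypothetical-key-rotate-me"          # hypothetical HMAC key, held by gateway and proxy
KNOWN_BAD_HOSTS = {"login-micros0ft.example"}   # constructed blocklist; in practice a live feed

# Constructed inbound message body (not a real sample).
SAMPLE_HTML = ('<p>Please <a href="https://login-micros0ft.example/reset">reset your '
               'password</a> or contact <a href="https://intranet.corp.example/help">'
               'the help desk</a>.</p>')


def _token(url: str) -> str:
    """Truncated HMAC-SHA256 over the destination, URL-safe base64 without padding."""
    tag = hmac.new(SECRET, url.encode(), hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(tag).decode().rstrip("=")


def wrap(url: str) -> str:
    """Gateway side: rewrite one destination into a proxied link carrying its token."""
    return f"{PROXY}?u={quote(url, safe='')}&t={_token(url)}"


def rewrite_links(html: str) -> str:
    """Gateway side: rewrite every http(s) href in an inbound message body."""
    return re.sub(r'href="(https?://[^"]+)"',
                  lambda m: f'href="{wrap(m.group(1))}"', html)


def extract_hrefs(html: str) -> list:
    return re.findall(r'href="([^"]+)"', html)


def resolve_click(proxied: str) -> tuple:
    """Proxy side, at click time. Returns (decision, destination) where decision is
    'reject' (token invalid: forged link), 'block' (known bad) or 'allow'."""
    q = parse_qs(urlparse(proxied).query)
    url = q.get("u", [""])[0]
    given = q.get("t", [""])[0]
    # Constant-time compare; a bad token means the gateway never issued this link,
    # so refuse rather than redirect and the proxy cannot be abused as an open redirector.
    if not url or not hmac.compare_digest(given, _token(url)):
        return ("reject", url)
    host = (urlparse(url).hostname or "").lower()
    if host in KNOWN_BAD_HOSTS:
        return ("block", url)       # judged now, with today's intelligence, not at delivery
    return ("allow", url)


if __name__ == "__main__":
    rewritten = rewrite_links(SAMPLE_HTML)
    for href in extract_hrefs(rewritten):
        print(resolve_click(href))
```

The destination check runs when the user clicks, which is the whole point: the blocklist consulted then can include intelligence that did not exist when the message was delivered. The HMAC adds nothing to that check; it exists purely so that a link someone constructs by hand against your proxy is refused rather than followed.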
Support and security teams should have a ready response for reported content and calibrate notification/alerting systems to quickly identify malicious activity in mail systems, regardless of the sender or receiver. To defend against attempts to compromise user credentials, enforce good password and authentication posture; multifactor authentication should be non-negotiable at this point.
Ultimately, business leaders should understand that risk never reaches zero where email attacks are concerned. The only invulnerable messaging system is the one nobody uses, and we all know that is not a viable option. Focus on instituting prudent controls, technological, administrative and behavioral, and practice response procedures that minimize long-term impact to the business.