For the last 25 years I have watched email grow from a "nice to have" into a business-critical application. People are more likely to send an email than to call or talk to another individual, and many are frustrated by the sheer number of emails they receive daily. There are even business consultants who focus on helping companies break the email habit. Some individuals keep their mailbox closed except for specific times when they allow themselves to read and respond to email. Yet most of us keep the mailbox open and respond throughout the day; it is also the main means of accessing our calendar, popping up to alert us about the next meeting. This is why I don't believe the email addiction is ending any time soon.

That is also what attackers are counting on: us being tied to our email. This makes email not just a very easy and low-cost attack vector, but an effective one. Why? Because a mail server's job is to deliver email, not to reject it. Yet, according to Talos Intelligence, almost 85 percent of all email is spam, meaning more than 8 out of 10 messages should never reach the intended recipient. As good as the built-in controls are, some of those messages will still be delivered. Which brings us to the Verizon Data Breach Investigations Report, which indicates that 90 percent of cybersecurity breaches are the result of a successful phishing attack. It is baffling that people are still clicking on phishing messages in 2021. Yet it also isn't surprising.
Even if an organization has a strong security awareness program that brings the click rate on phishing messages down to 2 percent, that is still 2 percent of its users who, on any given day, will click on a message that could infect a workstation and spread malware or ransomware through the organization. These messages are no longer poorly written or so generic that they don't seem legitimate. They are now well crafted and, with spearphishing, targeted to look as close to legitimate as possible. Rather than continuing to rely on end users to make the right decision every time, I believe it's time to improve email security technology, or at least to apply what already exists. Humans are going to fail. We need technology to reduce the chances of a person failing the test and clicking on a real phishing message.
We need to employ email security the same way we employ security across the rest of the enterprise: in a layered approach based on risk to the business. I don't have time to get into the pros and cons of each technology, yet I do want to mention several options:

• Enabling DKIM, SPF and DMARC
• Using anti-phishing and anti-spoofing lists
• Advanced threat protection built into O365
• Secure email gateways (e.g. Barracuda, Mimecast, Proofpoint)
• AI-empowered protection (e.g. Abnormal Security, Armorblox)

There are many options, none of which is a silver bullet. And this doesn't mean we stop investing in end user security awareness. We still need our users to be sensors or detectors for the security team. Technology is going to fail at some point, just like a human will, and we'll need our users to be able to tell a real message from a fake one. Again, we need a layered approach, and security training that is engaging and educational still has a place in an enterprise's security program. When we start applying technology appropriately, we will see a reduction in this attack method. When that happens the attackers will shift to another method, which means we'll have to shift our attention and add even more protections to the environment.
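To make the first option in the list above concrete, here is an added example (not the author's tooling or any vendor's product) that parses the SPF, DKIM and DMARC TXT records a domain publishes and flags the settings that leave it spoofable: a monitor-only `p=none` DMARC policy with no reporting address, a permissive `+all` or neutral `?all` SPF terminator, a DKIM key left in testing mode, and so on. "Enabling" these records is not enough if they are published in their weakest form, which is what this check makes visible. The domain names, selector and record contents are constructed for the example; a real check would fetch them from DNS.

```python
"""Flag weak settings in published SPF, DKIM and DMARC TXT records.

Added example for this post, not the author's tooling. The records below are
constructed inline so the script runs offline; in practice you would fetch
<domain> TXT (SPF), <selector>._domainkey.<domain> TXT (DKIM) and
_dmarc.<domain> TXT (DMARC) with a DNS resolver and feed them in.
"""
from __future__ import annotations

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 s4.6.4 caps these at 10.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record: str) -> dict[str, str]:
    """Split a 'tag=value; tag=value' record (DKIM and DMARC syntax) into a dict."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def _spf_name(term: str) -> str:
    """'include:_spf.x' -> 'include', '-all' -> 'all', 'redirect=x' -> 'redirect'."""
    name = term.lstrip("+-~?").lower()
    for sep in (":", "=", "/"):
        name = name.split(sep, 1)[0]
    return name


def assess_spf(record: str) -> list[str]:
    """Return weaknesses in an SPF record; an empty list means it is enforcing."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings: list[str] = []
    all_terms = [t for t in terms[1:] if _spf_name(t) == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        # The qualifier on the final 'all' decides what happens to everyone else.
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("+all: any host on the Internet may send as this domain")
        elif qualifier == "?":
            findings.append("?all: neutral result, treated like having no SPF at all")
    lookups = sum(1 for t in terms[1:] if _spf_name(t) in SPF_LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups: exceeds the limit of 10, record PermErrors")
    return findings


def assess_dkim(record: str) -> list[str]:
    """Return weaknesses in a DKIM key record published at <selector>._domainkey."""
    tags = parse_tags(record)
    findings: list[str] = []
    if not tags.get("p"):
        findings.append("empty p= tag: key is revoked, signatures with this selector fail")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y: testing mode, verifiers are told to ignore failures")
    return findings


def assess_dmarc(record: str) -> list[str]:
    """Return weaknesses in a DMARC record; an empty list means it is enforcing."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings: list[str] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitor only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or '<missing>'}: policy tag missing or invalid")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are never received")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if policy in ("quarantine", "reject") and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains are left out of the enforcing policy")
    return findings


# Constructed sample records for a fictional domain (not real DNS data);
# the DKIM p= value is a truncated base64 placeholder, only its presence is checked.
SAMPLE_RECORDS = {
    "weak": {
        "spf": "v=spf1 include:_spf.mailhost.example ?all",
        "dkim": "v=DKIM1; k=rsa; t=y; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A",
        "dmarc": "v=DMARC1; p=none",
    },
    "hardened": {
        "spf": "v=spf1 include:_spf.mailhost.example ip4:203.0.113.10 -all",
        "dkim": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A",
        "dmarc": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
    },
}


def assess_domain(records: dict[str, str]) -> dict[str, list[str]]:
    """Run all three checks over one domain's records; findings keyed by record type."""
    return {
        "spf": assess_spf(records["spf"]),
        "dkim": assess_dkim(records["dkim"]),
        "dmarc": assess_dmarc(records["dmarc"]),
    }


if __name__ == "__main__":
    for label, records in SAMPLE_RECORDS.items():
        print(f"[{label}]")
        for kind, findings in assess_domain(records).items():
            print(f"  {kind}: {'OK' if not findings else '; '.join(findings)}")
```

The "weak" set is what many domains look like after a first pass at "enabling" these records: SPF ends in `?all`, DKIM is still in test mode and DMARC is at `p=none` with nobody receiving reports, so a spoofed message is delivered exactly as before. The "hardened" set is the state to work toward, with DMARC moved to `p=reject` only after the aggregate reports show legitimate senders pass.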