Weaknesses in email security are a leading cause of successful cyberattacks against many organizations. Whether it’s ransomware, business email compromise (BEC), or a phishing email that lets cybercriminals gain access to sensitive data, email is the common denominator.
About the author
Peter Goldstein, chief technology officer and co-founder, Valimail.
According to Google, the average phishing campaign lasts only 12 minutes, making traditional tracing or blocking of specific servers less effective and stopping attacks more challenging than ever. Stopping phishing attacks during the global pandemic is even more vital: email use has increased alongside work from home, creating an even bigger attack surface, and this has encouraged hackers to use email as a primary attack vector. Of all the many vulnerabilities, unauthenticated email domains, which allow bad actors to impersonate a person or an organization, are the most common, as well as highly unethical and extremely difficult to detect.
The reality is that email, and the need to secure it, isn’t going away. Here are some of the old and new requirements taking precedence within the email ecosystem, making the simple act of opening an email a less risky proposition.
Email Security Ten Years Ago
Email is one of the most successful communications mediums ever invented, and its reach continues to grow. Almost 300 billion emails are sent worldwide every day, and the number of worldwide users increases at a rate of 3 percent per year. Unfortunately, email is not ready for today’s threats, because it was designed nearly 50 years ago, when its current global reach and security challenges were unimaginable. In that simpler time, email was sent from a company’s own email server, it wasn’t as integrated into business operations, and email receivers were less experienced and less suspicious of the messages they received. As a result, hackers didn’t spend as much time and effort disguising their identity. Decades of work by the email industry have mostly contained spam, but phishing and email-based malware remain massive threats, with email involved in over 90 percent of all cyberattacks.
Email Security Today
The notion of securing email by securing your own email server has changed drastically, especially over the last decade. It no longer makes sense to frame the problem as “how do I secure my email server?” Email insiders are busy developing standards aimed at addressing email’s biggest weakness: that anyone can send an email impersonating someone else. In fact, 89% of all phishing attacks have one thing in common: the sender is not who or what they claim to be. With more effective sender identity protections in place, we can shut down these frauds by focusing on sender-based email security and email authentication with DMARC, which lets a domain owner tell receiving mail servers to quarantine or reject messages whose From domain is not backed by an aligned SPF or DKIM result. The standards shaping the future of email are progressively requiring it. This cuts off the majority of email attacks by blocking the most dangerous forms of phishing before anyone has a chance to click on them. It’s also crucial to maintain good security hygiene by mandating multifactor authentication (MFA) for email accounts as well as all corporate applications. This considerably reduces the risk of account takeover if an employee does get phished.
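To make concrete what “sender-based” authentication actually checks, here is an added Python example (not code from the article, from Valimail, or from any DMARC product) that evaluates a published DMARC record against SPF and DKIM results the way a receiving mail server does under RFC 7489: the message passes only if an authenticated domain aligns with the visible From: domain; otherwise the published p= (or sp=) policy applies, downgraded by pct= where the record asks for partial rollout. The record, domains and authentication results are constructed for illustration, the public-suffix table is a tiny stand-in for the real Public Suffix List, and the `sample` argument replaces the random sampling a real receiver uses so the run is reproducible.

```python
"""DMARC evaluation (RFC 7489), simplified for illustration.

A message passes DMARC when at least one authenticated identifier aligns
with the RFC5322.From domain: a passing DKIM signature whose d= aligns, or
a passing SPF check whose MAIL FROM domain aligns. Anything else is
"not who they claim to be" and gets the published disposition.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed stand-in for the Public Suffix List (publicsuffix.org),
# needed to find the organizational domain for relaxed alignment.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "org.uk"}


def organizational_domain(domain: str) -> str:
    """Organizational domain = one label to the left of the longest public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # unknown suffix: fall back to last two labels


@dataclass
class DmarcRecord:
    policy: str = "none"                    # p=  none | quarantine | reject
    subdomain_policy: Optional[str] = None  # sp= policy for subdomains of the record's domain
    adkim: str = "r"                        # DKIM alignment: r(elaxed) or s(trict)
    aspf: str = "r"                         # SPF alignment
    pct: int = 100                          # percentage of failing mail the policy applies to


def parse_dmarc_record(txt: str) -> DmarcRecord:
    """Parse the TXT record found at _dmarc.<domain>."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: first tag must be v=DMARC1")
    valid = ("none", "quarantine", "reject")
    policy = tags.get("p", "").lower()
    if policy not in valid:
        raise ValueError("DMARC record requires p=none|quarantine|reject")
    sp = tags.get("sp", "").lower() or None
    if sp is not None and sp not in valid:
        raise ValueError("invalid sp= value")
    return DmarcRecord(
        policy=policy,
        subdomain_policy=sp,
        adkim=tags.get("adkim", "r").lower(),
        aspf=tags.get("aspf", "r").lower(),
        pct=int(tags.get("pct", "100")),
    )


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    a, b = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


@dataclass
class AuthResults:
    from_domain: str                # domain of the RFC5322.From header (what the user sees)
    spf_result: str                 # "pass", "fail", "none", ...
    spf_domain: str                 # RFC5321.MailFrom domain the SPF check ran against
    dkim_pass_domains: List[str] = field(default_factory=list)  # d= of signatures that verified


def evaluate_dmarc(record: DmarcRecord, record_domain: str,
                   r: AuthResults, sample: int = 0) -> str:
    """Return 'pass' or the disposition to apply: 'none', 'quarantine' or 'reject'.

    `sample` (0-99) stands in for the receiver's random draw used with pct=.
    """
    spf_aligned = (r.spf_result == "pass"
                   and aligned(r.from_domain, r.spf_domain, record.aspf))
    dkim_aligned = any(aligned(r.from_domain, d, record.adkim)
                       for d in r.dkim_pass_domains)
    if spf_aligned or dkim_aligned:
        return "pass"
    # Failing message: a subdomain of the policy domain uses sp= when published.
    policy = record.policy
    if record.subdomain_policy and r.from_domain.lower() != record_domain.lower():
        policy = record.subdomain_policy
    # pct= limits enforcement to a share of failing mail; the rest gets the
    # next less severe action (RFC 7489 section 6.6.4).
    if sample >= record.pct:
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return policy


if __name__ == "__main__":
    rec = parse_dmarc_record("v=DMARC1; p=reject; adkim=s; aspf=r; pct=100")
    # Legitimate bounce domain aligns under relaxed SPF alignment.
    print(evaluate_dmarc(rec, "example.com", AuthResults("example.com", "pass", "bounce.example.com")))
    # Attacker authenticates their own domain but displays example.com: no alignment.
    print(evaluate_dmarc(rec, "example.com", AuthResults("example.com", "pass", "attacker.net", ["attacker.net"])))
```

Note the second case: SPF and DKIM both "pass" for attacker.net, yet DMARC rejects the message because neither identifier aligns with the From domain the recipient sees. That alignment step is what turns raw authentication into sender-identity protection.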
Security is no longer about building walls around a physical presence. Instead, companies need to secure their brand and domain outside those four walls. This starts with security enhancements like MFA and encryption becoming a top priority for companies today. With so many people working remotely and needing to trust the system, the industry should have at least a basic, minimum email security standard in place, and it all starts with DMARC.
- Peter is an MIT- and Stanford-trained technologist who has worked in a variety of software verticals, including security, enterprise, email and video. He has built products and teams at a number of large technology companies, such as RSA Security and Perot Systems, as well as at small startups, like Tout, Securant and Swapt.