Why Email Security Remains a Problem and How to Mitigate the Risk
Cyberattacks are on the rise, and small businesses are three times more likely to be targeted than larger companies. Recent research shows that email security may be to blame.
According to Mimecast's State of Email Security 2022, 76% of respondents reported having been the target of ransomware, and 80% said they are getting ready for the next big email cyberattack. This is perhaps unsurprising, since efforts to spoof companies' websites and email domains are also increasing, according to the report: respondents said their companies experienced an average of 10 such attacks in 2021 alone.
While the security defenses that come with the dominant Microsoft 365 productivity platform afford some protection from email-borne attacks, nine out of 10 of the 1,400 IT and cybersecurity professionals surveyed find them insufficient.
These ongoing malicious attacks can cause significant reputational and financial damage to organizations of all sizes. Yet, despite increased awareness, the data shows lack of preparedness remains a major risk factor. There are some relatively straightforward ways to increase vigilance and mitigate the risk of attacks, however.
What Is the State of Email Security?
Email remains a leading source for cybercrime, implicated in over 90% of all cyberattacks, with the pandemic providing a new risk factor for these attacks. Google reports blocking 100 million phishing emails per day, and data from San Francisco-based Valimail shows more than three billion spoofing messages are sent each day.
Since the beginning of COVID-19, email security providers (ESPs) reported a surge in pandemic-themed phishing attacks taking advantage of people adjusting to work-from-home environments with less-secure computer hardware and networks.
Alon Golan, product marketing manager at Odix, an Israel-based cybersecurity company that secures email attachments for Microsoft 365 Exchange Online mailboxes, said email is also an easy gateway for bypassing legacy security tools because of the never-ending innovation in malware code, which makes it difficult to detect a known signature. In most cases, malware, ransomware or zero-day vulnerabilities manage to breach the network via unknown malware hidden inside an innocent-looking file.
It's a myth that a company is safe once it has migrated from an on-premises email server environment to a SaaS email environment such as Microsoft 365, Golan said. Using Microsoft 365 for email is not a cyber-resilience strategy. Among Microsoft 365 email users, 79% experienced an outage in 2021.
This may explain why nearly half of respondents participating in the Mimecast survey said they had turned to machine learning and artificial intelligence to help with the increasing risk of cybercrime. The other half said they were actively considering doing the same.
Increasingly Targeted and Sophisticated Attacks
This is the crux of the problem. Email security has always been a threat to enterprises but for a long time it was not perceived as a priority. Spam has also been with us for decades as a mechanism to socially engineer responses but until relatively recently, it was focused on playing off the greed of a recipient by promising handsome rewards, said Brian Chappell, chief security strategist at Johns Creek, Ga.-based BeyondTrust.
If greed is still the principal driver today, the techniques to exploit that are changing. There is currently a significant increase in the use of spear phishing (specifically targeted phishing messages) to take advantage of corporate structures.
“The greatest risk with email still has to be the delivery of malware, particularly ransomware, into the organization,” Chappell said. “When you combine spear phishing with a malicious payload, the chances of success for the attacker grow substantially. While tooling might be able to identify and filter malicious content, the attackers are getting better and better at masking the content, even making it look legitimate.”
Hackers are also spending more time on each attack than they did in the past. Spear phishing is not a fire-and-forget approach.
"It takes time and effort to do [it] well," Chappell said. "When we look at the ever-increasing payouts for ransomware attacks, it is clear why that is the case."
Vigilance and Diligence Remain Key
There is a significant target market for attackers, but companies can find solutions. The best defense remains controlling access to privileges and vulnerabilities that would enable ransomware to spread beyond the confines of the initially compromised system.
Eliminating standing privileges is a first step. Ensuring that any access to privilege, however low level it might seem, is secured behind multifactor authentication helps prevent an attacker from using a compromised user's capabilities. Addressing vulnerabilities with known exploits first and foremost will disable many of the attacks that might be used to elevate privileges and allow the attacker to move laterally across the environment.
In essence, the same basic, foundational cybersecurity measures that are fundamental for success in any cybersecurity strategy provide solid protection against an intrusion spreading. Containment is the first thing organizations need to aim for.
“Your strategy has to begin from assuming breach,” Chappell said. “If you build your cybersecurity strategy from there, then breach isn't the end, it's only the beginning of your defenses.”
Threats That Come From Inside the Network
While attacks on single users or groups of users are bad enough, the problem that the lack of solid email security poses is actually much larger. According to Daniel Hofmann, CEO of email security provider Hornetsecurity, self-propagating malware is the most dangerous threat to networks.
This type of malware uses the network to propagate, copying itself from one computer on the network to another. It can also exploit remote code execution (RCE) vulnerabilities, as WannaCry and NotPetya did. Malware can also self-propagate without exploits via shared network drives; the infamous QakBot malware has a module for this distribution method. Another route is connecting to nearby Wi-Fi networks to search for more vulnerable systems, and Emotet has a module for this.
The bottom line is that self-propagating malware can attack all sorts of networks. The threat poses a more significant risk to larger networks with many connected devices. Since attacks with self-propagating malware are often automated, attackers tend not to target specific entities.
The problem is that corporate networks often only defend against threats outside their perimeter. Inside the network, connections are often unrestricted. Once an attacker gets a foothold into such a network via a malicious email containing a self-propagating malware, the malware can take over the entire network faster than any incident response team can react.
After compromising the network, attackers will most likely deploy ransomware to the infected systems. With self-propagating malware, only a short time passes between the initial infection and an entire company being brought down by ransomware. Unfortunately, some computers must always communicate with others to keep a network running. Users, for example, must connect to shared network drives, which makes robust protection against letting malware into the network in the first place vital.
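The spread pattern described above (one newly infected host writing copies of itself to many other hosts' shares within seconds) leaves a fan-out signature in file-share audit logs that an incident response team can alert on. The following is an added example, not code from the article or from Hornetsecurity: it runs a sliding-window check over a constructed, simplified share-access log (one line per access: timestamp, source host, destination host, share, action, path) and flags any source host that writes executable files to several distinct hosts inside a short window. The log format, host names, file extensions and the 60-second / 3-host thresholds are all assumptions chosen for illustration.

```python
"""Flag worm-like fan-out in file-share audit logs (added example).

The log format here is constructed for this example; adapt parse_line()
to whatever your file server or EDR actually emits.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Extensions that a self-propagating payload is likely to drop on a share.
EXEC_EXT = (".exe", ".dll", ".vbs", ".js", ".ps1", ".bat", ".scr")

# Constructed sample log: WS-031 drops update.exe on four hosts within
# nine seconds (worm-like); WS-014 and WS-022 show ordinary user activity.
SAMPLE_LOG = """\
# timestamp           src     dst     share     action path
2022-05-10T09:00:01 WS-014 FS-01 finance READ Q2/budget.xlsx
2022-05-10T09:00:05 WS-022 FS-01 finance WRITE Q2/budget.xlsx
2022-05-10T09:00:09 WS-022 FS-02 hr WRITE onboarding.docx
2022-05-10T09:01:10 WS-031 FS-01 public WRITE tools/update.exe
2022-05-10T09:01:12 WS-031 FS-02 public WRITE tools/update.exe
2022-05-10T09:01:15 WS-031 WS-007 c$ WRITE Windows/Temp/update.exe
2022-05-10T09:01:19 WS-031 WS-012 c$ WRITE Windows/Temp/update.exe
2022-05-10T09:02:30 WS-031 WS-019 c$ WRITE Windows/Temp/update.exe
2022-05-10T09:10:00 WS-014 FS-03 it-admin WRITE installers/7zip.exe
2022-05-10T10:30:00 WS-014 FS-03 it-admin WRITE installers/vlc.exe
"""


@dataclass
class Alert:
    src_host: str
    targets: list        # distinct destination hosts written to in the window
    first_seen: datetime
    last_seen: datetime


def parse_line(line):
    """Split one constructed log line into its six fields."""
    ts, src, dst, share, action, path = line.split(maxsplit=5)
    return datetime.fromisoformat(ts), src, dst, share, action, path


def find_fan_out(lines, window=timedelta(seconds=60), min_targets=3):
    """Return one Alert per source host that writes executable files to at
    least `min_targets` distinct hosts within any `window`-long period.

    Lines are assumed to be in chronological order, as an audit log is.
    """
    recent = defaultdict(deque)   # src host -> deque of (timestamp, dst host)
    alerts = {}                   # src host -> Alert

    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, _share, action, path = parse_line(line)
        if action != "WRITE" or not path.lower().endswith(EXEC_EXT):
            continue

        q = recent[src]
        q.append((ts, dst))
        # Drop writes that fell out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()

        targets = sorted({d for _, d in q})
        if len(targets) >= min_targets:
            existing = alerts.get(src)
            if existing is None:
                alerts[src] = Alert(src, targets, q[0][0], ts)
            else:
                existing.targets = sorted(set(existing.targets) | set(targets))
                existing.last_seen = ts
    return list(alerts.values())


if __name__ == "__main__":
    for a in find_fan_out(SAMPLE_LOG.splitlines()):
        print(f"{a.src_host}: wrote executables to {len(a.targets)} hosts "
              f"({', '.join(a.targets)}) between {a.first_seen.time()} "
              f"and {a.last_seen.time()}")
```

On the sample log only WS-031 is flagged: its four executable writes land on four different hosts within nine seconds, while WS-014's two installer uploads are an hour apart and never reach the threshold. The window and target count are deliberately small so a single worm-like burst is caught while a help-desk machine pushing the occasional installer is not; tune both against a baseline of your own share traffic before alerting on them.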
“Strong email protection can prevent malicious emails from infecting user computers and potentially spreading onto unprotected shared drives,” Hofmann said. “Downloading malware from the internet into the network can be prevented with secure web gateways and similar secure web or DNS filtering services that block access to malicious sites and payloads.”
Considering that cybercrime is expected to cost the world $10.5 trillion annually by 2025, according to the 2022 Cybersecurity Almanac, companies would be well served to not put off implementing sturdier email security protocols.
About the Author
Mike Prokopeak is editor in chief at Reworked, the premier publication covering the r/evolution of work, where he leads content development focused on the transformation of the workplace.