For decades, email has been a conduit for cyberattacks — and the reason why couldn’t be more obvious: “Every company has at least one employee who will click on anything. Part of what the security challenge involves is protecting people from themselves.”
As Smith pointed out at Microsoft Envision in the fall, attackers also now rely heavily on targeted phishing emails and other individualized threats that are much harder to identify than the crude bulk messages of the past.
Employees who once used business-owned laptops and desktops to check their email now rely on their own mobile devices, and this makes email protection even more challenging.
Mobility greatly expands the opportunities attackers have to compromise user credentials and devices, breach email accounts and pose as users.
To address the challenges, businesses must deploy measures to markedly strengthen email security. Here are some tactics to prevent email-borne attacks from reaching employees and to mitigate attacks that penetrate a business’s defenses.
1. Adopt Stronger Encryption and Web-Based Email
Users often send and receive email through sessions that their email client software establishes with email servers. By default, many email clients don’t provide protection for these sessions.
Not only email messages and attachments, but also usernames and passwords, are transmitted without encryption to protect their confidentiality and integrity. Anyone monitoring such communications can gain unauthorized access to these email accounts and all associated messages.
Two options exist to protect email sessions. The first, Transport Layer Security (formerly known as Secure Sockets Layer), protects all sessions using email protocols, including IMAP, POP and SMTP. The second, using a web-based email service instead of locally installed email client software, ensures TLS will protect the web traffic.
With both options, strong passwords and multifactor authentication are also needed to validate the identity of anyone establishing an email session.
2. Move Your Business to Modern Anti-Malware Solutions
Anti-malware technologies, such as anti-virus, anti-spam and anti-phishing tools, have been used for decades to scan email messages and block or quarantine email containing malware and other malicious content. Newer anti-malware relies less on signatures of known malicious content and instead uses threat intelligence, reputation services and other near-real-time sources to pinpoint the location of threats — domains and IP and email addresses, for example. With highly targeted attacks now commonplace, it is vital to employ only anti-malware that uses the latest threat information.
Ideally, businesses should deploy modern anti-malware technologies as part of their infrastructure to monitor all email servers and services — and also on each client device to catch email-borne threats passing through outside email services.
3. Make Email Client Health Checks Mandatory
Businesses should monitor the health of all email client devices, whether company-owned or BYOD. Automated health checks can flag problematic email accounts and identify emerging security problems — such as end-user systems that use weak security settings or lack OS and email client software patches — and hasten corrective action by the IT team.
4. Block Exfiltration with Data Loss Prevention Tools
Cyberthieves commonly use email as a mechanism for exfiltration — the unauthorized transfer of sensitive information outside the business or organization.
Malicious insiders often use their email accounts to forward sensitive data files to other email addresses, and attackers use compromised accounts similarly. Data loss prevention technologies can detect and stop these threats.
DLP is a critically important weapon in the email security arsenal. Whenever possible, DLP tools should be used to monitor email servers and any client devices with access to sensitive data that might be an enticing target.
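As an added illustration of the kind of check a DLP tool applies to outbound mail (example code written for this page, not taken from any product), the sketch below decodes every text part of a message, attachments included, counts Luhn-valid payment card numbers, and blocks the message only when such data is headed to a recipient outside the organization. The domain `corp.example`, the addresses and the sample message are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAINS = {"corp.example"}  # assumption: the organization's own mail domains
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")  # 13-19 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def external_recipients(msg):
    """Addresses in To/Cc/Bcc whose domain is not one of INTERNAL_DOMAINS."""
    fields = [v for h in ("To", "Cc", "Bcc") for v in msg.get_all(h, [])]
    return sorted(addr for _, addr in getaddresses(fields)
                  if addr.rpartition("@")[2].lower() not in INTERNAL_DOMAINS)

def card_hits(msg):
    """Count Luhn-valid card numbers in every text part, attachments included."""
    hits = 0
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            text = part.get_content()  # decodes base64 / quoted-printable first
            hits += sum(luhn_ok(re.sub(r"\D", "", m.group()))
                        for m in CARD_RE.finditer(text))
    return hits

def dlp_verdict(raw):
    """Block only when sensitive data is leaving for an external address."""
    msg = message_from_string(raw, policy=policy.default)
    ext, hits = external_recipients(msg), card_hits(msg)
    return ("block" if ext and hits else "allow", ext, hits)

def sample_message(to_addr):
    """Constructed sample: a short note with a base64-encoded CSV attachment."""
    msg = EmailMessage()
    msg["From"] = "user@corp.example"
    msg["To"] = to_addr
    msg["Subject"] = "export"
    msg.set_content("File attached. Order ref 1234 5678 9012 3456.")
    msg.add_attachment("name,card\nalice,4111 1111 1111 1111\n",
                       subtype="csv", cte="base64", filename="export.csv")
    return msg.as_string()

if __name__ == "__main__":
    print(dlp_verdict(sample_message("drop@mail.example")))  # external recipient
    print(dlp_verdict(sample_message("peer@corp.example")))  # internal recipient
```

The order reference in the body has the shape of a card number but fails the Luhn check, so only the attachment row counts; scanning the raw message without decoding the base64 attachment would miss it entirely.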