You've got email... breaches

Misdirected emails have been identified as the UK's top cause of reported security incidents, leading to 44% more incidents than phishing attacks. Brian Wall reports

During the pandemic, email volumes have surged, with one-in-two IT leaders seeing an increase of over 50%. Coupled with the finding that 70% of IT leaders surveyed reported that they felt sensitive data is at greater risk when employees are working from home, the pandemic has created a perfect storm for email data breaches.

Will things be any better in 2021, even as and when emerging vaccines enable us to get to grips with COVID-19? Has the virus actually served as a catalyst to ramp up attacks and will this simply continue, should the virus be brought under firm control? Ultimately, can we only ever expect a 'least worst case' with email and accept that we all must suffer some level of collateral damage?

As Mark Forrest, CEO, Cryptshare, comments, email is likely to remain the cornerstone of our communications for some time to come, for the simple reason that it is universal, effective and cheap. "There are a plethora of point solutions for encrypting, scanning, blocking, authenticating and protecting against email-borne threats. But, in the end, we need to solve the puzzle of having all of these things at a price that our very much under-pressure budgets demand," he states. "Breadth and cost effectiveness have come into sharp focus during the pandemic where the promises of the biggest enterprise software vendors are being found wanting. This is not a time to drop your defences," he cautions, "but there are cost-effective choices."

Steve Mulhearn, Fortinet: CISOs must educate their employees about common attacks.

With the trend towards a remote workforce continuing this year, the need to keep the remote workforce secure will continue, says Dean Coclin, senior director of business development at DigiCert. "With regard to emails, providing tools to warn users of emails originating outside the organisation, capabilities to encrypt email and keeping email safe on mobile devices will continue to be essential. VPN use will expand as organisations see the security benefit."

With information about the pandemic constantly being sought, hackers look to entice people to click on email links associated with COVID cures, virus testing sites and similar topics. "These links can lead to malicious sites, defective equipment (ie, PPE) and phishing sites to get login/password information," he adds. "Cybercriminals will use whatever hot topic, be it the virus or something else, to steal credentials from unsuspecting users."

That said, organisations have become more adept at increasing their email security, Coclin points out. "Technologies such as DMARC, which prevent unauthorised individuals from sending emails using the company domain, are becoming more popular. Also, digital certificates to sign and encrypt email are being increasingly rolled out at companies, large and small. The CA/Browser Forum is currently working on new standards for email certificates, which are expected to be released this year. All of these improvements will help minimise 'collateral damage' and improve email security for all."

Misdirected emails cause the most incidents and are, according to Egress CEO Tony Pepper, "a revolving door" for data breaches, especially with many organisations moving to long-term remote working and email becoming an even more vital tool for sharing business information, particularly sensitive data. "In fact, our recent Outbound Email Security Report revealed that 94% of organisations have seen increased volumes in outbound email and one-in-two saw growth of over 50%. With this surge in email volumes came an increase in the surface area for risk."

Tony Pepper, Egress CEO: Misdirected emails are a revolving door for data breaches.

It means people are also more likely to make errors. "Remote working has created a challenging environment for many employees, with a myriad of distractions present - from providing childcare to answering the door for deliveries. These distractions easily lead to employees making mistakes, such as sending an email to the wrong person. It's no surprise, then, that 80% of organisations reported data being put at risk for a reason as simple as the wrong recipient being added to an email."

"Employees are also experiencing higher levels of stress, with the line between work and home life more blurred than before," continues Pepper. "Our research found that almost 40% of serious email data breach incidents were caused by tired and stressed employees."

With some 70% of IT leaders believing that sensitive data is at greater risk when employees are working remotely, heightened insider risk will be an issue for organisations in the long term, he comments. "If 2020 has taught us anything, it's the importance of securing the individuals within our organisation's human layer, so they can work effectively and productively - particularly when using email.

"With a combination of the intelligent technology and robust security training, organisations can keep their data safe, even in this period of heightened insider risk," Pepper concludes.

"One of the biggest vulnerabilities that has presented itself since the increase in remote working patterns is the advancement of social engineering tactics," comments Steve Mulhearn, director of enhanced technologies, Fortinet. "Unscrupulous actors are leveraging important contextual information about users, including daily routines, habits, or financial information and the chaos of email is the easiest place to slip by unnoticed."

Dean Coclin, DigiCert: VPN use will expand as organisations see the security benefit.

The most common security breaches experienced by UK businesses in 2020, according to GOV UK, were phishing attacks, with 86% of businesses falling foul of fraudulent emails and redirects to fraudulent websites, he adds. "To combat this risk, CISOs must educate their employees about common attacks that could appear in the form of phishing, spear phishing, smishing or various other tech support scams."

The simple tap of the shoulder in offices of old has drifted away, and now employees are left to the confinement of the four walls of their home office and inbox, rues Mulhearn. "However, the home office should remain purely an extension of the corporate security policy, and employee and company cyber behaviour should stay the same. One way of implementing this is through a Zero Trust Network Access (ZTNA) model and ensuring flexibility is increased without the increase in risk. If malware is installed, then isolation and data access restriction to remediate is critical, and Endpoint Detection and Response (EDR) systems play a crucial part in this process."

He emphasises that, through cyber awareness training and instilling the correct habits, such as email best practice, you can create a culture of security, relieving pressure on the security team and allowing a 'human firewall' to be built around the business. "If the awareness of threats is combined with habit, every individual within the business will be able to take greater care of their own cyber brick within the wall."