Email security: We CAN fix the tech, but what about the humans?
From Michelangelo to ransomware
Last month’s Mr Chow ransomware attacks serve as a timely reminder that security should be at the top of any business IT strategy. Ransomware is on the increase, at least according to the FBI, and while it is not all email-borne, it is an example of how sophisticated hackers and criminals are getting with technology.
Certainly the recent spear phishing attack at sports anti-doping agency WADA was a clear indication of the lengths attackers will go to in creating detailed and personal emails to hoodwink targets. Clearly, email is still one of the biggest threats to business security and will continue to be so for a very long time.
In some ways it’s no surprise. Email use is as healthy as ever. According to research company Radicati Group’s Email Statistics Report 2015-2019, over 205 billion emails were sent and received every day last year. A six percent increase is expected this year, and although numbers vary dramatically from report to report, it seems to average out that around one billion of those emails are spam or malicious emails.
Back to the '70s
In security terms, email is of course just the delivery vehicle, but it has history. Computer viruses date back to the days of the mainframe and early IBM PCs in the 70s and 80s, but it wasn’t until the increased proliferation of email in the late 90s and 2000s that email started to really kick off as a security threat. The Michelangelo virus, Melissa worm and Anna Kournikova virus all became synonymous with computer security threats during the internet boom and dotcom years. Spam email was rocketing too.
In fact, according to Professor Alan Woodward from the Department of Computer Science at the University of Surrey, all that we see on email is exactly what has happened on regular snail mail. The big difference is that it can be done on a massive scale, and you can deliver electronic payloads that once opened are harmful, unlike the normal spam mail you get through the letterbox.
“I have to say I think things have become a great deal better. In many ways junk mail filters on corporate mail servers like Exchange are something of an unsung success story,” he says. “Sadly it takes only a few to get through to cause problems but these servers are routinely blocking vast amounts of junk, spam, phishing and malware.”
It’s a good point. We often forget about the good work security firms do and how quickly they react to new threats. Of course, email is not about to disappear from business either. It’s too useful and is a good way of storing a messaging dialogue, but as Woodward points out, it’s not the only messaging form that can be open to abuse.
“I’ve seen scams only this week using WhatsApp, and phishing using SMS,” he says. “If anything I suspect people who have learned about the dangers of email will end up learning all over again (probably the hard way) that other messaging vehicles can be used to deliver a variety of attacks as well.”
For businesses this is a perennial problem. Threats from email are as old as, well, email, and keeping pace with any technology change is a constant challenge. Security is, however, a unique challenge, with increased remote working, a variety of devices with an ability to roam networks and an increasingly sophisticated cybercriminal.
Prevention, as security firms have been saying for years, is better than cure. Ask US presidential candidate Hillary Clinton. She is something of an email security expert now, especially when it comes to understanding the consequences of not taking email security seriously. After being caught using a personal email server for official communications while acting as the US Secretary of State, Clinton has also been hacked, supposedly by the Russians.
She is not alone of course. Large businesses and government departments, as well as well-known names, are consistent targets for hackers.
Consequently, says Joe Diamond, Director of Cybersecurity Strategy at Proofpoint, “Customers demand more from their security solutions today more than ever before. That’s why we see security in board level conversations. Visibility about who is attacking you, what they are using, who in the organization they are targeting… and even understanding whether your organization is being singled out or caught in the crossfires of a broad attack campaign, are all insights to help organizations respond.”
So are people doing enough to protect themselves?
“I think companies can do only more of what they are already doing,” says Woodward. “Use of up to date mail servers, anti-virus and so on is an obvious point. Education is equally important, especially with BYOD muddying the waters. One has to be careful to educate users that not all mail clients are the same.”
Education, or lack of it, has of course led to human error enabling threats to sneak through cyber defences. Interestingly, the number of security breaches reported to the Information Commissioner’s Office (ICO) has doubled this year, up to 2,048 from 1,089 in 2015. Around 70 per cent of these reports were due to human error.
“It does suggest that the protection is best done at the server but that is not always possible,” adds Woodward. “Plus if one person is hacked their system can send emails that will appear perfectly valid to any automated system, so the human in the loop has to be on guard. I don’t think any technology is leading the charge but what you are seeing is a more sophisticated scoring system for spam emerging and some of that is being supplemented by heuristics. The systems are learning from what you delete, what is junk.”