Amidst all the hype surrounding state-sponsored cyber-espionage, attempts to influence elections and attacks on critical national infrastructure, sometimes as an industry we can be guilty of diluting the security message. Some new research released over the past few days should get us back on track. It re-emphasises the point that email is still the number one threat vector facing organisations.
With fewer than 100 days to go until the EU GDPR comes into force, firms need to get better at locking down the risks they’re exposed to via these channels. This will require possible investments in technology and, most likely, a new approach to staff training.
Social and targeted
The latest stats claim that the combined threat from phishing and malicious email attachments accounts for over a third (34%) of all incident response investigations. Diving down deeper into the data, it finds that social engineering (52%) is slightly more popular than external exploits (48%) — that is, attacks targeting people rather than technology are favoured. What’s more, social engineering users into opening malware-laden attachments, handing over their log-ins and clicking on malicious links is found to be more common in targeted attacks. On the other side, so-called “spray-and-pay” attacks, which are more opportunistic in nature, rely on exploiting technical deficiencies in the organisation like software vulnerabilities.
Both types of threat should be well known by now. We are currently witnessing an unprecedented volume of software vulnerabilities. One firm recorded nearly 21,000 new bugs last year, a 31% increase over 2016. Given the enormous pressure administrators are under to patch multiple heterogeneous systems today, gaps are inevitably left which the black hats are only too ready to exploit — often via email. Phishing, meanwhile, is increasingly used as the typical first stage in a targeted data-stealing attack. In fact, Verizon claims that phishing was present in nearly a quarter of security incidents and over 90% of so-called “social” attacks in 2016.
Let’s not forget that ransomware is also mainly email borne. Despite a drop in volumes, one vendor still spotted over 624 million related threats in 2017. However, the real momentum is with another email threat altogether: Business Email Compromise (BEC). The estimates are that losses stemming from this particular attack technique will hit the $8bn mark before the year is out. A recently discovered whaling scam targeting Fortune 500 firms reminds us of the dangers: attackers using spoofed or hijacked CEO email accounts to convince lower-downs in the finance department to transfer corporate funds into an external bank account. This is social engineering on steroids: zero malware for firms to detect, but potentially huge losses if staff and processes aren’t set-up to stop and spot unusual activity.
Focus on education
So what’s the answer? Like all aspects of cybersecurity there’s no silver bullet to shoot all email threats down. What you need is a measured response focused around the old classics of people, process and technology. On the technology side that means controls at the email gateway to spot and block phishing, malware and spam, whilst preventing data loss (DLP). Don’t forget, the same is true of your cloud email systems. With most platform providers only offering rudimentary protection, you may need to enhance this with third-party tools. Best practice security should also cover steps to reduce your organisation’s attack surface, including prompt patching, regular pen testing and vetting of BYOD devices.
But when it comes to your people, things get a little trickier. What does a successful cyber-awareness and education programme even look like? The most important thing to search for is a provider that can offer real-world simulation exercises, served up in short, easy-to-remember lessons. And it must be measurable: if you don’t know how successful the programme is, how can you monitor ROI or tweak and evolve it over time?
Unfortunately, the latest figures from Big Brother Watch reveal that the UK’s public sector is woefully under-prepared for the email threat. It claims three-quarters of local authorities don’t provide mandatory cyber-awareness training for staff and 16% do not provide any training at all. It’s perhaps no surprise, therefore, that a quarter of UK councils experienced a security breach between 2013-2017.
There could be worse ahead for public and private sector organisations alike if they don’t get a handle on email threats. The GDPR regulators may not be looking for firms to make an example of after the new data protection laws land on 25 May, but if you are breached and haven’t followed best practice, there could be some nasty surprises in store.
Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.