CIOReview
CIOREVIEW >> Security >>

Rethinking E-Mail Security

Karthik Devarajan, Director of IT, Maryland Legal Aid
Karthik Devarajan, Director of IT, Maryland Legal Aid

Karthik Devarajan, Director of IT, Maryland Legal Aid

E-mail is still the top choice for workplace communication in both big and small organizations, with an average office worker sending and receiving 121 e-mails per day (Smith, 2018). Therefore, it is not a surprise that e-mail remains the most exploited security threat in an organization. Businesses invest heavily and focus a lot on protecting and securing the e-mail gateway since blocking any security vulnerability at this point will protect the end user from accidentally clicking a malicious link or opening a rogue attachment. Many organizations stop at just establishing a secure e-mail gateway when it comes to e-mail security. While gateway defense is important, it is only one piece of the entire e-mail security ecosystem. Having a foolproof security system to protect an organization from an e-mail attack might remain an impossible task, but by thinking beyond gateway defense, and approaching e-mail security in a more holistic way, organizations can prevent both internal and external e-mail threats.

Resilience is an often a forgotten or ignored subject when it comes to e-mail security, especially with a wider adoption of Office 365 and Google Suite. Now organizations have no control over uptime and have to rely on Microsoft or Google for business continuity. The common thought process among the IT decision makers was to get away from the business of running and maintaining e-mail servers but the downside to that decision is the uncertainty in service availability at a time of outage. In the past couple years, we have seen multiple instances of either Office 365 or Google Suite outages that left organizations without the ability to send or receive e-mails. Even if you have an on-premises e-mail server, having an e-mail continuity service should be part of the security plan. In addition to e-mail connectivity, resiliency plan should also include built-in backups for e-mails. There are numerous ways a user can experience data loss in e-mails—ransomware which encrypts data, accidental deletion, employees with malicious intent etc. While O365, G Suite or even on-premises Exchange has built-in availability services that ensure data recovery, they have serious limitations especially when it comes to dealing with large data. E.g. recovering e-mails on the folder level or recovering an entire mailbox.

  E-mail protection should not be just restricted to securing the e-mail gateway or having an anti-spam/anti-virus solution  

In recent years, the quality of cyber-attacks especially via e-mail has become sophisticated with the cyber criminals finding creative ways to by-pass the security and human controls. They constantly change their methods and avenues of attack, making it difficult to detect and easy for the user to give up something valuable. Attackers have also started targeting people from all levels of the organization, their customers and even partners. Simply visiting a poisoned site is all is needed now to create havoc not only on your computer but also to the associated shares tied to your account. These typosquatting attacks are typically sent via fraudulent e-mails that appears to come from a legitimate sender. E.g. a spoof e-mail from CEO to CFO requesting fund transfer. These attacks and its variants have to be looked in a broader sense. These attacks, even if it is on a single user, could be a gateway to further attacks at the organization level like domain spoofing, look alike domain spoofing, data leak etc. Despite training and education there will always be users who will invariably click on a bad link. Therefore, it is important that we have a security system in place where you could easily find and stop imposter threats, automatically analyze contents and URL’s and have the ability to keep sensitive information within the confines of the organization when something goes wrong.

In addition to making investments in technology that supports security, organizations should extend the investment to train and educate the users to create a more security conscious environment. Considering today’s mobile workforce with ready access to e-mail any time and any place, the possibility of an end user exposing to a questionable e-mail is quite high. Cyber criminals have realized that tricking people than technology will give them better results. By educating the workforce, you are minimizing the human error responsible for data and security breaches. These trainings should not be just a check-box requirement for compliance purposes rather they should focus on creating awareness about “everything security” within an organization. This includes understanding the right security practices, actions to take if exposed to a security risk, simulation attacks on e-mails etc. These trainings could be made more appealing by incentivizing participants and rewarding good behavior. During a simulation test, if users click on a phishing link, rather than shaming them one should make them feel like being part of a stringent internal security controls. Once you achieve that level of acceptance and awareness, end users could be the solid line of defense against e-mail breaches and be a critical component to e-mail security by being the human firewall.

To summarize, e-mail protection should not be just restricted to securing the e-mail gateway or having an anti-spam/anti-virus solution. The security protection should be on multiple layers with each layers acting as a safety net when things go wrong. If history is any indication, the volume of attacks on e-mails will only go up and the level of sophistication will only rise in the future. An organization can face these discouraging trends only by adopting a comprehensive security approach, which should include resiliency, fraud protection and a human firewall.

Check this out: Top Web Security Solution Companies

See More: Top Security Consulting/Services Companies

Read Also

Teleworking and the security risks of freemium messaging apps

Teleworking and the security risks of freemium messaging apps

Adam Such, Chief Operating Officer, Communication Security Group
A Brief Overview Of Revenue Management Systems In Hotels Today – What To Look For

A Brief Overview Of Revenue Management Systems In Hotels Today –...

Brian La Monica, Director of Revenue Management, YOTEL
A Front-End Preventive Approach To The Revenue Cycle Contributes To A Positive Patient Financial Experience

A Front-End Preventive Approach To The Revenue Cycle Contributes To A...

Deborah Vancleave, VP of Revenue Cycle, Mosaic Life Care
Integrating Revenue Cycle Data With The Patient Record

Integrating Revenue Cycle Data With The Patient Record

Patti Consolver, Senior Director, Patient Access, Texas Health Resources
Opening The Door To Patient Access And Scheduling

Opening The Door To Patient Access And Scheduling

Carrie Rys, MBA, Assistant Vice President of Pediatric Ambulatory Operations,
People Solutions > Tech Problems

People Solutions > Tech Problems

Jonathan McWilliams, Director, Revenue Operations - Digital Properties, Viacom