E-mails – life-giving or a death-knell to your business?
The importance of e-mail in business communication cannot be overstated. Recently, IBM’s annual Cost of a Data Breach Report revealed that 96% of social engineering attacks are delivered via e-mail. From the more than 500 data breaches studied worldwide, spanning different countries and industries, IBM found the average cost per data breach for an organisation was around R64 million ($4.24 million), which is the highest average total cost in the 17-year history of this report, according to IBM.
Charl Ueckermann, Group CEO of AVeS Cyber International, said IBM's report showed how many cyber attacks originate from e-mail phishing, and stressed that companies need specific prevention measures to protect their e-mails.
AVeS Cyber Security identified six recurring e-mail vulnerabilities of 2021. To improve your e-mail security, here are the six focus areas:
1. Poor visibility – Tracking and identifying risky rules
Inbox rules are the preconfigured rules in your e-mail client (such as Microsoft Outlook) that automatically act on e-mail, usually triggered by the arrival of a message. Users, be they malicious or well-meaning-but-foolish, can create rules that result in harmful incidents, such as:
- Invoice fraud (and other similar scams);
- Espionage; and
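To make rule tracking concrete, the following added example (not part of the original article, and not AVeS or Microsoft code) triages an export of inbox rules and reports the ones that send mail outside the organisation or delete finance-related messages. The field names, domains, keyword list and sample rules are assumptions constructed for illustration.

```python
# Added example. Mailboxes, addresses and rules are constructed samples; the
# field names are assumptions modelled on a mailbox-rule export.
INTERNAL_DOMAINS = {"company.example"}            # assumption: your own domains
FINANCE_WORDS = {"invoice", "payment", "remittance"}

SAMPLE_RULES = [
    {"Mailbox": "accounts@company.example", "Name": "tidy", "Enabled": True,
     "ForwardTo": ["archive@mailbox.example"], "RedirectTo": [],
     "DeleteMessage": False, "SubjectOrBodyContainsWords": []},
    {"Mailbox": "cfo@company.example", "Name": "cleanup", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [],
     "DeleteMessage": True, "SubjectOrBodyContainsWords": ["Invoice", "Payment"]},
    {"Mailbox": "sales@company.example", "Name": "newsletters", "Enabled": True,
     "ForwardTo": ["team@company.example"], "RedirectTo": [],
     "DeleteMessage": False, "SubjectOrBodyContainsWords": ["newsletter"]},
]

def external_recipients(rule):
    """Forward/redirect targets whose domain is not one of ours."""
    addrs = rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
    return [a for a in addrs
            if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]

def assess_rule(rule):
    """Return the reasons a single rule deserves review (empty if none)."""
    findings = []
    ext = external_recipients(rule)
    if ext:
        findings.append("sends copies outside the organisation: " + ", ".join(ext))
    words = {w.lower() for w in rule.get("SubjectOrBodyContainsWords", [])}
    hits = sorted(words & FINANCE_WORDS)
    if rule.get("DeleteMessage") and hits:
        findings.append("deletes finance-related mail: " + ", ".join(hits))
    return findings

def triage(rules):
    """Map 'mailbox / rule name' to findings for every risky enabled rule."""
    report = {}
    for rule in rules:
        # Disabled rules take no action, so they are skipped here.
        findings = assess_rule(rule) if rule.get("Enabled", True) else []
        if findings:
            report[f"{rule['Mailbox']} / {rule['Name']}"] = findings
    return report

if __name__ == "__main__":
    for rule_id, reasons in triage(SAMPLE_RULES).items():
        print(rule_id, "->", "; ".join(reasons))
```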
2. Accessing e-mails remotely
Once the preserve of a few, remote working was thrust on us in 2020 and 2021. As a business model, work-from-anywhere requires updated security measures to protect businesses. If no additional layer of user authentication, such as two-factor (2FA) or multi-factor authentication (MFA) (multi-factor authentication being more secure), is configured on your e-mail platform, attackers can easily gain access to your e-mails from anywhere in the world once your credentials have been compromised. Shared mailboxes do not need an additional layer of authentication if the users who have access to them have MFA or 2FA enabled.
3. Lack of user awareness and training
Employees remain the biggest security vulnerability for e-mail attacks, as they unknowingly open phishing e-mails, click on malicious links or supply their login credentials to fraudsters. User awareness programmes should be ongoing and continuously test and train users on how to work with e-mails securely.
4. Breach of admin accounts
In managing and monitoring security configurations, admins often overlook the basics around user privileges on the company’s systems, including e-mail systems. E-mail systems' user accounts and permissions need constant attention as people continually join or leave the organisation or change their day-to-day roles. The following issues can occur:
- Too many admins;
- Shared admin privileges or passwords;
- Admin accounts are not linked and centrally managed by one user;
- Clean-ups of old accounts are not managed properly; and
- Admins that require e-mail accounts do not have a separate, non-admin account for their work e-mails.
If admin accounts are breached, attackers can have full control over your e-mail platform.
Users can sign in from practically anywhere, so auditing user activities is a necessary security practice. Microsoft provides helpful auditing tools across all licence bands to give customers better visibility of these activities. Microsoft also has comprehensive compliance audit templates for international and industry-specific requirements governing the collection and use of data, such as EU GDPR and ISO/IEC 27701:2019. However, auditing is not switched on by default, so it needs to be actively configured.
6. Lack of e-mail security
You cannot rely on the default system configuration of security features since the defaults are generally set to accommodate all kinds of businesses with various security needs; you will have to identify the security gaps and align this to the organisation’s malware policy. For example, domains can be spoofed, meaning an e-mail appears as if you are sending it from the correct domain while it is actually coming from another, fraudulent domain. If you have not configured SPF, DKIM and DMARC on your e-mail domain, you are an easy target for attackers.
Questions you need to ask for a safer e-mail environment:
1: Have you enabled alerts on your e-mail platform to let you know when a rule on a mailbox is added or when a configuration is changed?
2: Do you have any procedures in place to manage e-mail admin accounts?
3: Do you have audit logs enabled on your e-mail platform? (Audit logs are essential for visibility into users' system-related activities, such as their computer's IP address when they log into their e-mails, and are crucial to identifying security breaches proactively.)
4: Have you completed any assessments on your e-mail platform’s security configurations?
5: Do you have an anti-phishing solution in place that scans your e-mail platform for malicious e-mails and blocks them?
6: Do you have any ongoing user awareness training programmes in place for all your e-mail users?
7: Do you have any additional layer of authentication, like multi-factor authentication, enabled on your e-mail platform?
Over the past 21 years, AVeS Cyber Security has strategically honed its solutions and services to help southern African businesses future-proof their IT environments against the constantly evolving threat landscape, while achieving their digital transformation aspirations. With a purpose-driven e-mail security strategy in place, organisations can reduce many of the simple mistakes that have huge cyber security consequences, such as an unsecured e-mail platform or staff clicking on phishing links received via e-mail,” says Ueckermann.
Ueckermann wants to ensure that companies' e-mail platforms and their employees don’t become the weakest links in their cyber security. Companies can get cyber security advice, services and assessments by contacting AVeS Cyber Security.
2021, IBM. “Cost of a Data Breach Report”. Retrieved from https://www.ibm.com/security/data-breach