E-mail still a major cyber-security threat to business

Many organisations are still not taking strong enough measures to combat e-mail attacks, says Galix's Simeon Tassev.

IT security experts are feeling increasingly unprepared and too out-of-date to reasonably defend against e-mail-based threats. E-mail is a vital tool in business and yet, while we are aware of the security dangers it poses, many companies are still not taking strong enough measures to defend against e-mail-based threats.

So says Simeon Tassev, payment card industry qualified security assessor at Galix, who explains that while most companies have e-mail security controls in place, the lightning-fast evolution of e-mail attacks and human factors mean traditional IT security protections are not nearly enough to protect them.

"The ransomware development trend is a good indicator of how fast malware is being developed.

"A good example would be the popular Cryptowall ransomware, which was first seen in March 2014; the next version was released six months later, with the third version released three months after that. A few months later, the fourth version was released," explains Tassev.

The time between ransomware updates has been getting shorter, indicating that companies must adapt more quickly to deal with current threats and also prepare to deal with threats they don't even know about yet, he advises.

According to Mimecast's 2016 business e-mail threat report, 65% of global businesses are ill-equipped to defend against e-mail-based cyber-attacks and only 35% of its respondents were confident of their preparedness to deal with e-mail attacks.

The study, which surveyed 600 IT security decision-makers, found that of the 65% of respondents who felt unprepared against e-mail attacks, almost half had experienced such attacks in the past.

"Yet, despite their history dealing with the issue, they felt no more protected after an attack than they did before," says Mimecast.

Sheldon Hand, SA country manager for Symantec Corporation, says e-mail is still a major cyber-security threat to business because it is the threat vector which cyber criminals use most often to launch and distribute attacks.

"A Symantec Internet security threat report found one out of every 244 e-mails in 2014 contained a malware attack, and five out of six large enterprises were targeted by e-mail-based spear-phishing campaigns.

"Attackers employ sophisticated social engineering tactics to trick users into opening these malicious e-mails, which often contain zero-day or other complex malware designed to evade traditional security systems," observes Hand.

These engineering tactics, he explains, include virtual machine-aware malware that doesn't reveal suspicious behaviour when run in typical sandboxing systems. Detecting this type of malware in your organisation can be difficult and can lead to long remediation times when an infection does occur.

"Although companies are implementing controls and technology in place to prevent infection, the challenge is the attacks are sophisticated and the increasingly difficult-to-detect attacks are changing the security protection landscape and subsequently, the enterprise security posture," he notes.

These attacks occur at multiple different points across the network, making it more difficult for companies to detect and respond to them, he observes.

Phishing, whaling and ransomware, explains Tassev, are the three most popular attack methods used by cyber criminals, and employees pose a big security threat to business too.

"Employees are prone to clicking on unknown e-mail links and attachments on their devices, providing a gateway for viruses into the network. To counter this vulnerability, companies need to not only put clear e-mail security measures in place, but to ensure that employees are fully aware of what they can and they can't do with their e-mails," he elaborates.

There should be consequences of risky behaviour on the company's data, and organisations should take punitive measures against employees who don't abide by the organisation's data policies. This acts as a deterrent for employees who wilfully disregard the company's IT security measures by claiming ignorance, advises Tassev.

"IT professionals should also start talking more about zero-day approaches to e-mail attacks, where IT security dedicates time to prepare to combat not just threats they have previously come across but also for unknown attacks too.

"Filtering solutions and installing end-point tools are the first level of defence against e-mail attack," he continues.

This involves the installation of a program that scans all e-mail for threats, spam and viruses, filtering e-mail in the cloud or, if the e-mail server is on the premises, via a firewall gateway, he concludes.

Sibahle Malinga
ITWeb's portals journalist.
