
Why IT security experts feel unprepared for e-mail attacks

A late 2015 survey found that only 35% of its respondents were confident of their preparedness to deal with e-mail attacks, says Simeon Tassev, Director and QSA for Galix.


Johannesburg, 16 May 2016
Simeon Tassev, Managing Director and QSA at Galix Networking.

IT security experts are feeling increasingly unprepared and too out-of-date to reasonably defend against e-mail-based threats, with a late 2015 survey finding that only 35% of its respondents were confident of their preparedness to deal with e-mail attacks, says Simeon Tassev, Director and QSA for Galix.

The global study, created by Mimecast and March Communications, surveyed 600 IT security decision-makers - 200 from the United States of America, 200 from the UK, 100 from Australia and 100 from South Africa. It focused on companies' level of e-mail security, IT preparedness and confidence in defending against cyber threats, as well as past experiences with data breaches and e-mail hacks.

It found that of the 65% of respondents who felt unprepared against e-mail attacks, almost half had experienced such attacks in the past. Yet, despite their history dealing with the issue, they felt no more protected after an attack than they did before.

These findings are disconcerting in view of the fact that e-mail is a vital tool in business and yet, while we might appreciate the danger it poses, many companies are still not taking strong enough measures to defend against e-mail-based threats. One-third of the respondents of the Mimecast study also believe e-mail is more vulnerable today than it was five years ago.

Popular attacks

Phishing, whaling and ransom are the three most popular attack methods. In phishing, the attacker sources confidential information such as user names, passwords and credit card information by means of mass electronic communications to potential targets. The mass mailing appears to be from a trustworthy source, such as a financial institution.

A whaling attack is where specific individuals who perform strategic tasks within a company are targeted in a more structured way for maximum financial gain. A whaling target may receive an instruction from what seems to be a trusted source, like the chief executive officer or a known customer, urging them to make a payment against a fabricated invoice. The attacker counts on the target doing what seems to be their job and fulfilling the request. Targets may include prominent and wealthy personalities, senior executives in global enterprises, and commonly, financial institutions.

Ransom is where attackers infect the target's network with a virus and then threaten to destroy the company's data or to publicly release confidential client data unless the company pays a specified amount or does a certain task. The recent spate of data leak stories in the media shows how well this tactic is working for attackers.

Why e-mail remains vulnerable

Most companies have e-mail security controls in place. However, the lightning-fast evolution of e-mail attacks, the ubiquitous need for e-mail in business and human factors mean that traditional IT security protections are not nearly enough to protect them.

Fast evolution of attacks

The ransomware development trend is a good indicator of how fast malware is being developed. To illustrate, the popular Cryptowall ransomware was first seen in March 2014. The next version was released six months later, with the third version released three months later and the fourth version released after only months.

Clearly the time between updates has been getting shorter, indicating that companies must adapt more quickly to deal with current threats and prepare to deal with threats they don't even know about yet.

Bring-your-own-device policy bites

The popular policy for employees to use their own devices, such as smartphones, for portions of their work poses a great risk to e-mail security. While the policy reduces the employer's investment in hardware, the traditional way of controlling employees' e-mail fails, as it becomes harder for the employer to control what employees can do on their own devices.

Employees a big security threat

Employees are also prone to click on unknown e-mail links and attachments on their devices, providing a gateway for viruses into the network. Unfortunately, it's difficult for companies to quash this practice, as the Basic Conditions of Employment Amendment Act of 2011 provides that an employer needs to take certain remedial measures before firing an employee.

To counter this vulnerability, companies need not only to put clear e-mail security measures in place, but also to ensure that employees are fully aware of what they can and can't do with their e-mails, the consequences of risky behaviour on the company's data and any punitive measures the company may take. This acts as a deterrent for employees who wilfully disregard the company's IT security measures by claiming ignorance.

Key strategies

E-mail security should be customised to fit the way e-mail is used within the company's operations. However, there are some basic principles that apply across the board:

C-suite involvement critical - E-mail attacks are not just an IT problem; they can harm the entire business. And while e-mail security was traditionally the province of the IT department, the growing risk it represents to the business means that the company's CEO, COO and CIO need to be strongly engaged with security initiatives and to collaborate to ensure that the business is adequately protected.

The Mimecast research supports this view. It found that the top 20% of organisations that felt the most secure against e-mail attacks were also 250% more likely to see e-mail as their biggest vulnerability. It also found that confident IT security managers were 270% more likely to be from companies whose top executives were very engaged in e-mail security.

Adopt zero-day approach - IT professionals need to start talking more about a zero-day (0day) approach to e-mail attacks, where IT security prepares not just for threats they have previously come across but for unknown attacks. The 0day refers to the amount of time the company has to respond to a newly discovered and/or disclosed threat.

Install filtering and end-point tools - filtering solutions are the first level of defence against e-mail attacks. This involves the installation of a program that scans all e-mail for threats, spam and viruses, filtering e-mail in the cloud or, if the e-mail server is on the premises, via a firewall gateway. These systems now also scan attachments for malware and validate web links to prevent phishing attacks.

End-point protection must also be installed on all employee devices, including personal devices that have some overlap with business functions. E-mail protection also includes protection against human error. Such errors include sending a confidential e-mail to a group rather than an individual. This ensures that confidential e-mails are sent only to targeted recipients who hold a qualifying security level.
