Email is still the top security stress point for organisations, according to a recent Email Security Risk report from Egress. The report is focused on inbound and outbound threats in Microsoft 365. It delivers some worrying statistics for anyone in charge of cybersecurity.
The headline number is that 99% of cybersecurity leaders confess to being stressed about email security. That comes despite the vast amount of work Microsoft has put into making Microsoft 365 secure and trustworthy. Two other statistics show the scale of the problem. 98% say that one of their main frustrations is their Secure Email Gateway (SEG). Why? 53% concede that too many phishing attacks simply bypass it. That raises the question of what the point is of a technology that is less than 50% effective.
Jack Chapman, VP of Threat Intelligence, Egress, says, “The growing sophistication of phishing emails is a major threat to organizations and needs to be urgently addressed. The signature-based detection used by Microsoft 365 and secure email gateways (SEGs) can filter out many phishing emails with known malicious attachments and links, but cybercriminals want to stay one step ahead.
“They are evolving their payloads and increasingly turning to text-based attacks that utilize social engineering tactics and attacks from a known or trusted source, such as a compromised supply chain email address.”
A set of disappointing statistics
The report makes for bleak reading regarding the security around email. It is full of damning statistics about the impact of phishing on organisations. Those impacts are not limited to the organisation itself; they extend to customers and, more importantly, staff.
Some of the statistics included in this report are:
- 92% of organisations were victims of successful phishing attacks. The top three attacks were malicious URLs or malware attachments, social engineering and supply chain compromise. The latter is the attack that is causing the most concern.
- 85% of account takeover (ATO) attacks started with a phishing email. The widespread use of Microsoft makes credentials for Microsoft accounts valuable. Many security teams will worry that in 83% of successful ATO attacks, multi-factor authentication (MFA) was bypassed.
- 86% of companies say outbound email incidents have seriously impacted the business. Of those impacted, 54% suffered reputational damage, 41% disciplined an employee, and 31% suffered loss from customer churn.
- The most worrying statistic, especially for SMEs, is that 68% of companies had to cease operations. However, the report didn’t say if this was temporary or permanent.
A closer look at the details
To get a more in-depth understanding of some of the issues, Enterprise Times spoke with Chapman about some of the headline issues. Chapman believes there is a greater emphasis on phishing because organisations are getting better at other security areas. By making it harder for other attacks, cybercriminals are turning to a tried and trusted attack approach.
Chapman believes there are reasons for the increase in phishing aimed at account takeover (ATO). One is the regular takedown of cybercriminal infrastructure. Another is that the cost of building that infrastructure is high. Together, these mean that attackers see ATO as a more cost-effective way of launching attacks.
Microsoft is the key platform that attackers are after, given its dominance in business usage. It has done a lot to make attacks harder over the last few years. However, as Chapman commented, “it is the unfortunate, often unsaid truth that if a phisher can’t get past Microsoft, they’re not going to be earning much money.”
Improving user training
To counter phishing attacks, companies have been investing in training and gamification. But is that enough? Chapman said, “people are overly reliant on training as a silver bullet for phishing. The whole point of phishing is that it attacks the behavioural science behind people. If it’s designed to trick people, how can you use training to back that up in and of itself?”
As the report shows, the failure of that training has serious implications for staff. 22% of employees were dismissed, and 18% left voluntarily. That’s a 40% churn in staff numbers and, as the report states, is a major loss of talent. Organisations that only discipline staff for mistakes cause mistakes to be covered up and significantly reduce the speed of response by security teams.
How do we improve user awareness? Chapman says, “we take a different approach to how to address that. We are literally waiting to say, ‘you’ve clicked on this link, and this is where it’s going. If it’s malicious, you can’t continue. But if it’s low confidence, you can override that.’ It tells them why we might think something is slightly off but not high confidence. It’s nudge theory.”
The user is empowered to continue with low-confidence hits, and it can be used as an advanced training approach. It can also be combined with how companies deal with breaches. Users who learn are not penalised, while those that continue to exhibit risky behaviour can be given further advice. The result is that users get better, attacks reduce, and companies don’t have such a large talent churn.
Spearphishing and supply chain attacks
Account takeover often leads to supply chain attacks. One reason is that the attacker can now target all the people connected to the account they control. They can send emails and create conversations as they look to compromise contacts in the supply chain. Chapman says, “the success rate is disgusting, just because it is a trusted contact.”
This again comes back to behaviour. Few people have the time or the knowledge to determine how to detect a fake email. They see the From field as being authoritative. They rarely look beyond that. Take the example of an email from a supplier changing a delivery address or bank account. How often do people go back to an older email, find a telephone number and call to verify the data? And why go back to an earlier email? Any competent attacker will put a fake telephone number in the email they generate in case you ring.
This is where technology needs to do a better job. One reason why it isn’t, according to Chapman, is because “as an industry, we quite often view people, policy and technology as separate. We don’t often talk about it as a blended approach.”
Chapman also believes that a part of the problem is rooted in the cyber solutions we deploy. He said, “if we’re honest with ourselves, most cyber solutions add a lot of friction to users. It makes their job harder.” It’s a valid point. Users will always take the path of least resistance. If we make it hard to report suspicious emails or verify an obfuscated link, people won’t report them and will click on the link. The result is always going to be a conflict between security and users.
How do we improve the role of regulators?
Regulators have been paying close attention to how organisations secure their infrastructure and data. The quantity of legislation and rules has soared over recent years, as have penalties. One of the problems here is that regulatory controls become tick-box exercises for organisations. How do companies avoid that, and how do we engage regulators to do more than blast out more rules?
Chapman commented, “I currently don’t see an appetite to evolve these frameworks quickly, both on the legislation point of view, but also in a more guidance framework, best practice. In part because the bottom bar is still so low for many organisations.
“Look at something like DMARC uptake, which has significantly increased. It’s still only, I think, 55% to 60%. It’s a very basic principle that helps stop all this direct spoofing and everything else. We’re still not there yet; it is in a vast majority of basic certifications.”
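Whether a domain is actually "there" on DMARC can be read from its published record: a record with p=none only monitors, and pct or sp tags can quietly weaken an otherwise strict policy. The following is an added example, not code from the article or from Egress; the domain names and records are constructed, and the checks follow the tag semantics of RFC 7489.

```python
# Constructed sample DMARC TXT records for four hypothetical domains.
SAMPLE_RECORDS = {
    "enforcing.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example; adkim=s; aspf=s",
    "monitoring.example": "v=DMARC1; p=none; rua=mailto:reports@monitoring.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "broken.example": "v=spf1 include:_spf.example -all",  # an SPF record published by mistake
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> dict:
    """Report whether a record blocks direct domain spoofing and why it may not."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return {"enforcing": False, "policy": None,
                "findings": ["not a valid DMARC record (missing v=DMARC1 or p=)"]}
    policy = tags["p"].lower()
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100  # RFC default is 100
    findings = []
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    # sp= overrides p= for subdomains; when absent, subdomains inherit p=.
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("subdomains are unprotected (sp=none)")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports to spot abuse")
    enforcing = policy in ("quarantine", "reject") and pct == 100
    return {"enforcing": enforcing, "policy": policy, "findings": findings}


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(domain, assess_dmarc(record))
```

In practice the record is fetched from the `_dmarc.<domain>` TXT entry; the assessment logic is the same.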
One of the big challenges for regulators that Chapman sees is the disconnect between the regulator’s view and the threat landscape. While there are industry-wide approaches that can be taken, they must take into account what is threatening individual organisations. Another challenge arises where multiple layers of regulation apply because an organisation operates in multiple spaces, such as a hospital, which is both critical infrastructure and healthcare.
Enterprise Times: What does this mean?
As bleak as parts of this report look, one positive can be found. 73% of organisations are now enforcing email security with supply chain vendors. That should begin to reduce the effectiveness of supply chain attacks, but only if it continues to be a focal point.
Email is not a new technology. It has been around for decades. It is deeply embedded in our communication strategies, and despite attempts to use other technologies, it continues to be a mainstay in how we communicate internally and externally. Therefore, it is surprising that so many organisations are still worried about email security.
It is too easy for organisations to blame users for problems. Technology that works with and not against users must be part of the solution. If it isn’t, there is little realistic hope that the problems email presents will go away. It’s time for organisations and technology vendors to take a long hard look at why email continues to be a weak point.