Every business uses email, yet many are unaware of the extent of email security threats.
Types of email security threats
To get some idea of the problem, consider this: in 2017, one in every 131 emails carried some form of malware, such as a virus or ransomware, according to a survey carried out by Symantec. This could be in the form of malicious code that runs if the email is opened. More commonly, the malware is contained in an attachment, such as an office document, that the user is persuaded to open, or it is activated when the user clicks on a link in the email.
Another huge problem is the proliferation of so-called “phishing” emails sent by the millions, and which purport to come from financial institutions or other reputable businesses. These often entice unwary users to click on links to fake web sites and enter their confidential login information, perhaps to a bank account, which is then captured and used by the email’s author or sold to criminals on the dark web.
A more sinister type of threat is posed by business email compromise scams. These usually involve infiltrating a company’s email system and then sending an email from a senior executive’s account to an employee responsible for making wire transfers, instructing them to send substantial sums of money to accounts controlled by criminals. Alternatively, emails may be sent to customers informing them that payment details have changed and that future payments should be sent to bank accounts that the criminals control. More than 400 companies are targeted in this way every day, according to Symantec, resulting in business losses of more than $3 billion over the last three years.
The results of an infection can be devastating: lost data, lost productivity, lost customers, and significant financial losses. Shipping container business Maersk has said that falling victim to the NotPetya ransomware cost it between $200 million and $300 million, and globally ransomware is predicted to cost companies in excess of $11 billion by 2019, according to CyberVentures. (Learn more about how to prevent ransomware infections.)
According to eSecurity Planet’s 2019 State of IT Security survey, email security and employee training are the top problems faced by IT security pros, making this an important area in which to double down on your efforts.
How to secure business email
Most of the security threats posed by corporate email are sent from outside the organization, enter the company network, and end up on an end user’s computer. That means that there are two opportunities to detect malicious emails: at the point that they arrive at the corporate email system, and as they are delivered to the end user’s computer.
The most common way to reduce the threat of malicious emails arriving at the corporate email system is to install an email security gateway that all email has to pass through first. These gateways can take the form of software running on the email server or a separate server, a gateway appliance, or sometimes they are included in email server software products themselves.
A corporate email security gateway carries out a number of security functions, including:
- Spam filtering: Many malicious emails are sent out in huge numbers, and an effective anti-spam system and regularly updated spam filters can detect these types of emails and prevent them from being delivered.
- Attachment scanning: An effective gateway is connected to a threat detection network that has access to the signatures of malicious attachments within minutes of them being first detected anywhere in the world. That means the attachments that contain viruses or ransomware can be blocked before they can enter the network.
- Link scanning: A link scanner checks the links in any emails that arrive at the gateway to establish whether they have been blacklisted because they are known to be malicious. It can also check the effect of clicking on the link in a “sandbox” or isolated virtual machine to establish whether it is malicious or not before allowing the email to enter the network.
- Blacklisting: This can block all emails from known malicious addresses or domains, or even from entire countries that are often the source of malicious emails.
- Data Loss Protection: Some email gateways can also check the contents of emails leaving the organization to ensure that emails or attachments do not contain confidential or sensitive information that should not be sent via email. They may also encrypt the contents of emails. Such protection may be an important part of a business’s GDPR compliance efforts.
Leading email security gateway vendors (including cloud gateways) include:
- Mimecast (Mimecast Secure Email Gateway)
- Barracuda Networks (Barracuda Spam Firewall)
- Proofpoint (Enterprise Protection)
- Cisco (various, including Cisco Email Security Appliance)
- Fortinet (Fortimail)
- Email Laundry
Although security gateways can provide a significant level of security to organizations through email filtering, they can’t prevent email threats that bypass them and arrive directly at an end user’s computer. That’s the case if an end user accesses an email account on their computer via the web – for example, a personal email account.
Google does a good job scanning the contents of Gmail accounts for malicious content, but with some other web-based email systems this may not be the case.
For that reason it’s important to run endpoint protection software on employees’ computers. This provides another opportunity for viruses, ransomware and other malicious software to be detected in emails and any attachments, and for spam and phishing emails to be filtered out.
For more on endpoint security vendors, see Top 10 Endpoint Detection and Response (EDR) Solutions and our free EDR product selection tool.
Employee email security training
Since no security software is 100% effective, it is important to add another layer of email security protection in the form of employee training. Simple rules that should be taught include:
- Never click on links in emails received from unknown sources.
- Never open attachments from unknown sources. If an unexpected attachment is received from a known sender, an employee should call the sender to verify the contents of the attachment before opening.
- Never follow links to financial institutions contained within emails. Instead, type the address directly into a browser.
- Always consult a senior manager before transferring money on instructions in an email. Business Email Compromise scams often instill a sense of urgency and imply that the sender is out of phone contact but a wire transfer must be carried out immediately without telling other staff members for “reasons of confidentiality.”
- Never connect to the corporate email system from a public Wi-Fi spot without using a VPN to ensure that the link is secure.
Some companies also use services such as PhishMe that send simulated phishing emails to employees to help them learn to spot them. If an employee clicks on a link in a simulated phishing email, they can then be given further training or tips to help them recognize phishing emails in the future. Alternatives include products from Wombat Security Technologies, Phishingbox and KnowBe4. For general training tips, read our guide to cyber security awareness training for employees and our guide to the top employee security training programs.
The threat posed by phishing emails can also be reduced by using the DMARC protocol to verify the sender of some emails. Find out more about how DMARC can improve email security.
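As an added illustration of what “verify the sender” means in practice (example code written for this article, not from eSecurity Planet or any DMARC product), the following Go program parses a domain’s DMARC record and applies the alignment test a receiving mail server performs: the message passes only if the domain that passed SPF or the domain that signed with DKIM lines up with the domain shown in the From: header, and otherwise the domain owner’s p= policy decides what happens. The record, the example.com domains and the SPF/DKIM outcomes are constructed. The organizational-domain check is simplified to the last two labels instead of the Public Suffix List, and pct=, sp= and subdomain record lookups are left out.

```go
package main

import (
	"fmt"
	"strings"
)

// DMARCRecord holds the tags of a _dmarc TXT record that decide a message's fate.
type DMARCRecord struct {
	Policy string // p=     : none, quarantine or reject
	ADKIM  string // adkim= : "r" relaxed (default) or "s" strict
	ASPF   string // aspf=  : "r" relaxed (default) or "s" strict
}

// ParseDMARC parses the "tag=value; tag=value" text of a DMARC record.
// Reporting tags such as rua= are accepted but not needed for evaluation.
func ParseDMARC(txt string) (DMARCRecord, error) {
	rec := DMARCRecord{ADKIM: "r", ASPF: "r"}
	tags := map[string]string{}
	for _, part := range strings.Split(txt, ";") {
		if part = strings.TrimSpace(part); part == "" {
			continue
		}
		kv := strings.SplitN(part, "=", 2)
		if len(kv) != 2 {
			return rec, fmt.Errorf("malformed tag %q", part)
		}
		tags[strings.ToLower(strings.TrimSpace(kv[0]))] = strings.TrimSpace(kv[1])
	}
	if tags["v"] != "DMARC1" { // the version tag must match exactly
		return rec, fmt.Errorf("not a DMARC1 record")
	}
	switch p := strings.ToLower(tags["p"]); p {
	case "none", "quarantine", "reject":
		rec.Policy = p
	default:
		return rec, fmt.Errorf("missing or invalid p= tag %q", tags["p"])
	}
	if v, ok := tags["adkim"]; ok {
		rec.ADKIM = strings.ToLower(v)
	}
	if v, ok := tags["aspf"]; ok {
		rec.ASPF = strings.ToLower(v)
	}
	return rec, nil
}

// orgDomain approximates the organizational domain by keeping the last two
// labels. Real evaluators consult the Public Suffix List; this shortcut is
// wrong for names like example.co.uk and is used only to keep the demo short.
func orgDomain(d string) string {
	labels := strings.Split(strings.ToLower(strings.TrimSuffix(d, ".")), ".")
	if len(labels) > 2 {
		labels = labels[len(labels)-2:]
	}
	return strings.Join(labels, ".")
}

// aligned reports whether an authenticated domain matches the From: domain
// exactly (strict) or shares its organizational domain (relaxed).
func aligned(fromDomain, authDomain, mode string) bool {
	if authDomain == "" {
		return false
	}
	if mode == "s" {
		return strings.EqualFold(strings.TrimSuffix(fromDomain, "."), strings.TrimSuffix(authDomain, "."))
	}
	return orgDomain(fromDomain) == orgDomain(authDomain)
}

// AuthResults are what the receiving server already knows before DMARC runs.
type AuthResults struct {
	FromDomain string // domain in the visible From: header
	SPFDomain  string // MAIL FROM domain that passed SPF, or "" if SPF failed
	DKIMDomain string // d= of a DKIM signature that verified, or "" if none did
}

// Evaluate returns "pass" if either authenticated identifier aligns with the
// From: domain; otherwise the disposition the domain owner asked for.
func Evaluate(rec DMARCRecord, r AuthResults) string {
	if aligned(r.FromDomain, r.SPFDomain, rec.ASPF) || aligned(r.FromDomain, r.DKIMDomain, rec.ADKIM) {
		return "pass"
	}
	return rec.Policy
}

func main() {
	// Constructed record and results; example.com is a placeholder domain.
	rec, err := ParseDMARC("v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com")
	if err != nil {
		panic(err)
	}
	for _, m := range []AuthResults{
		{"example.com", "bounce.example.com", ""},         // SPF on a subdomain, relaxed aspf: pass
		{"example.com", "", "mail.example.com"},           // DKIM on a subdomain, strict adkim: reject
		{"example.com", "other.example", "other.example"}, // nothing aligns with From: reject
	} {
		fmt.Printf("%-12s spf=%-20q dkim=%-20q -> %s\n", m.FromDomain, m.SPFDomain, m.DKIMDomain, Evaluate(rec, m))
	}
}
```

The second case is the one that surprises people: a subdomain’s DKIM signature is cryptographically valid, yet under adkim=s it does not count, so the message is rejected. Relaxed alignment is the usual choice unless the domain owner deliberately wants subdomains treated as strangers.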
Encryption in motion
Email protocols such as POP and SMTP were never designed with security in mind, and in normal circumstances, email usernames and passwords as well as the contents of email messages are sent over the Internet without any form of encryption. That means that anyone eavesdropping on network traffic could intercept these credentials and gain access to a user’s mailbox, as well as read any messages that are sent or received.
For that reason, employees should never access email from an open Wi-Fi connection, say in a coffee shop or airport. If the Wi-Fi connection is protected by WPA-based encryption, then the login credentials should be protected from Wi-Fi interception. (Even if the Wi-Fi password is widely known, each user is allotted their own “session key” so other users cannot eavesdrop.)
But Wi-Fi encryption only protects the email credentials (and email contents) in the wireless stage; for the rest of the journey over the Internet, it may be vulnerable. The best way to ensure that any data sent or received from an email server is encrypted from source to destination is to use a secure encrypted SSL/TLS connection if possible, or, if SSL/TLS is not supported, to connect to the email server using an encrypted VPN connection. Both connection types use public key encryption to ensure that any data remains secure in transit.
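To make the SSL/TLS point concrete, here is an added Go example (not code from the article or from any mail client) that stands up a throwaway TLS listener on the loopback interface, using a constructed self-signed certificate for the made-up host name mail.example.test, and then connects to it three ways: with the default trust store, with that certificate pinned as a trusted root, and with certificate verification switched off. The third client still gets an encrypted link, but it would accept an eavesdropper’s certificate just as readily, which is why a mail client must verify the server it talks to and not merely encrypt.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

const serverName = "mail.example.test" // constructed host name, not a real server

// selfSignedCert builds a throwaway certificate for the local stand-in mail server.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{serverName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, err
}

// startServer plays the mail server: it accepts TLS connections on a loopback
// port, completes each handshake and hangs up.
func startServer(cert tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(tc *tls.Conn) { _ = tc.Handshake(); tc.Close() }(c.(*tls.Conn))
		}
	}()
	return ln.Addr().String(), nil
}

// VerifyingConfig is what a mail client should use: TLS 1.2 or newer, the
// expected server name, and an explicit set of roots allowed to vouch for it.
func VerifyingConfig(root *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS12}
}

// Handshake dials addr with cfg and reports whether the client accepted the server.
func Handshake(addr string, cfg *tls.Config) bool {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err == nil {
		conn.Close()
	}
	return err == nil
}

// Outcome records how three client configurations treat the same server.
type Outcome struct {
	UnknownRootRejected bool // default trust store, verification on
	PinnedRootAccepted  bool // our root in the pool, verification on
	SkipVerifyAccepted  bool // InsecureSkipVerify: accepts any certificate
}

// Demo shows that encryption alone is not enough: a client that skips
// verification accepts whatever certificate it is shown.
func Demo() (Outcome, error) {
	cert, root, err := selfSignedCert()
	if err != nil {
		return Outcome{}, err
	}
	addr, err := startServer(cert)
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{
		UnknownRootRejected: !Handshake(addr, &tls.Config{ServerName: serverName, MinVersion: tls.VersionTLS12}),
		PinnedRootAccepted:  Handshake(addr, VerifyingConfig(root)),
		SkipVerifyAccepted:  Handshake(addr, &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS12}),
	}, nil
}

func main() {
	o, err := Demo()
	fmt.Printf("%+v err=%v\n", o, err)
}
```

In a real deployment the root is a public CA in the operating system’s trust store rather than a pinned self-signed certificate, but the client-side requirements are the same: a minimum TLS version, the expected server name, and InsecureSkipVerify left at its default of false.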
Encryption at rest
Corporate emails frequently contain sensitive or confidential information, and email encryption using a public key infrastructure is an effective way to protect the contents of these emails from being read by anyone other than the intended recipient after they have been delivered.
At the simplest level, it works like this: an individual makes their public key available to anyone who wants it. To send a secure email to that individual, the sender just needs to encrypt the email with that public key. The only person who can then decrypt and read the email is the individual who has access to the matching private key. In fact, most systems work in a way that is slightly different from that described above: they encrypt the email message itself using a symmetric encryption algorithm (which is less computationally intensive than public key encryption algorithms) and then send the encrypted message along with the symmetric key, and it is only that key which is encrypted using public key encryption.
There are a number of ways to use encrypted email in practice. It is built into common email clients such as Outlook, and can also be enabled in other popular email clients on Windows, macOS, Linux, Android, and iOS using additional plugin software, which is often built around the OpenPGP standard.
Add-ons are also available for popular webmail services such as Gmail.
The most complicated part of encrypted email usage is key management: ensuring that public keys are readily available, while keeping private keys confidential yet always on hand so that they can be used to decrypt messages without any interruption.
Software such as Outlook handles this automatically so that users can encrypt with a minimum of fuss. Before sending and viewing encrypted email messages, the sender and receiver have to share their “digital ID,” or public key certificate. To do this, both parties simply send each other a digitally signed message, which enables each of them to add the other person’s certificate to their Contacts.
Some organizations also use encryption gateway appliances, which apply encryption to messages automatically based on pre-defined policies to ensure compliance with regulations and security policies without having to rely on employees encrypting their emails when they send them.