The ubiquitous application is the attackers' universal vulnerability
Over the past two decades, email has rapidly and firmly edged its way into becoming the most popular, most accepted and most basic means for business communication. That is both good news and bad.
Sure, social media has had a growing impact over the years. Marketing managers increasingly tweet about corporate successes, an executive might crow about their company on Facebook or post Instagram pictures of happy customers enjoying their products or services. But when it comes to one-on-one or group internal communication, employees from the frontline to the C-suite and the boardroom still favor a tried and true email.
Despite on-going communication advances, email is not likely to leave its vaunted perch any time soon. The number of emails sent worldwide each day is expected to jump from 269 billion at the end of 2017 to nearly 320 billion each day by 2021, according to Statista. As of this year, approximately 124.5 billion business emails alone are sent and received every day, according to technology market researcher Radicati Group, Inc. By the end of 2019, every business user is expected to send and receive on average 126 emails per day. But it is email’s popularity, its constancy, its ubiquity and its simplicity that also makes it the prime target for cyber ne’er-do-wells that recognize email as the easiest and most effective route for them to plant malware, worm their way into a corporate network or trick unsuspecting employees to misdirect funds into their coffers.
In 2016, Symantec reported that one in every 131 emails contained malware. And the success and proliferation of massive malware campaigns, including ransomware hijacks, in the intervening months likely means that these threats have only shot upward — especially in regard to the enterprise email user. While enterprise IT security groups, and even mainstream users, have been made increasingly aware of the threat of phishing or more targeted spear-phishing emails, enterprises big and small still find that there is often some employee willing to open an attachment or click a link, even if the request or the source seems questionable.
“Phishing remains the number one [security] threat to most companies,” says Quinn Shamblin, the chief information security officer for Eden Prairie, Minn.-based Optum Technology. “At most companies, the easiest way around the security is to send someone an email.” Shamblin, who previously worked in IT security leadership at Procter & Gamble, Boston University, and UnitedHealthcare, says that while a wide range of technology products are emerging to help enterprises like his suss out the bad actors, technology alone is not enough to beat back the constant assaults.
“Email security capabilities at the gateway do a good job of holding back the ‘commodity-style’ attacks,” he says of more simplistic and broadly aimed phishing emails. “But [these tools] are not as good when emails target specific groups.”
Michael Osterman, president of Seattle-based Osterman Research Inc., agrees, “The situation is bad and getting worse. Phishing has become common. And business email compromise is very serious.” He agrees that technology offerings are improving — evolving to even review the writing style within the email itself to see if it matches up with the executive who purportedly wrote it — but they will not block all the threats.
“The bad guys are always studying and reverse-engineering,” Osterman says. “This is always a game of cat and mouse. On balance, the bad guys are gaining an edge because there’s so much money behind them.”
And of course, there is at the core of these email-aimed attacks, the most basic and exploitable vulnerability — the sometimes naïve, eager-to-please and often overwhelmed human employee. As Microsoft’s president and chief legal officer Brad Smith reportedly summed it up while speaking in 2017 at a corporate conference, “Every company has at least one employee who will click on anything. Part of what the security challenge involves is protecting people from themselves.”
The upshot of all this, says Nick Hayes, senior analyst at Forrester Inc. of Cambridge, Mass., “It’s still a world of hurt for security pros today. Despite the huge investments into a variety of email security tools from email security gateways to phishing simulation testing, email threats remain a top area of exposure for companies.”
Sophisticated and targeted phishing attacks have in turn given rise to more pervasive and damaging malware attacks and cases of business email compromise, where the fraudsters pose as a corporate executive or business partner in order to coax unsuspecting employees to send them funds or information that they can resell for a profit. And no organization is immune, no matter how secure they believe their systems and policies to be. Case in point: Austrian aerospace and defense giant FACC AG, which sells equipment to Airbus and Boeing, lost $54 million two years ago to a business email compromise scam. The CEO and the CFO were fired as a result.
And, perhaps even more surprisingly, it is not always the big institutions, large banks or defense contractors or hospitals that are under threat any more. Bad actors are diversifying. Real estate-related businesses — from real estate brokerage sales staffs to buyers and sellers and from title companies to law firms — are increasingly becoming targets aimed at getting them to share account information or other personal data that could be monetized. Real estate scams increased 1,100 percent from 2015 to 2017, with losses increasing 2,200 percent during that time.
Perhaps even more damaging, phishing can lead to ransomware attacks, when an enterprise user opens an email-based attachment that unleashes malware in the corporate network that locks up essential files, systems or even access to vital equipment. The healthcare industry has been particularly ravaged by ransomware, going back nearly three years to the highly publicized “Locky” attack on Hollywood Presbyterian Medical Center. After the Los Angeles hospital was forced offline for more than a week, the hospital management gave in and paid its attackers $17,000. Not long after, Methodist Hospital in Henderson, Ky., came under attack from “Locky” hackers, which prevented doctors from accessing patients’ medical records.
Chris Greany, managing director and group head of corporate security investigations and insider threat at Barclays in London, says that he is not sure that “the landscape of threats has changed that much in the past year. What I have seen change is how people respond [to try to] understand more quickly what’s going through the network.
“There’s a greater appreciation of security awareness,” Greany adds, “and making sure their employees understand what not to press or click.”
Changing the culture, one email at a time
Perhaps the greatest challenge for organizations, in trying to stem the rising tide of email incursions, is “just keeping ahead of it, every day,” says Greany.
Indeed, as malware-as-a-service (MaaS) offerings evolve, a less-skilled but large base of wannabe hackers are coming out of the woodwork to “have a go” at email-oriented attacks, says Greany, just as the better funded and more talented organized cybercriminals are becoming more creative, and effective, with their more targeted assaults. “We need to make sure everyone is getting the same learning, the same training,” Greany says.
Dan Lohrmann, the former CISO for the State of Michigan who now heads a security consulting firm, believes that imbuing a culture of security throughout an organization is critical as a foundation to security awareness training, especially around the use of a tool as fundamental as email. “It really starts with the culture of the organization,” says Lohrmann. In his state CISO role, Lohrmann says, he served under Gov. Rick Snyder, the former CEO of Gateway Computers, who was instrumental in helping his organization become more knowledgeable about potential cyberthreats.
The converse, Osterman points out, is when an organization has “a corporate culture where the CEO cannot be questioned at any time in any way,” email scams will flourish because the employees will have no opportunity to consider the validity of communication and their response. “And that’s death to security awareness,” Osterman adds. “Informationsharing is critical, as is a higher frequency of training… Organizations need to keep those new threat vectors front and center.”
Support from the uppermost echelon of the enterprise is crucial, Osterman agrees. “The biggest challenge to security awareness is often just getting attention of the senior management,” he says. While the seemingly daily headlines regarding cybersecurity breaches, especially those that begin with an email, have helped make “board-level discussions about security awareness more common and [put] more CISOs on the board itself,” Osterman says, it is increasingly important that all the employees come to recognize that security precautions “are not just an IT thing.”
Since October kicks off cybersecurity awareness month in many parts of the working world, Greany and his team at Barclays are overseeing a “global cybersecurity road show” — offering a host of inperson and online trainings, webinars, and other events aimed at helping everyone throughout the widespread global banking organization become more aware of better security practices and potential threats.
“We want them to know this is really everyone’s responsibility, that they’re part of the overall fight,” he adds. “Whether you’re in the boardroom or the branch, there should be an understanding that when something comes into your inbox, you need to know what it is before you respond or act on it.”
In the case of Barclays, Greany says that attendance at many if not most of their security events is “not mandatory, but it is expected. We want people to willingly participate — and that means selling it to them in the right way.”
For the U.K.-based bank, that means emphasizing the overall benefit an employee will derive in not only being “part of the team” that keeps their company secure, but also letting them know that this education will benefit them in their personal life, he notes. Since spam, malware, and phishing are not limited to enterprise users, cybercriminals often target personal emails as well, Greany says that employees are learning that they can take home the awareness and the practices they learn at work.
“People want to come along for that,” he adds. “Safe at work, safe at home.”
As is oft pointed out by IT security experts, few employees will come to a lasting awareness about security if their only training is a once-a-year “death by PowerPoint” lecture. Echoing other security insiders, Hayes agrees that email security awareness is about “ongoing prioritization and maintenance. Email security requires a multi-pronged approach to prevent, detect, and respond to email threats prior to and at the point of execution.”
Since the cybercrime market evolves even more quickly than the products and practices aimed at stopped it, Hayes adds, “It’s difficult for security teams to adapt as quickly as threats shift, especially given the range of devices, applications, and points of ingress at attackers’ disposal.”
“Security awareness reduces your risk exposure,” Hayes continues “It doesn’t mean you’re 100 percent secure, but that your people are less likely to click on a malicious link. Until security teams can guarantee a phishing or otherwise malicious email will never hit users’ inboxes, security awareness will remain critical. I think we have quite some time before that.”