By Jason Soroko, CTO of IoT, Sectigo
According to the FBI, business email compromise (BEC) attacks have resulted in $12 billion in losses since 2013, and global exposed losses increased 136 percent between December 2016 and May 2018, making it imperative for enterprises to protect employees from phishing scams.
Posing as legitimate employees, servers, or devices, BEC hackers utilize email to infiltrate an organization’s digital infrastructure and wreak havoc on its business, potentially resulting in theft of intellectual property and capital as well as damage to the business and brand. Large organizations are frequently targeted in “whaling” scams designed to compromise their considerable resources, and BEC attacks represent one of the most common infiltration methods.
Attackers target weak points in an organization’s email infrastructure using several common tactics, and the threats range in scale and sophistication from simple (but effective) to highly advanced techniques. One widespread technique is typosquatting, in which the attacker registers a site or email address that is a deliberate misspelling of a known domain in order to resemble a trusted source. Scammers also create fake email chains to make it appear that the recipient is being looped into an existing thread of communication.
The most recent advanced attacks, known as “Dyre Wolf” attacks, involve both malware and a phone-based social engineering step that is designed to defeat two-factor authentication.
With real and growing implications for enterprises, organizations must implement robust, effective solutions to protect and secure their email data, and the security industry has responded by transforming existing technology solutions to improve both the user experience and protection capabilities. Many companies are increasingly implementing updated, user-friendly Secure/Multipurpose Internet Mail Extensions (S/MIME) technology as a tool to combat cyber threats.
Securing the enterprise with S/MIME
For organizations looking to protect their email from outside threats, S/MIME is a standard for public key encryption and signing of MIME data, ensuring message integrity. An S/MIME-capable mail application displays a checkmark to certify the sender of an email, and unless the attacker has the sender’s actual private key, a signature cannot be faked. S/MIME thereby guarantees the sender of an email, validating that digitally signed emails can be trusted to have come from the stated source.
S/MIME allows the recipient to have confidence in the email data, as the signature certifies that the content has not been altered between sending and receipt. S/MIME’s encryption also adds a layer of defense both in transit and in storage. Using encryption at rest protects critical intellectual property from attackers. With S/MIME, organizations are able to protect themselves against both BEC and data integrity issues caused by man-in-the-middle attacks.
While S/MIME technology has existed since 1995, recent innovation has evolved the solution to make it more user-friendly, making it easier than ever for enterprises to protect themselves from BEC threats. Past encrypted email solutions required encrypted emails and unencrypted emails to be in two different systems, with different mail management capabilities.
Today’s S/MIME allows users to keep all their emails in the same email application that they prefer. New solutions help enterprises prevent accidental disclosure of the private key by removing the need to provide users with USB sticks for private key storage. Improved technology has moved away from the complex implementations of S/MIME that made for a poor user experience in the past. With increased compatibility, S/MIME is no longer made difficult by the use of non-native email clients, which required users to spell “encrypt” to force encryption in emails and then directed recipients to a portal requiring additional authentication to decrypt and print emails.
Improving S/MIME technology for enterprises and end users
With employees accessing their email on multiple devices, delivering secure solutions that are easier for end users is critical. Today, most major mail applications support publicly trusted S/MIME signature validation, with no need for a configuration change. With built-in functionality in the email client, users can simply click a button to encrypt email messages, eliminating work for employees. By making it easy for users to encrypt nearly 100 percent of their emails in the mail server, another layer of protection is seamlessly added in the event the mail system is compromised.
If someone tries to use an untrusted certificate or impersonate an S/MIME certificate, the latest technology will highlight the content as being sent from an “untrusted email/sender,” alerting recipients to a scam. Zero-touch deployment now delivers the key material where it needs to be on both mobile devices and computers with minimal work and without requiring complicated intervention by the user.
Improved S/MIME delivers the same straightforward experience as plain-text email and utilizes the same email repository and search, providing an uncomplicated process for employees while still enabling enterprises to leverage digital signatures to fight BEC fraud. The solution continues to evolve, removing the need for encryption key backup on a USB drive and continuously updating compatibility with mobile devices.
With BEC attacks growing in prevalence and delivering significant financial losses across a wide range of sectors, it is more important than ever for enterprises to adopt effective solutions with sophisticated security features to ensure that their digital correspondence is private and protected. Advances in S/MIME technology continue to make digitally signing and encrypting email communications easier for everyone—particularly end users. With certificates automatically installed into all mail clients, emails seamlessly encrypted and decrypted, and encryption key archives being made more accessible to secure the email gateway, enterprises are well positioned to combat email attacks with S/MIME.
Jason Soroko is the CTO of IoT at Sectigo.