This year's Security Awareness Month theme — "See Yourself in Cyber" — was selected by the Cybersecurity and Infrastructure Security Agency to reinforce cybersecurity as a people priority: anchored in partnership, education and individual accountability. This article is part of a series focused on the people considerations of four key pillars of infosec enablement, as noted by CISA's 2022 Awareness campaign: enabling multi-factor authentication, using strong passwords, recognizing and reporting phishing, and updating your software.
Nearly 30 years after the internet first became widely used, and despite recent security innovations, email messages continue to present a major threat to organizations. In a recent survey, two-thirds of IT professionals named email as the top risk for data loss. Here's how to prepare for an email security incident, and how to properly respond.
Protect yourself with email security best practices
Widespread email threats such as phishing, business email compromise (BEC) and malware delivery can never be fully prevented because all three depend on fooling the end user, and someone can always be fooled. But you can greatly improve your chances of preventing successful attacks by following a few simple guidelines.
- Use repeated, dynamic next-generation training to instruct your staffers on how to recognize and reject bogus emails and potentially harmful attachments and web links. Make such training part of the onboarding process.
- Set clear email security policies for employees, including rules for password creation and reuse, and make sure that company executives support and follow the policies.
- If you're using your own email servers, continuously back them up offsite — or consider a cloud-based email solution.
- Use modern authentication protocols, including non-SMS-based multi-factor authentication, preferably following Fast Identity Online (FIDO) standards
- Implement modern email-verification technologies such as Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC).
- License and deploy security technology such as an email security gateway, endpoint security software, and a data-loss-prevention tool.
- Integrate and orchestrate email-security tools with organization-wide security platforms such as an extended detection and response (XDR) solution. Investigate the latest advancements in security software and deploy the upgrades you can afford.
"Email security incident response must be integrated with other preventive technologies to not only close the loop on prevention but to also stop new threats from hitting the mailbox should they be able to bypass gateway controls," wrote Eyal Benishti, CEO and founder of email security provider Ironscales in 2019.
Formulate an email incident response plan
Once your organization is following email security best practices, it's time to create an incident-response plan in case of an email security event.
"Having a robust and well-tested incident response strategy can go a long way toward minimizing the effects of a potentially devastating email attack," wrote Toni El Inati of Barracuda Networks in August 2022.
- Make the plan available to everyone who needs to use it, and document everything that the security team will need to do in case of an email security incident. The plan should delineate assigned tasks, incident workflows, and notification and reporting requirements.
- Run simulations of an email attack and incident response with your security team.
"A companywide incident-response plan (that includes notifications, responsibilities, response and mitigation workflows, reporting, etc.) must be regularly tested and updated," wrote Candid Wüest, vice president of cyber protection research at Acronis, in June 2022.
- Consider deploying an incident-response platform that will automate routine monitoring and speed up escalation in case of an event. Bonus points if the platform uses AI to identify polymorphic email attacks.
"Organizations that simply try to 'predict' these attacks based on yesterday's news will always fall behind," wrote Benishti.
Speed matters in email security
If and when an email security incident does occur, make sure to act swiftly so that the attack will not continue to spread.
"It takes less than 80 seconds from attack detonation until the first lure is clicked," said Benishti.
- Identify exactly what kind of attack is taking place and how widespread its impact might be.
- Remove suspicious emails from user inboxes, track down potential loss of data, examine endpoints for malware and reset user passwords if necessary.
"The security team should also work to extract threat details from the malicious email and identify all affected users," wrote El Inati.
- After the threat is neutralized, follow up by examining how it got in and how you can prevent the incident from reoccurring.
Organizations should "leverage email security incidents to address vulnerabilities and finetune policies," wrote Wüest.
"Effective email security incident response requires more than basic search-and-delete capabilities," wrote Benishti. "It must be integrated, automated, built on machine learning and have the ability to better predict threats before they reach the mailbox."