Organisations worldwide have moved to cloud email to realise the benefits of increased productivity, collaboration, and extensibility.
Unfortunately, attackers are now taking advantage of the open, connected nature of the cloud to carry out new cyber-attacks – using social engineering tactics to trick users into inputting credentials, sending money, and providing access to confidential information.
As a result, while it is often overlooked, email is still one of the most important channels to protect. Understanding what types of attacks modern organisations face and how to defend against them is the first step.
We invited a group of CISOs, data protection officers, heads of security operations, and security managers to discuss their experience with email security, including:
- Shifting emails to the cloud
- Securing emails with technology and education
- The evolving threats facing email security
Rela8 Group’s Technology Leaders Club roundtables are held under the Chatham House Rule. Names, organisations and some anecdotes have been withheld to protect privacy.
Email in the cloud
Emails have long been an essential part of business communication. Even as new forms of communication take root, emails continue to be invaluable to modern organisations. The cloud can bring new life to emails, offering greater ease of use and potential for collaboration, but alongside this comes a risk criminals are all too happy to take advantage of. The panel of security experts we spoke to were all leveraging the benefits of cloud email systems but were quick to point out the challenges with shifting to the cloud and keeping it secure.
Shifting to the cloud
With emails having been so rooted in business for so long, any transition to the cloud comes with a significant number of legacy challenges to overcome. Depending on the size and age of an organisation, shifting to the cloud can be a painstaking effort of creating tools to work around problems and slowly segmenting existing emails out before being able to move everything across onto the cloud.
To complicate matters, some organisations may find their move to cloud bound by global regulations. If a business decides to move into the Google Workspace suite and takes steps to do so before finding out that one of its territories has regulations preventing its use, it can find itself either split between multiple cloud email systems or facing a costly rollback. There is no easy way into the cloud; every step must be meticulously strategized.
Despite the challenges, it’s not all negatives – our panel emphasised the value of cloud email over the complexity. They had also found that as more and more users were shifted over to the cloud, the project gained momentum and support as users embraced the speed and ease of use. Other benefits cited included easier security implementation, greater visibility, easier recovery, and easier access. Of course, not every organisation wants to take on the complexity of the cloud, but when a security incident knocks out emails for days on end, the complexity of the cloud rarely continues to be a roadblock.
Security in the cloud
One of the benefits of the cloud is that security features are often embedded in the solution. However, it is easy to assume that just because security tools exist, your cloud email system is secure. A recurring message from our panel was that when it comes to security, you can never be too protected. Multi-factor authentication, mail gateways with active tagging, Data Loss Prevention rules, Cloud Access Security Brokers – all of these tools will go a long way to ensuring that no sensitive data is leaving through emails, and that as many dodgy phishing emails as possible are caught in your net before they reach your users.
Plenty of tools exist to augment existing security strategies, but one thing our panel of security experts stressed is that whatever tools and technologies you have in place, they won’t mean much in the face of human error. Given the inherently human nature of email communication, security needs to be as much about people and processes as it is about technology. All it takes is for one user to click a dodgy link to bypass all the technology you’ve put in place. Ensuring that staff are trained and educated with processes and procedures in place will go a long way to mitigating that risk. But even then, cyber attackers are always levelling up their game and playing the people is just a new challenge for them.
Social engineering
Phishing, spear phishing, and whaling were all top priorities for our panel. Large cybercrime organisations have the ability to inundate organisations with tens of thousands of emails a minute, all designed to get just one user to mistakenly click a link or thoughtlessly pay an invoice. A lot of the attacks they had seen played on human elements such as fear and urgency (“you have to open this ASAP”) or excitement (“here is information about your bonus”). Once the attackers have received a response, their phishing campaign transitions to spear phishing.
Social engineering attacks are rapidly evolving in both plausibility and complexity. One of our panel had seen an attempt involving two attackers, one posing as a law firm trying to get an invoice paid, another posing as an executive giving the go ahead. Attackers will research everything they can about potential targets and quickly learn to mimic reasonable communication by emulating tone of voice and even understanding when and how organisations might communicate.
These less technical, more personal forms of social engineering attacks are harder for technology to recognise and respond to. In these instances, user awareness and education are critical to avoiding disaster, but don’t neglect good tooling. The more educated your users are, the more likely it is that security teams will quickly find themselves overrun with people asking if this suspicious email was a phishing attack, or even worse, sending phishing attacks to their colleagues to ask them! Taking advantage of technology to detect these emails before they hit the inbox is going to vastly improve email security risk posture as well as security workload.
Third party risk
Even if a business has done everything right, they are not immune to risk. Modern businesses don’t operate in a vacuum and it’s these connections to third-party partners that most concerned our panel. There is not a huge amount that can be done if attackers get to you through someone else’s system. Mitigating third-party risk is about careful vetting and mutual collaboration.
When carrying out third-party risk assessments, do your due diligence. More risk-averse organisations are stipulating that their suppliers need to evidence that they meet certain security standards like Cyber Essentials Plus, ISO 27001, and ISO 9001. Cyber insurance companies are cottoning on to the risk as well and will often offer reduced premiums for partnering with certified secure suppliers. Where smaller vendors can’t compete, organisations should be taking on consultancy roles and supporting smaller suppliers in improving their security; we are all on the same side after all.
The need for cloud email security
If the stats are clear about anything, it’s that emails will continue to be the frontline of cyber-attacks for the foreseeable future. As such, organisations need to work tirelessly to stay abreast of ever-changing threats. Tools exist to help, and sharing this load with external security providers is no longer an option, but a necessity. Shop for tools that suit the needs of the business, but our experts all agreed that AI and machine learning as a means of reinforcing automatic detection and response are proving to have the most impact.
With tools in place, businesses need to turn their attention to their staff. All the tools in the world mean nothing in the face of an uneducated workforce. Users need to be educated and empowered to understand and respond to threats. A determined attacker will always find a way past whatever defences you throw at them, but even just locking the doors and training staff not to open them to anyone can go a long way to preventing the worst.