Email is becoming an increasingly serious cyber security risk.
About 200 billion emails are sent every day, and precisely because it is so important, email is constantly exploited by attackers, yet it is often overlooked in cyber security strategies.
From a hacker's perspective, many organisations are still leaving the front door open and the windows unlocked. Failure to protect and handle data correctly can also result in punitive action against companies participating in the digital economy.
The General Data Protection Regulation (GDPR), set to come into force in May 2018, is designed to protect European Union (EU) citizens' data, and organisations that want to operate within the EU will be expected to comply with it.
Section 2 of the GDPR states that organisations must "protect personal data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorised disclosure, dissemination or access, or alteration of personal data".
The European Commission defines personal data as "any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address".
This requirement for stronger email protection arrives shortly after the WannaCry and Petya cyber attacks. Despite being used constantly, email remains vulnerable to attack, both as a target and as an attack vector.
Several malware families, such as Emotet and Trickbot, have recently added functionality that enables them to spread via email. Emotet, for example, now has the capability to steal email credentials from infected computers and use these to send out emails to spread itself further.
The dangers that organisations can expose themselves to through unsecured email accounts are often more than just compromised emails. Financial account information can be leaked, ransomware and viruses can infect networks, and reputational damage can occur from hacks being disclosed. This disclosure will become mandatory under the GDPR.
Developing a security policy for email can be relatively simple, and a natural first step for bringing organisations into alignment with GDPR's requirements. However, a company's email security protocols are only as strong as the employees who use them.
Email cyber security risks
Anti-virus filtering should be used on all email traffic.
Although this will not be a complete solution in itself, it will remove much of the background noise, the easy-to-spot threats, allowing security teams to focus on the more sophisticated attacks. Organisations should also consider using a secure anti-malware proxy or next-generation firewalls.
Some organisations may want to consider whitelisting or blacklisting filters for managing their email security. With whitelisting, only known, trusted email sources are allowed through; with blacklisting, everything is allowed through except known malicious email sources.
Whitelisting offers more protection, but it will inevitably block some important emails, which can cause frustration for employees.
Some organisations have gone as far as to block all attachments, which is effective in preventing malicious attachments, but naturally has consequences.
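As an added illustration of the whitelisting, blacklisting and attachment-blocking options just described (example code, not from the original article or any product it mentions), the following gateway-style filter evaluates raw messages against each policy. The policy lists, sample messages and function names are all constructed for this example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed policy lists; a real gateway would load these from its configuration.
ALLOWLIST = {"partner.example", "corp.example"}
BLOCKLIST = {"badactor.example"}
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr")

def sender_domain(msg):
    """Lower-cased domain of the From: header ('' if the header is missing)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def attachment_names(msg):
    """Filenames of every attached MIME part (empty for a single-part message)."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def filter_message(raw, mode, block_attachments=False):
    """Return ('deliver' | 'block', reason) for one raw RFC 822 message.

    mode is 'allowlist' (only known senders pass) or 'blocklist'
    (everything passes except known-bad senders). block_attachments=True
    models the stricter policy of refusing all attachments.
    """
    msg = message_from_string(raw)
    domain = sender_domain(msg)
    if mode == "allowlist" and domain not in ALLOWLIST:
        return "block", f"sender domain '{domain}' is not on the allowlist"
    if mode == "blocklist" and domain in BLOCKLIST:
        return "block", f"sender domain '{domain}' is on the blocklist"
    names = attachment_names(msg)
    if block_attachments and names:
        return "block", "attachments are not permitted"
    risky = [n for n in names if n.lower().endswith(RISKY_EXTENSIONS)]
    if risky:
        return "block", f"risky attachment(s): {risky}"
    return "deliver", "passed policy"

# Constructed sample messages: a legitimate but unknown job applicant,
# a known-bad sender, and a trusted partner sending an executable.
APPLICANT = "From: Sam <sam@mail.example>\nSubject: Job application\n\nCV attached.\n"
KNOWN_BAD = "From: x@badactor.example\nSubject: Invoice\n\nOpen now.\n"
WITH_EXE = ('From: p@partner.example\nContent-Type: multipart/mixed; boundary="b"\n\n'
            "--b\nContent-Type: text/plain\n\nhi\n--b\nContent-Type: application/octet-stream\n"
            'Content-Disposition: attachment; filename="setup.exe"\n\nMZ...\n--b--\n')

if __name__ == "__main__":
    for mode in ("allowlist", "blocklist"):
        print(mode, filter_message(APPLICANT, mode))  # allowlist blocks the applicant
```

Running it shows the trade-off the text describes: the applicant's message is blocked under the allowlist but delivered under the blocklist. Note that this keys on the From: header, which is trivially forged, so a production gateway should apply such lists to the authenticated sender (SPF/DKIM/DMARC results) rather than the displayed address.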
But there is no such thing as 100% security.
Organisations need to educate their employees in how to spot fraudulent emails and raise awareness of the dangers of malicious emails.
To engage the participants, this education should be easy to understand and should not rely on technical jargon. Staff should be positively encouraged to report suspicious emails and given feedback about any emails reported. Not only will this allow the security settings to be updated, but it will also educate staff further.
It is also vital to tailor the message to the particular audience. For example, telling an HR department not to open attachments from external addresses will not work, because they deal with people who are applying for jobs.
Following recent incidents of leaked emails, many organisations are now encrypting emails, installing encryption protocols as add-ons to existing email apps.
Not only do these systems rely on end-to-end encryption to secure their content, but some also ensure compliance with the GDPR. "There are hundreds of email security or encryption services, but we have found customers need verifiability, which is in high demand because of GDPR," says Kurt Kammerer, CEO of Regify.