The idea that people are the last line of defence against email fraud and can be trained to spot impersonation attempts both misunderstands email security and misallocates responsibility for it.
It is a problem that can only be solved by using technology to improve what is, and always has been, an inherently unsafe communication method: removing threats and halting fraudulent attempts before they reach the end user.
From a security perspective, email is vulnerable on multiple fronts. Typical scenarios play out in depressingly familiar patterns. A cyber-criminal will send an email to an employee that, for all intents and purposes, looks like a legitimate message from an internal stakeholder or external supplier. Maybe it'll request a change of payment details. The recipient – who could be a junior-level employee, a member of the finance department, or the CEO – receives a convincing missive from an account that looks authentic, obliges their request and thinks nothing of it.
It sounds simple enough, but this kind of attack is very hard to avert. Training end users to spot these attacks is a common approach, but any user training scheme is out of date from the moment it is implemented. During beta testing, Corvid's Pernix Email Protection tool found that one client with 1,000 email accounts faced a total of 139,136 impersonation attempts, 80,148 samples of malware, and 1.4 million spam emails – in just three months. Cyber-criminals are always hard at work, devising new ways to compromise email security. Asking the average employee to keep up with them is asking too much.
Protecting insecure systems
Technology offers more effective protection for email systems. Static and dynamic analysis, paired with supervised machine learning, can find harmful links, macros, and scripting in a message far more reliably than an end user can. Parsing mechanisms can spot illegitimate URLs and lookalike sender domains, preventing users from clicking on dangerous links in the first place. These solutions are purpose-built to anticipate and prevent attacks, and this is precisely why they work.
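To make the "parsing mechanisms" concrete, here is an added example of two checks a mail gateway can run on an inbound message before a user ever sees it: a lookalike test on the sender's domain (confusable-character substitution plus a one-character edit distance against an allowlist of the organisation's own domains) and a link check that flags anchors whose visible text shows one domain while the `href` points at another. This is illustrative code written for this article, not Corvid's Pernix tool or any of its logic; the `INTERNAL_DOMAINS` allowlist, the sample `From:` header and the sample HTML body are constructed, and the heuristics are deliberately simple.

```python
"""Added example: lookalike-sender and link-mismatch checks for inbound email.
Allowlist, sample headers and sample HTML below are constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist of domains the organisation itself sends from.
INTERNAL_DOMAINS = {"example-corp.com"}

# Characters commonly swapped for visually similar ones in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})
MULTI_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def skeleton(domain: str) -> str:
    """Collapse a domain so that visually similar spellings compare equal."""
    s = domain.lower().translate(CONFUSABLES)
    for pair, repl in MULTI_CONFUSABLES:
        s = s.replace(pair, repl)
    return s


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small enough to inline rather than add a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, allowlist=INTERNAL_DOMAINS, max_distance: int = 1) -> bool:
    """True if `domain` is not ours but is one confusable swap or one edit away from it."""
    domain = domain.lower()
    if domain in allowlist:
        return False
    return any(skeleton(domain) == skeleton(t) or levenshtein(domain, t) <= max_distance
               for t in allowlist)


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header such as 'Finance <a@b.com>' or 'a@b.com'."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain_of(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname or ""


def find_mismatched_links(html: str):
    """Return (shown_domain, real_domain) for links whose text names a different domain than the href."""
    p = _LinkCollector()
    p.feed(html)
    out = []
    for href, text in p.links:
        if not re.match(r"^(https?://|www\.)", text, re.I):
            continue  # plain-word anchor text makes no claim about its domain
        shown, real = _domain_of(text), _domain_of(href)
        if shown and real and shown != real:
            out.append((shown, real))
    return out


def analyse_message(from_header: str, html_body: str) -> dict:
    """Combine both checks into one verdict a gateway could act on (quarantine, tag, alert)."""
    dom = sender_domain(from_header)
    return {"sender_domain": dom,
            "lookalike_sender": is_lookalike(dom),
            "mismatched_links": find_mismatched_links(html_body)}


# Constructed sample: a payment-details change request from a lookalike domain.
SAMPLE_FROM = "Accounts Payable <payments@examp1e-corp.com>"
SAMPLE_HTML = ('<p>Please update our bank details using the portal:</p>'
               '<a href="http://portal-update.example.net/login">'
               'https://portal.example-corp.com/vendors</a>')

if __name__ == "__main__":
    print(analyse_message(SAMPLE_FROM, SAMPLE_HTML))
```

Run as a script, the sample message is flagged on both counts: the sender domain `examp1e-corp.com` collapses to the same skeleton as the allowlisted `example-corp.com`, and the one link in the body displays a portal on the real company domain while pointing elsewhere. Either finding alone is a reasonable trigger for quarantining or tagging the message before delivery, which is the point the article makes: the decision is taken by the system, not by whichever employee happens to open the mail.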
The assumption that email is safe is born of its popularity, its usefulness and its longevity. None of these qualities says anything about its security. Technological problems need technological solutions: when an analogue approach is taken to a digital problem, the result is often disastrous.
It is a mistake to underestimate the cunning and adaptability of modern attackers. Falling victim to cyber-crime is not a matter of intelligence, age, attentiveness or competence. Perpetrators do not care about their target's level of computer knowledge – they go after everyone and anyone, from the C-suite to the ground floor, and they often succeed. They evolve their tactics and adapt to bypass new countermeasures: a human being can try to keep up, but if they succeed, it will only be at the expense of their other job duties. A cyber-criminal only has to get lucky once.
Email protection systems take luck out of the equation. They identify attack vectors and move to address new problems automatically as they arise. Trained on large labelled datasets, their algorithms learn and improve with experience. In terms of protecting data and profits, they are far more effective – and less expensive – than other methods. Smart businesses know where to allocate their resources. Those that invest in proper email security protection systems seldom regret it.
Contributed by Nick Yarham, Client Engagement Manager at managed security provider Corvid
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.