As businesses across Europe prepare for a second lockdown, we’re relying more than ever on email. Email is the number one way that we collaborate and communicate, even more so as the majority of us have moved from offices into our living rooms and kitchen tables.
But, email is also the number one way that businesses are targeted by cyber-criminals. Data breaches, ransomware and account compromise all commonly start with a malicious email. Email attacks are becoming more targeted, and difficult to detect, especially for small organisations.
One expert who sees daily how dangerous malicious emails can be for small businesses is cybersecurity expert Chris Murray. Murray has over ten years of experience helping small businesses in the UK stay secure against targeted cyber-security attacks. In 2018, Murray co-founded consultancy firm Bleam Cyber Security, a licensed Cyber Essentials certification body under the UK’s IASME and NCSC Cyber Essentials scheme.
At Bleam, Murray works with clients of varying sizes to help them to stay legally compliant, implement cyber-security strategies and, if needed, respond to security breaches and attacks. We spoke to Murray to get his unique insights into the threat landscape, and how your business can stay protected against cyber-attacks:
What Are The Email Threats Facing Small Businesses?
“90% of attacks start with phishing emails,” Murray says. Many of his customers are struggling with targeted phishing attacks, where attackers spend a long time gathering information and doing reconnaissance so they can impersonate their targets more convincingly. He gives one example of an attack in which the cyber-criminal forged a target’s actual signature and used it across fake invoices sent to suppliers.
Attacks often start out with widespread phishing campaigns, Murray says. But they quickly become very targeted when attackers can get a foothold in the target organization, such as via stolen credentials. Once attackers have these credentials, they will spend a lot of time using compromised accounts to send out fake invoices to suppliers and internal contacts which, if successful, can cost organizations thousands of pounds.
These risks have become even more acute during the coronavirus pandemic, as more businesses in the UK settle into a routine of homeworking. “COVID is a crisis, and attackers will exploit a crisis,” Murray says.
Attackers are using the changes and uncertainty caused by the pandemic to make malicious emails more realistic. But, just as importantly, the massive changes in the way we connect and secure devices while working from home pose new challenges as organizations search for the best ways to protect their data outside of the traditional office environment.
“The traditional network security environment is like a castle,” Murray says. “At the moment, nobody is in the castle, so they’re not getting that same level of protection.”
So, how can you protect your business against these email attacks?
Be Proactive And Use Cyber Essentials
There are typically two kinds of attitude you’ll find when it comes to cybersecurity, Murray says. The first is proactive, and the second is reactive.
Proactive companies typically have a compliance requirement, or want to do the right thing to protect their confidential and customer data. Reactive companies, on the other hand, typically won’t think about cybersecurity unless they are affected by an attack or data breach.
Being proactive about cybersecurity threats is hugely important. Murray says that, despite an overall trend for businesses in the UK to be more proactive about protecting themselves, there is still an issue with cybersecurity awareness, particularly amongst small businesses.
“If you look at the UK Government surveys around cyber-breaches, you’ll see that businesses have started to take cybersecurity more seriously at a board level,” Murray says. “But only 13% of UK businesses are aware that the Cyber Essentials scheme exists.”
Cyber Essentials is a government-backed scheme in the UK which covers core cybersecurity controls that businesses implement to protect themselves from common cyber-attacks. The standard is focussed on prevention, covering key processes such as access controls and secure configuration.
Cyber Essentials is the fundamental standard that every organisation in the UK should be looking to achieve, Murray says. “If you can achieve Cyber Essentials, you’ll stop 80% of common cyber-attacks from affecting your business.”
Secure Cloud Services
Many organizations have moved, or are in the process of moving, their email systems to cloud services like Microsoft 365 or Google Workspace (formerly known as G Suite). These services offer a huge number of benefits: they’re easy to manage, they help us to be more productive and they allow for easier communication. But they also introduce new security challenges.
“If you compromise an O365 account, you’re no longer just compromising one person’s email account. You’re actually potentially compromising their whole business operation,” Murray says.
Office 365 accounts can store all your client data, making them highly lucrative targets for cybercriminals. They can also be great places to host phishing pages and carry out further attacks on organisations. Because of this, these accounts are being targeted more and more frequently.
To protect against attacks targeting Office 365 accounts, Murray recommends that organizations look at email security gateway solutions, which sit in front of Office 365 and filter targeted email attacks before they reach user mailboxes.
“We’re seeing a number of clients on Office 365 with open email records, moving to having email records protected by an email gateway solution. What we tend to see when that happens is that attacks that target Office 365 will drift away.”
This suggests that attackers are doing specific reconnaissance using publicly available tools to identify organizations that are using Office 365 without any email filtering, and are then targeting those organizations with phishing attacks.
Implement Multi-Layered Security
Murray says you should “absolutely” consider a multi-layered strategy for email security. Many analysts and research firms, such as Gartner, recommend multiple layers of security as the only way to ensure protection against targeted email threats.
“What one solution misses, the other might pick up,” Murray says. Within email there are multiple security approaches to take: preventative technologies, investigative technologies, security awareness training, and newer solutions such as warning banners inside email messages. Murray also says that strong visibility into email threats is important, allowing you to detect threats where you might otherwise assume you are safe.
“Email is such a key area, it’s where the cyberattacks start,” Murray says. If you can get a grip on email as much as possible with multiple security layers and good visibility, you’ll be much better placed to protect yourself against attacks.
Understand Your Attack Surface
Murray’s final advice for small businesses to stay secure against email threats is to understand their attack surface. For many small businesses, the attack surface starts with email, Murray says, because they often won’t have any externally facing infrastructure aside from websites, which are typically managed by web developers.
Murray says that by focussing on understanding this attack surface, organizations can more effectively identify the security solutions that will help them to secure themselves against email attacks.
By combining the basic Cyber Essentials with protection for cloud services, multi-layered email security and a strong understanding of your attack surface, your organisation can achieve strong protection against targeted email threats.
Thanks to Chris Murray for participating in this interview. You can find out more about Bleam Cyber Security and how they can help your small business to protect against targeted email security attacks here: https://www.bleamcybersecurity.co.uk/