Email attacks are becoming more sophisticated, putting organizations around the world at risk of data breaches and financial loss. As cybercriminals and threats become more advanced, security teams are finding they need new technologies to combat threats like phishing, email compromise and account takeover.
As one of the world’s leading email security providers, Mimecast has been at the forefront of the changes in email security technologies. Founded in 2003, Mimecast protects over 38,000 customers in more than 100 countries, providing protection against email and web-based security threats.
To discuss the changes in the email security threat landscape, and how organizations can build stronger email resilience in the cloud, we spoke with Matthew Gardiner, Mimecast’s Principal Security Strategist. Gardiner has over 20 years’ experience in the cybersecurity industry and is a security evangelist, speaking at security events around the world and virtually to help organizations learn more about security threats and how to stop them.
Why Email Is the Number One Entry Point for Data Breaches
Mimecast was founded in 2003, in a very different email landscape. Email was just beginning to emerge as the dominant communication platform for businesses. The main risks to businesses from email were large amounts of nuisance spam, relatively simplistic malware, and the common occurrence of email systems going down. Mimecast quickly realized that protecting emails and ensuring mailbox continuity would be hugely important, Gardiner says, and since then Mimecast’s platform has been focused around innovating in this area.
Of course, in the email landscape, much has changed since 2003. Email is now ubiquitous and email threats are far more advanced. Attacks have moved from spam, to “highly targeted, customized, well-engineered, socially-engineered attacks,” which use email as an entry point, Gardiner says. Today, email is the number one attack vector for cybercriminals to target organizations, a leading cause of data breaches for organizations all over the world, and a common entry point for dangerous malware, such as ransomware.
These problems stem from email being an inherently insecure platform. The early designers of email never conceived of it being an attack platform. Like many systems created in the early days of the internet, email was designed to be an open platform, not inherently secure. Because of this, email is “almost the perfect vehicle” for cyberattacks, Gardiner says.
“Email is ubiquitous, it’s relatively anonymous, it’s easy to add socially engineered content, you can make it look visually any way you want it to look, there’s no inherent security and you can attach whatever files you want to it.” – Gardiner
Gardiner says that Mimecast has evolved its security approach alongside the evolving attack techniques, continuing to add new features and develop its functionality as email attacks have become more advanced and more targeted.
This has been driven by the data they receive from their global customer base, which has given them important insights they use to develop new analytics, data sources and strategies to deal with modern email threats.
How Innovation in AI Can Protect Cloud Business Emails
One of the more recent developments in the email security landscape has been the emergence of security technologies that use AI and machine learning to combat sophisticated email threats. These platforms often directly inspect the email traffic and flows to detect anomalies that could be indicators of malice or user mistakes.
Research firm Gartner recommends that security teams use these platforms to complement traditional email gateways, and Mimecast itself has recently acquired MessageControl, a vendor that offers many of these specialized email security features.
Gardiner says that while secure email gateways offer the most comprehensive protection against email-centric threats, organizations are beginning to look for more comprehensive, specialist capabilities to combat the issue of social engineering and phishing attacks. In this respect, he says, AI-powered solutions will “absolutely” become another critical tool for tackling modern email threats.
Artificial intelligence is well suited to helping stop phishing attacks. Certain specialized attacks are designed to bypass the rules that govern traditional email security technologies. These attacks often aren’t easily placed into neat categories of ‘safe’ or ‘unsafe’. AI technologies, however, can be trained on specific characteristics to look for likely unsafe emails, which Gardiner argues makes them much more effective at identifying the signs of account compromise or phishing attacks.
A critical component of an effective AI solution for email security is the data set it is trained on. Gardiner argues that one of Mimecast’s biggest advantages when it comes to AI development is that they have a huge amount of data to analyze and use to train their AI model, helping them to build smarter analytic systems. AI is not a “magic bullet” for solving the problem of phishing, Gardiner says, but an important component of a comprehensive cloud-based security strategy.
The Importance of Security Awareness Training
Another component of a strong strategy to deal with phishing and social engineering attacks is security awareness training. In 2018, Mimecast acquired Ataata, a cyber security training and awareness platform, and since then security awareness training has become a core feature in their cloud security platform.
Gardiner recommends that all organizations consider implementing security awareness training as a crucial layer of their security strategy. “The final layer of your security system when it comes to email is your people,” he says. “Because if people don’t engage with attacks, the attacks fail.”
With a strong awareness training platform in place, organizations can turn their employees from their greatest weakness into their greatest strength, he says. While it’s unlikely you can train users to be security experts, by giving them a way to report suspicious emails and teaching them to apply a critical eye to suspicious emails, Gardiner argues that businesses can greatly improve their cybersecurity and resilience.
The Future of The Email Threat Landscape
Looking to the future of the email threat landscape, Gardiner predicts that one of the major trends we will see is attackers exploiting more trusted infrastructure to distribute malicious threats. A weakness with many security controls today is that they rely too much on the reputation of different platforms, he says. This can be the reputation of a website, cloud service, or of an email sender.
This can become a significant problem when cybercriminals begin using platforms like Dropbox or Azure, cloud services that will be considered safe by most security systems, to deliver malware or to host malicious websites. Company domains are becoming more at risk of being hijacked to deliver malware or other threats, Gardiner says, a trend which he believes is likely to filter down to become a more regular form of cyberattack.
Another trend that Mimecast is seeing is the growth of the cloud security market. A recent Gartner report revealed that spending on the cloud security market has had a huge 33% growth over the past year, compared to just a 2% growth in the general worldwide security market.
This data shows that cloud-based security controls are the future, Gardiner says, but the future is “not yet evenly distributed.” As many customers begin to move their security controls to the cloud, more attackers will also move to cloud-based threat models. “Ultimately, both sides are just doing what makes sense from a business perspective,” Gardiner says.
Advice for Customers Struggling with Email Threats Today
Gardiner’s advice for small and midsized organizations that are being hit by email threats like phishing and ransomware today is to take a step back and consider their whole security program.
“The old way of doing security on premises, with dozens of independent security controls, isn’t manageable,” for teams of this size, he says. Small companies cannot afford the people or the systems to implement security measures in this way. This is a problem for many of Mimecast’s customers, some of whom have between 0 and 2 dedicated security staff. Instead, Gardiner says that organizations need to implement cloud security systems for every security control possible.
On the phishing side, Gardiner recommends against organizations going exclusively with the inbuilt security controls in cloud platforms like Microsoft 365 and G Suite. These are “not sufficient for most companies,” he says, instead recommending that organizations go for a cloud-based third-party solution for phishing protection.
Gardiner’s final recommendation is to “get as much security control layering as you can from cloud providers, and don’t forget the people and process side of security.” Implementing security awareness training alongside strong technical controls is an important step in helping to reduce your risk from phishing attacks, he says. It’s also important to put in place key business processes that ensure there is no single point of failure, such as a wire transfer being allowed on the basis of a single, potentially fraudulent, email.
These steps can be “affordable, and manageable, even by a small team,” Gardiner says. “It’s challenging, but doable and we’ve seen it many thousands of times be successful.”
Thanks to Matthew Gardiner for participating in this interview. You can discover more about Mimecast and their range of enterprise email and web security solutions here: https://www.mimecast.com/