Email security remains a critical and unique component of business cybersecurity strategies, and—arguably—it has never been more important than it is today.
Email threats such as business email compromise, account takeover and ransomware have exploded over the past year, as cybercriminals have exploited the challenges posed by the pandemic and a move to a remote workforce. These attacks are costing businesses billions; according to the FBI, the combined cost of business email compromise (BEC) in 2020 was $1.8 billion USD.
At the same time, email attacks are also becoming more sophisticated and more targeted. And advancements in ransomware technology and social engineering techniques are making it increasingly difficult for legacy email security technologies to provide the protection organizations need. So, how can you ensure your organization is protected?
We spoke to Rom Hendler, CEO and co-founder of Trustifi, a leading email security and encryption provider based in the US with R&D in Israel, to find out. Hendler has previously worked in the hotel and tourism sector, including as the CMO at Las Vegas Sands, across the United States, Asia and Israel in a range of C-level roles across marketing, operations, finance, technology and cybersecurity.
He shared his insights on why email is so important for cybercriminals, how organizations can protect their users against email threats, and why we should consider our end users our greatest strength, not our greatest weakness.
The Sophistication Of Email Threats–And The Problem With Legacy Email Security
Email security has always been a challenge for security teams, largely because of how email systems were originally built, Hendler says.
“Email is a problem because of how it was designed originally,” he says. “When you send an email, it goes through many different interception points, where many different people can read, see and even manipulate the email content. This is a major problem in today’s environment.”
The fundamental operation of email channels leaves each communication with multiple points of vulnerability, where a message could be intercepted by a bad actor. But as well as tapping into emails en route, cybercriminals also try to gain access to the user’s inbox itself.
In the past, attackers would do this by sending mass emails encouraging users to open malicious links and attachments. But today, attacks are far more sophisticated. Impersonation and spear-phishing attacks are much more difficult for users—and legacy email gateway solutions—to identify, which makes it much more likely for an attacker to successfully compromise their target’s inbox.
And as our reliance on email increases, so does the opportunity for attackers to steal our data using these methods.
“Even before COVID, email was still the most widely used means of communication with corporations. And what we saw during COVID, when people moved away from the office and worked from home, was an increase in our dependency on emails.”
Many day-to-day tasks, such as keeping in touch with colleagues, or sharing documents and invoices, were all now taking place via email, he says, which led to the number of cyberattacks targeting the email channel growing “exponentially.”
But there’s also a problem with traditional email security technologies themselves that can make it even harder for organizations to protect their communications against these new, more advanced email threats: many email security solutions, especially in the encryption space, are difficult to use. This can cause drains on productivity as well as issues with security, Hendler says.
Additionally, many CISOs and security teams don’t consider the needs of the end users when choosing solutions, Hendler says. “In big organizations, CISOs just want solutions that will block everything out there. And then end users say this makes their job impossible, and then people look for workarounds, such as using private email, or Dropbox to share sensitive information.”
“So, it is better to work on education, and understanding. We design our system in a way that end users will actually want to use it, so it gives them more productivity in the job. When you send an email with Trustifi, you can easily encrypt using a plugin, you can see where and when that email was opened, you can go back and edit sent messages if you accidentally send the wrong attachment.”
“The more people use the platform, the more secure you are, because people are more engaged in your security.”
But most security systems are not designed this way, Hendler says.
“If you look at some of the marketing collateral out there, you’d think that your people are your weakest link. But my people are my strength, my people are my greatest asset, I’m there to empower them.
“Yes, they might make mistakes, but I’m there to make it easy for them to do their work and protect the work they’re doing.”
Today’s Email Threats Call For Real-Time Protection
In addition to implementing user-friendly email security, it’s extremely important that all organizations look for email security solutions that provide automated, real-time protection to stop social engineering and BEC attacks in particular.
“When you look at impersonation, it’s all about timing,” Hendler says. It is possible to stop an impersonation attack once it has happened, he explains, as long as you act quickly. In the case of a wire-transfer scam, for example, you can contact the bank and ask them to stop the transfer of funds. “That’s why the speed is so important,” he says.
Another way to respond to an attack is by going through insurance. But insurance companies increasingly won’t insure against cyberattacks, Hendler says. Because of this, organizations must have a strong tool in place to stop these threats from ever coming to fruition.
Hendler recommends looking for a solution that provides smart, proactive protection against inbound threats by identifying and flagging suspicious emails, before they can reach their intended recipient. This can be very difficult to do, Hendler says, because malicious emails are often cleverly disguised to appear completely safe, particularly in the case of account takeover and BEC attacks.
Trustifi’s solution provides proactive protection against business email compromise via two main methods: outbound encryption and AI-based inbound filtering.
“We want to encrypt as much as possible to solve that problem of timing,” Hendler says. When impersonation attacks occur, cybercriminals are trying to reach users at a very specific time point, Hendler says. They aren’t impersonating a user for months, they’re trying to impersonate at the point when a transaction is made, so they can extract as much money as possible as quickly as possible.
Trustifi also uses artificial intelligence profiling to analyze the context of email messages, comparing each email to that user’s “normal” communication patterns to detect signs of account compromise. When the solution identifies emails as potentially suspicious, it flags or automatically quarantines them as needed, in real time. Having this protection in place is “extremely, extremely important” to protect against any type of attack, but mainly BEC attacks, Hendler says.
Email Security Requires Cost-Benefit Analysis
One of the common recommendations in the email security industry is for organizations to implement multi-layered email protection, with analyst firm Gartner recommending that organizations should address gaps in secure email gateways by “supplementing with additional capabilities.”
Hendler argues that this can be a useful approach, but suggests it needs to be a balanced consideration, weighing up the security benefits against the total risks and extra cost.
“It’s like everything in life. If you look at your house, you can put in an alarm, you can put a lock on the door, you can put up a fence and security cameras. Obviously, you’re going to be more secure, but the question is, how long will it take you to get in and out of your house every time? Do you want to end up living in a jail?”
However, there are some benefits to implementing multiple layers of protection for email, Hendler says:
“We see many of our customers say that they like the solution they have in place currently, but they don’t like the outbound encryption. It’s clunky, it takes too long to set up, and the conversion rates of people opening encrypted emails are very, very low.
“So, we do see people say, look, I want to keep this vendor, and then add you as well. Because sometimes, with email especially, data loss protection is just one part of your overall strategy. So, we do see those different layers,” Hendler says.
And this approach does make sense, he agrees, because there isn’t one silver bullet to solve email security problems. “Nobody out there can do everything. But you need to think of it like everything else in the business, think about risk and return. How many tools do you need and, from a cost perspective, how much can you invest in?”
The Future Of The Threat Landscape
Casting a predictive eye over what changes we can expect to see in the threat landscape in the future, Hendler says that organizations should not expect a full return to the office, and that cyberthreats are likely to only increase in severity.
“First of all, the move back to the office will be hybrid,” Hendler says. “I see even for my own people they’re willing to come into the office, but they don’t really want to! People want to work from home, at least in a hybrid environment, and I think organizations will adapt to that.
“Which means that email will continue to be a very important and pivotal tool in the day-to-day work environment and, therefore, email attacks will continue. Why would you break into a store if you could convince someone to wire you $50,000 over email? Obviously, it’s a different skill set, but it’s much more lucrative and much lower risk! So, I don’t see email threats going away anytime soon.”
On top of this, there are an ever-increasing number of compliance regulations businesses have to deal with, Hendler says, meaning email security will have to become a higher priority for every organization.
“Every organization needs to comply, and they want easy, simple and fast ways to get there. They just don’t have the resources to implement something very complicated.”
How To Secure Your Email Environment
Hendler has two recommendations for organizations looking to secure themselves against email threats and meet compliance regulations. First, companies must understand the importance of outbound email encryption. Second, they should utilize artificial intelligence to protect inbound email communications.
“You need to understand that encryption is not just a compliance issue. Many people think you only need to encrypt email with personal data, or credit cards, or to meet compliance regulations like HIPAA PII, CCPA and more. So, they think only a portion of their users need to have an encryption license.
“This is wrong, because you want to protect everybody in your organization. If you’re not going to protect everyone, you’re going to be vulnerable. That’s the first thing.
“The second point is that, if you want to combat those really sophisticated attacks, without blocking a lot of legitimate emails that will interfere with the organization’s productivity, you need to use ML and AI. But artificial intelligence does not work with just inbound protection. So, my suggestion is that, if you want to look at comprehensive email security, you should start with encryption and securing outbound email. And you need a solution that serves as an extra arm of your security team, in that it is always researching and improving its solutions to be one step ahead of the attackers.”
Thanks to Rom Hendler for participating in this interview. If you’d like to find out more about Trustifi’s solution, you can visit their website here: https://trustifi.com