I have the opportunity on a weekly basis to speak with organizations who come through our Executive Briefing Center. They share information about their strategic business and security initiatives while learning about our corporate vision and ways we are helping customers with similar challenges to those they face.
Many times their stated interest is SD-WAN and cloud, sometimes segmentation, and other times security operations. Without question, these are important (and hot) topics, but I always try to carve out a little bit of time to talk about email security, and here’s why.
Industry Data Shows Email Is a Top Attack Vector
If you read the recent 2019 Data Breach Investigations Report from Verizon, you will notice that 94% of malware was delivered via email, and that the top cybercriminal action leading to a breach was phishing.
In fact, FortiGuard Labs routinely finds new phishing campaigns rising to the fore, such as this new version of Hawkeye that recently hit our weekly threat intelligence newsletter and blog.
But it’s not just malicious files or URLs in email that represent a risk. According to the FBI, over a two-year period Business Email Compromise (BEC) exposed victims to an estimated loss of $3.3bn. And the U.S. Department of Justice recently filed suit against a cybercriminal alleged to have stolen $100m using that type of fraud.
Email Is Moving to the Cloud
Whether your organization uses Microsoft Office 365, Google G-Suite, or another cloud-based email provider, email infrastructure is moving off-premises and into the cloud to be managed by someone else. This makes perfect sense given the maturity of email systems and increasing IT focus on other high-value aspects of digital transformation.
However, outsourcing email infrastructure doesn’t necessarily mean you should outsource email security. Given the industry data above, whether to do so is a very important question for each organization to answer in relation to its unique appetite for risk.
Leading Industry Analysts Assert You Must Re-Assess Email Security Architecture
In fact, more recently, Gartner published their Market Guide for Email Security and asserted that “Security and risk management (SRM) leaders must revisit their organizations’ email security architecture in the light of current email threats, such as sophisticated malware, links to exploit kits, credential phishing and BEC.”1
This Market Guide states “the following capabilities can be used as primary differentiators and selection criteria for email security products:
- To Protect Against Attachment-Based Advanced Threats: Network Sandbox and Content Disarm and Reconstruction
- To Protect Against URL-Based Advanced Threats: URL Rewriting and Time-of-Click Analysis and Web Isolation Services
- To Protect Against Impersonation and Social Engineering Tactics Used in URL-Based, Attachment-Based and Payloadless Advanced Threats: Display Name Spoof Detection, Domain-Based Message Authentication, Reporting and Conformance on Inbound Email, Lookalike Domain Detection, and Anomaly Detection.”
(Side note: we are proud to have been listed among the Representative Vendors for Global SEGs in Gartner’s 2019 Market Guide for Email Security.)
To recap, sources have identified email-based malware, phishing, and BEC as costly – and often, the top – cybercriminal actions. For those organizations rapidly moving to cloud-based email systems, this issue remains, and just as with their traditional email solutions, they will still need to ascertain whether the native email security is sufficient. Additionally, leading analysts assert that every organization must re-assess its email security architecture.
Given this information, it seems pretty clear to me what we all should include among our 2019 security projects.