All too often, enterprise administrators follow best practices across their network infrastructure but forget the importance of email cybersecurity. You could argue that email cybersecurity is more important than any other OpSec strategy, since many of the biggest data breaches start with a phishing email. With more employees working from home due to COVID-19, it is more important than ever to ensure that email cybersecurity is configured and enforced across all communication channels.
Just One Successful Phishing Email Leads to Millions in Damages
It only takes one successful phishing email for an attacker to compromise a network. Attackers might send dozens of emails to users within an organization, or combine social engineering with phishing to target specific high-privileged user accounts. A recent Ponemon report showed that the average cost of a data breach is $3.86 million. In many of these malicious messages, attackers either try to trick targeted users into opening a malicious attachment that executes malware on the network, or lure the victim to an attacker-hosted web page where the user is tricked into handing sensitive information and credentials to the attacker.
Tech Radar reports that a trillion emails are sent every year and 3.4 billion emails are sent every day. With more employees working from home, personal accounts mix with business devices, so there is a good chance that employees receive at least one of these emails every day. If employees aren’t trained to identify phishing emails, they could be the next vector for a data breach. Given how many phishing emails are sent every day, it only takes one employee to expose the organization’s network to malware.
Even trained users can fall victim to a phishing attack. Administrators, human resource employees, and financial staff are trained to identify phishing because they are frequent targets of spear-phishing. Even with training, employees can fall victim to phishing and social engineering attacks. When high-privileged users fall victim to these attacks, the data disclosed to and stolen by attackers can be far more sensitive. These users have access to financial data, employee and customer personal data, and social security numbers. This data is highly valuable on darknet markets, so the payout justifies a complex, long-term attack.
Email Cybersecurity
Firewalls, access controls, user identity management, and other network fundamentals are all components of a good cybersecurity posture. What’s missing from this list, and often overlooked, is email cybersecurity. Email cybersecurity removes responsibility from users and uses artificial intelligence to identify malicious messages: phishing emails, messages that contain a link to an attacker-controlled server, and messages carrying malware attachments. Users no longer even see these messages; instead, the system quarantines them until administrators review them and verify that they are benign.
Email security is based on two major components: Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). An SPF record is the easiest to implement and takes only a few minutes of an administrator’s time. The SPF record is added to the organization’s DNS server as a TXT entry. This TXT entry is a string with a specific syntax that gives recipient email servers the list of IP addresses authorized to send the enterprise’s email.
DKIM is similar to a cryptographic signature. A header carrying the sender’s signature is added to the email message, and the recipient verifies this signature to ensure that the message was really sent by the sender’s domain. Together with SPF, DKIM validates the sender and stops recipient email servers from delivering spoofed phishing emails to the targeted user’s inbox.
The recipient email server can also be configured to honour Domain-based Message Authentication, Reporting and Conformance (DMARC). DMARC rules determine how an email server should handle a message based on its SPF and DKIM results. With strict DMARC rules, email servers might reject messages where no SPF record is present. For instance, organizations that use Google Suite might find their domain emails blocked if an SPF record is not present for the third-party sender.
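To make the SPF, DKIM and DMARC interaction concrete, here is an added example (not code from the original article) that evaluates a message against constructed SPF and DMARC TXT records for an assumed domain, example.com; the DKIM signature check itself is assumed to have been performed already and is passed in as a boolean, and only the ip4, include and all SPF mechanisms are implemented.

```python
import ipaddress
# Constructed TXT records for the assumed domain example.com (illustrative, not real DNS data).
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "bounce.example.com": "v=spf1 ip4:198.51.100.10 -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/28 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=r; adkim=s; rua=mailto:dmarc@example.com",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, sender_ip, depth=0):
    """Minimal SPF evaluation supporting only the ip4, include and all mechanisms."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1") or depth > 10:  # no record, or runaway include chain
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        matched = (
            mech == "all"
            or (mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False))
            or (mech.startswith("include:") and check_spf(mech[8:], sender_ip, depth + 1) == "pass")
        )
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record ended without an 'all' mechanism

def parse_dmarc(domain):
    """Return the _dmarc TXT record as a tag dictionary, or None when the domain publishes none."""
    record = DNS_TXT.get("_dmarc." + domain, "")
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    return tags if tags.get("v") == "DMARC1" else None

def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed only the same (simplified) organizational domain."""
    if mode == "s":
        return from_domain == auth_domain
    return from_domain.split(".")[-2:] == auth_domain.split(".")[-2:]

def dmarc_disposition(from_domain, sender_ip, envelope_domain, dkim_domain, dkim_valid):
    """Return 'pass', the publisher's policy action (none/quarantine/reject), or 'no-policy'."""
    policy = parse_dmarc(from_domain)
    if policy is None:
        return "no-policy"
    spf_aligned = (check_spf(envelope_domain, sender_ip) == "pass"
                   and aligned(from_domain, envelope_domain, policy.get("aspf", "r")))
    # DKIM signature verification is assumed to have been done already (dkim_valid).
    dkim_aligned = dkim_valid and aligned(from_domain, dkim_domain, policy.get("adkim", "r"))
    return "pass" if spf_aligned or dkim_aligned else policy.get("p", "none")
```

A message from an IP outside the SPF record with no valid DKIM signature falls through to the published p=reject action, while a third-party sender covered by the include mechanism passes; a DKIM signature from a subdomain fails the strict adkim=s alignment even though the signature itself is valid.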
With email attacks more common than ever, email cybersecurity should be part of any organization’s network fundamentals. Administrators work hard to ensure that every aspect of the network is secure, from firewalls that block outside public Internet traffic to internal identity access controls that limit unauthorized data access. DMARC, DKIM, and SPF are all basic cybersecurity tools that can limit the possibility of the organization falling victim to a severe data breach.