Editor’s Question: What is the best practice approach [for SMEs] to protect against high-risk email threats?

Trend Micro, a leader in cloud security, blocked 16.7 million high-risk email threats that slipped past webmail providers’ native filters. This amounts to an increase of nearly a third on 2019 figures.

The new statistics are provided by Trend Micro’s Cloud App Security (CAS), an API-based solution that provides second-layer protection for Microsoft Exchange Online, Gmail and a host of other services.

“COVID-19 forced many organisations to accelerate their digital adoption plans, and SaaS apps have become indispensable to remote workers. However, where there are users, there are also threats and we’ve seen a spike in attacks targeting organisations’ perceived weakest link during the pandemic,” said Wendy Moore, Vice President of Product Marketing for Trend Micro. “Trend Micro Cloud App Security has been indispensable in providing an extra layer of protection – each one of those nearly 17 million threats previously missed represents a risk of corporate data theft, ransomware and fraud.”

Detections of malware, credential theft and phishing emails all recorded double-digit year-on-year increases in 2020, while BEC volumes dropped slightly.

Three experts discussed the best practice approach [for SMEs] to protect against high-risk email threats:

Bharat Mistry, Technical Director UK and Ireland at Trend Micro:

Despite the wealth of options on offer for today’s cybercriminals, email is still by far their number one choice for attacks. In fact, of the nearly 63 billion cyberthreats Trend Micro blocked globally last year, over 57 billion (91%) were email-borne. The good news is that, despite these foreboding figures, there’s plenty SME owners can do today to mitigate the risks associated with emailed threats.

The biggest threat

Phishing is still the most dangerous threat vector around. Why? Because it takes advantage of the perceived weakest link in the SME security chain – your employees. Tricking them with spoofed messages to unwittingly download malware or hand over their corporate log-ins, cybercriminals can launch a range of attacks – from ransomware to serious data breaches.

These risks have arguably been even more pronounced during lockdown. Staff may be more distracted at home and therefore more likely to click without thinking first. Or they may be using less well-secured home networks and personal devices, and/or sharing these with members of the household who engage in risky online behaviour.

Moving laterally

If attackers manage to hijack users’ corporate email accounts, they could also move ‘laterally’ between inboxes by sending out phishing emails to a victim’s colleagues. As they genuinely come from a trusted source, these phishing attempts have a high chance of success for the attacker.

This tactic is often used during Business Email Compromise (BEC) attacks. These typically don’t involve malware, so are harder for email filters to spot. Instead, an attacker masquerades as a CEO, senior exec or supplier, emailing someone in the finance team or similar to urgently request a transfer of corporate funds.

The trick looks more convincing if the email comes from a genuine CEO inbox, which has been hijacked by attackers. Such attacks cost global organisations an estimated US$1.8 billion in 2019, half of the total lost to cybercrime that year.

Layering up security

Many SMEs today rely on flexible, simple-to-use cloud-based email systems such as Microsoft 365 (Office 365) or Google Workspace (formerly G-Suite). However, you may be surprised at how many suspicious emails these platforms’ built-in security filters allow through. Trend Micro blocked over 6.5 million such threats in 2020 alone – a reminder that multi-layered defence is needed to mitigate email-based risk.

We’d advise SME owners to look for a security provider that offers:

• Native integration with the messaging vendor via simple API. This will mean they can secure not only email but also OneDrive, SharePoint Online and other productivity tools
• Anti-malware and URL reputation checks
• Document exploit detection and sandbox analysis
• Machine Learning-powered capabilities to spot sophisticated malware and BEC attempts and credential theft sites

Next, enhance these cloud-based defences with endpoint security for user devices, as this is where any threat will land. Alongside these technology measures, improve cyber awareness training among staff with free tools that run phishing and BEC simulations.

As part of best practice cyber hygiene, employees should also be taught how to securely manage their passwords and use multi-factor authentication for log-ins if possible. This will add yet another layer of defence in there to foil determined attackers.

Kyle Turner,Cybersecurity Lead UAE at A&O IT Group :

In cybersecurity everything is underlined by policies, and there are two different types of policies that organisations should have in place for email. First is an overall email security policy – an official company document detailing security practices of your organisation’s email system. Secondly, an acceptable use policy – a document stipulating constraints and fair use that a user must agree to before being granted access to a corporate network.

Overall, when it comes to email, the biggest threat SMEs are facing is phishing emails. For example, Deloitte found that 91% of all attacks begin with a phishing email to an unsuspecting victim. Such a high number being attributed to phishing suggests that organisations are not implementing policies effectively nor are their employees being appropriately educated around the threat.

The best practice approach that will help SMEs combat this issue is training. As part of our social engineering assessments on a company, we carry out random simulated phishing attacks on its employees to see who bites. Any employee who is identified to have clicked on a malicious email is then provided with the appropriate training on how to spot them and what to do, and perhaps more importantly what not to do.

In my experience, most of the time organisations have between 60-80% click rate which means that the majority of employees being targeted with these emails are clicking on them. Aside from other forms of social engineering and simulated phishing attacks, another way for organisations to protect against high-risk email threats is to implement a platform to measure and improve the security awareness of employees. In doing this, I’ve seen a company go from a 60% to 3% click rate in 12 months.

When it comes to high-risk email threats, people are the weakest link. In order for SMEs to protect themselves, it’s imperative that awareness training for employees is carried out consistently as hackers are not relenting and a simple (wrong) click of the mouse can result in disastrous consequences for a small business. If your employees don’t get at least a weekly notification of what they need to be looking out for, then it won’t be effective. 

Maroun El Hashem, Manager, Public Cloud and Alliances at Barracuda:

The primary challenge for SMEs is the sheer variety of email threats that they need to protect against. For example, everybody knows about spam and phishing, but maybe they don’t know all the variants of phishing or scamming, account takeover, impersonation or more. SMEs needs to look for a comprehensive approach that gives them the ability to defend against all types of attacks, not just a subset. Artificial Intelligence and API-based inbox defence can address the gaps in the email gateway and help provide total email protection against attacks. Companies that take an alternate technology approach, not using APIs, can’t protect you against all threat types. 

Then there is the element of cloud. For SMEs in particular, cloud-hosted email services such as Office 365 are especially attractive. As more SMEs move to cloud-hosted email, many are also considering cloud email security deployments as well. A cloud-based email security solution, that comprehensively addresses all email threat vectors can offer SMEs many advantages that include:

1. A solution that scales with the needs of your business

Per-user licensing means that as your business grows, you can add users as needed. Because there’s no hardware to upgrade, adding users to your email security plan won’t cause additional strain on your IT resources.

2. Advanced security features

As cloud email grows in popularity, email security vendors are investing more in cloud security innovation, resulting in advanced cloud email security features. With Barracuda Total Email Protection specifically, organisations benefit from Artificial Intelligence that is directly integrated with Microsoft’s APIs to effectively detect and remove impersonation attempts from your users’ inboxes.

3. Automated threat detection and response

Barracuda Total Email Protection automates the threat hunting and remediation processes, slashing the time it takes to identify and clean-up potential email incidents by 95%. Having no hardware to maintain means that IT teams can refocus on more strategic initiatives like user awareness training.

4. Faster deployment and system updates

SaaS solutions are quick to set up and receive continuous software and security updates with zero downtime.

5. A predictable and transparent cost structure with no hidden costs

SaaS solutions are typically priced per-user with predictable monthly or yearly payments. Because there is no hardware, there will be no additional infrastructure investment or unplanned maintenance fees.

Finally, it’s important for SMEs to recognise that while Office 365 is a powerful solution that eliminates many IT management overheads, Microsoft only guarantees the availability of the service itself, and not the availability and integrity of data. In fact, the tech giant itself recommends that organisations use third-party backup for their Office 365 data. Since Office 365 is already in the cloud, it makes sense for SMEs to utilise a cloud-based backup solution that can save secure, encrypted backups in the same network as this leads to better performance and instant scalability. Barracuda’s cloud-to-cloud backup protects businesses against data loss and also against accidental or intentional deletion of emails by employees.

Click below to share this article