2018 shed a lot of light on how expensive successful phishing attacks can be, with the FBI reporting in July well over $12B in financial losses due to business email compromise and Anthem reaching a $16M settlement in October over a phishing-driven data breach.
Cybercriminals continue to expand their repertoire by iterating on successful attack techniques such as brand impersonations, executive spoofing, and more recently, a spate of bitcoin-based ransom requests.
In response to the growing threat, federal agencies were required to fully implement the DMARC protocol, blocking unauthorized use of agency domains for sending email, while security teams increasingly migrated to cloud-based platforms like Office 365 and G Suite and searched for better ways to automate and manage their crushing workload.
As we head into 2019, it’s important to understand how email security continues to evolve. Below are the top trends we can expect in the email security space.
Email security moves away from its binary system
In the words of one of the primary research analysts into the email security space, email is unique in that it is both one of the most venerable and simultaneously one of the most vulnerable systems that professionals use every day.
As of 2018, nearly half of all email security professionals surveyed noted that they saw significant email threats reach their users every week. Nearly a quarter of them saw those same risks daily. That is simply unacceptable, especially when one considers that the same professionals invest, on average, in three different security tools to try to prevent this from happening.
In fact, recent research has shown that more than half of all security professionals are dissatisfied with those investments, largely because of this abysmal failure to counter even basic attacks: attacks that are, on average, becoming increasingly sophisticated every year, even as the tools, techniques, and responses fall further and further behind.
Reasonably, security leaders are seeking, and increasingly demanding, that email security vendors provide alternatives that can solve this problem. Those solutions will not be predicated on a binary good/bad model for classifying email. The language of “false positives” and “false negatives” – with origins in the endpoint and malware space – is inapplicable to today’s evolutionary threats. Instead, 2019 will see the rise of email security lifecycle management: the shift in thinking from “blocking bad email” to having a sense of assurance that email risk is manageable, from pre-delivery to incident response.
For many years, email security vendors have been trying to make a better mousetrap. Phishing attacks are cybercriminals’ top tactic for the simple reason that they are difficult to detect using those same perimeter-based, threat-intelligence-reliant email security tools. The industry has been slow to adopt new technologies that can better identify sophisticated threats and remediate them effectively. 2019 promises to be a turning point as businesses explore new options to help them secure their corporate inboxes.
Automation eliminates a week’s worth of admin work for analysts
In the security business, there are no silver bullets. No single response “solves” the security problems that businesses face. Instead, as with any area where risk is managed rather than eliminated, the criteria for success are threefold:
1. What kinds of threats and risks can be detected?
2. How robust are our response capabilities to those threats?
3. How much effort is required to implement and execute on response when an incident occurs?
We’ve found that automation can remove 121 hours’ worth of manual email security administrative tasks per year. Security analysts are committing between 30 and 80 percent of their time to work that doesn’t require human intervention. In particular, managing massive quarantine folders and using PowerShell scripts to remediate malicious emails that have bypassed their defenses are two areas where organizations are wasting valuable and expensive security analyst time.
The maturity of automated security solutions and their increased adoption among Fortune 500 companies will help IT and security teams better focus their time and efforts on activities that can prevent data breaches.
The sophistication of phishing attacks increases in 2019
Email security is, by definition, an industry dictated by asymmetrical threat.
Cybercriminals took a straightforward approach to phishing through 2018, relying primarily on fooling inattentive users into entering credentials into a fake website, clicking malicious links, or downloading malware. Emboldened by the efficacy of their basic attacks, cybercriminals will raise the stakes in 2019 by engaging in more customized attacks.
In a customized attack, a cybercriminal impersonates the CEO or CFO, for example, in the hopes of using urgency and fear to get employees to bypass typical business processes and quickly transfer funds or hand over access to confidential data. When such an attack is a credential theft attempt, the masked website is impeccably built and the URL might even have the recipient’s email address in it to look like an office.com login URL. Customized impersonation attacks take more time to develop, but the building blocks are easily reused.
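The URL pattern described above can be checked for at delivery time. The following is an added example, not part of the original article: it flags links that embed the recipient's own address (plain, percent-encoded or base64) or a brand name while pointing at a host outside an allowlist. The trusted-host list, brand tokens and sample URLs are assumptions constructed for illustration.

```python
import base64
from urllib.parse import urlsplit, unquote

# Assumption: hosts this organization accepts as genuine login pages.
TRUSTED_LOGIN_HOSTS = ("office.com", "login.microsoftonline.com")
# Assumption: brand words that should only appear in trusted hosts.
BRAND_TOKENS = ("office", "microsoft")


def host_is_trusted(host):
    """True only for a trusted host or a true subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_LOGIN_HOSTS)


def recipient_in_url(url, recipient):
    """Look for the recipient address in plain, percent-encoded or base64 form."""
    decoded = unquote(url)
    if recipient.lower() in decoded.lower():
        return True
    for form in {recipient, recipient.lower()}:
        for encode in (base64.b64encode, base64.urlsafe_b64encode):
            # Padding is often stripped in URLs, so compare without it.
            if encode(form.encode()).decode().rstrip("=") in decoded:
                return True
    return False


def assess_link(url, recipient):
    """Return the reasons a link looks like a customized credential lure."""
    host = urlsplit(url).hostname or ""
    if host_is_trusted(host):
        return []  # genuine login pages may carry the address as a login hint
    findings = []
    if recipient_in_url(url, recipient):
        findings.append("recipient-address-in-url")
    if any(token in host for token in BRAND_TOKENS):
        findings.append("brand-name-in-untrusted-host")
    return findings


# Constructed sample data (example domains only).
RECIPIENT = "alice@corp.example"
B64_ADDR = base64.b64encode(RECIPIENT.encode()).decode()
SAMPLES = [
    "https://login.microsoftonline.com/common/?login_hint=alice%40corp.example",
    "https://office.com.signin-portal.example/login?user=alice%40corp.example",
    "https://files.example/doc#" + B64_ADDR,
    "https://news.example/article?id=7",
]
RESULTS = [assess_link(u, RECIPIENT) for u in SAMPLES]
```

A host such as `office.com.signin-portal.example` fails the allowlist because the check matches on the registered suffix, not on a substring.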
Security teams will stop treating employees like liabilities
Employees have long been touted as “cybersecurity’s weakest link.” From the fear of so-called shadow IT some years back, to the concept of forcing users through largely compliance-driven training today, there is often tension between information security and information consumers and creators within a business.
This dichotomy is self-destructive, as it positions the two groups most directly responsible for a company’s security as adversaries. To break the cycle, businesses will implement automated tools and policies in 2019 that support workers’ ability to defend an organization’s data.
Machine learning and automation are capable of providing powerful insights and necessary context that help workers make the right decisions when confronted with a targeted attack. For instance, a simple prompt that tells people when they are operating outside of a company’s security parameters – i.e. accepting wire transfer authorization over email – is much more effective than cybersecurity awareness training or shaming them with “fake” attacks. Security and IT teams will implement strategies that support their workers rather than impose draconian controls on their workflows.
Overall, 2019 will be marked by a more realistic view of email security that is better aligned with the infrastructural and philosophical shifts embraced by IT and security departments in other aspects of security. In so doing, organizations will finally begin to move away from the unattainable promise of a 100 percent capture rate at the perimeter and toward an integrated – and ultimately more robust – security posture that matches other cloud initiatives. By “widening the lens” to recognize email security as a lifecycle rather than a point-in-time gateway, organizations will embrace a holistic approach that combines traditional prevention-based strategies with a true protection mindset.