Email security is a growing problem for businesses in all industries. According to a report by software firm Egress, 95% of IT managers believe that email puts data at risk, and 83% of organisations have seen an email data breach.
As email security threats become increasingly common and dangerous, businesses must take precautions to secure their email systems. Although there is no silver bullet approach to solve this issue, many different email security systems are available on the market. But how do organisations choose the right one, and will it be enough?
When it comes to choosing an email security service for your business, one of the most important things to consider is the online environment you want to secure. Adrien Gendre, chief solution architect at Vade Secure, says: “What works for [Google] G Suite might not be the right fit for Microsoft Office 365 email. For example, sophisticated hackers are known for reverse-engineering email security solutions – the process of uncovering weaknesses in a solution and developing ways to exploit those weaknesses.”
Gendre warns that for businesses considering a gateway or cloud gateway, hackers could conduct a quick MX record search, discover the gateway protecting their Office 365 email, and adjust cyber attacks depending on their knowledge of the defence layer being used.
“In most environments, they can bypass the gateway to reach the public Microsoft 365 entry points directly,” he says. “In that case, an API-based solution is the better fit because it is inside the Microsoft tenant and is invisible to hackers while usually offering additional capabilities like automated response to threats.”
KVC Health Systems, a US-based, non-profit child welfare and behavioural healthcare organisation, has witnessed many phishing and spear phishing emails over the years. However, it experienced a surge in email attacks when it migrated to Office 365.
Erik Nyberg, vice-president of IT at KVC, says: “Healthcare data has the highest revenue on the open market. It would be detrimental to our reputation – if not our organisation – if we had a leakage of that information.
“The executives were emailing me once a week about something that had got through. It was always a pain point, but it just increased after switching to Microsoft 365. I’ve never been happy with an email security solution. Something that stops 80% of bullets just isn’t enough.”
AI-based email security
But since implementing an artificial intelligence (AI)-based email security system from Vade Secure nine months ago, KVC has not seen any serious email attacks. “Most years, at least one to two phishing attacks or attempts get through,” says Nyberg. “I haven’t had an email situation since I went online with Vade. The catch rate of Vade Secure for Microsoft 365 is a 15%, if not higher, improvement from any email filter I’ve seen. Vade catches what Microsoft misses.”
Four Communications, a London-based PR agency, has also faced a range of email security challenges in recent years. It adopted email security and archiving services from cyber security firm Mimecast to help solve these.
“At Four, we have acquired a number of new companies in recent years,” says Jake Fraser, the firm’s IT and operations director. “With each acquisition comes new employees and this naturally brings IT complications, including how to quickly move new employees from their legacy email infrastructure to Four’s without losing any data – no matter what platform employees are transitioning from.”
Four Communications relies heavily on email every day, so keeping it operating smoothly is essential. Fraser says Mimecast email security and archiving solutions are allowing the firm to transfer new employees to its email infrastructure in several weeks, rather than months.
“On top of this, Mimecast ensures all historical email is archived and organised in the same folder structure that employees had before, so everything is familiar,” he adds. “When it comes time for cutover, there is no pain at all and, critically, no chance of data loss.”
Finding the right solution
To find the most effective email security provider, organisations must consider several important factors. Andrew Rogoyski, cyber consultant and innovation team member at the University of Surrey, says: “People are still using email in place of paper trails, so when selecting services, you need to ensure that you have archiving, recovery, signing, encryption and other functions which protect the confidentiality, integrity and availability of the information in emails.”
Another area to take into account when selecting an email security service is data residency, says Rogoyski. Organisations should find out where their email data will be held and processed geographically due to legal issues regarding data protection, privacy and encryption.
“You may, for example, want to deliberately choose to host your email services in a country with strong privacy and data protection laws, like Germany,” he says. “Data residency became a big topic when the GDPR [General Data Protection Regulation] first came into force in 2018.
Andrew Rogoyski, University of Surrey
“However, with the UK no longer in the EU, data protection laws may change and potentially diverge from those of Europe, so we will have to demonstrate data protection equivalences in order to inter-operate with EU countries. The UK may then have to create its own version of the EU-US Privacy Shield framework – a tremendously complex process that even now is in trouble.”
Rogoyski says email security service providers should also build quantum-resistant encryption into their services, pointing out that some are already doing this. His concern is that current encryption methods will eventually be rendered useless by the rise of quantum computing.
“Many existing forms of encryption used to protect information in emails and other digital information can and will be broken by the advent of quantum computers,” he says. “With IBM, Google and others promising viable quantum computers by the end of the decade, there isn’t a lot of time to prepare.
“Organisations are currently storing sensitive information like emails that in a few years’ time will become completely transparent. The US agency NIST is running a process to decide on the most promising ‘quantum resistant’ encryption algorithms to use. When they decide, hopefully this year, the race will be on to replace vulnerable encryption algorithms.”
Although email security systems offer many benefits, businesses should also give their staff cyber security awareness training so that they know what different email security threats look like, the best way to respond to them, and ultimately how to prevent them happening again.
Steven Gailey, head of solutions architecture at Exabeam, says simple solutions such as regular security training can sometimes be the most effective. Regularly training staff on cyber security risks will ensure that these issues are at the top of everyone’s mind – and this should be the first line of defence at every organisation, he says.
Email security solutions may help businesses to identify threat campaigns targeting them, says Gailey. In particular, the latest endpoint protections can identify and block phishing measures, links to malicious websites identified by threat intelligence databases, and malicious processes being executed on end-users’ devices.
But he warns that it is impossible to stop attacks from happening completely, even when implementing the best security processes. Because of this, organisations need the ability to identify different attacks as soon as possible and take the best course of action.
Jake Moore, a security specialist at ESET, says an email security solution should offer the strongest defence against constant cyber attacks. Additional layers of security, such as integrated multifactor authentication, are also vital in today’s climate, he says.
Jake Moore, ESET
“A highly secure solution can be costly, but it far outweighs the cost as email security is an investment to any organisation,” says Moore. “Decision-makers must consider the rate of false positives and attachment scanning that can often slow down the rate of efficiency. Solutions such as sandboxing can prove vital in organisations that deal with huge numbers of attachments, maybe even unsolicited.”
But, like Gailey, he believes organisations should make their employees aware of different cyber security risks as well as using an email security system. “However, staff can quickly find workarounds for such inconvenience, so even with the best email security services in place, awareness training bolted on will increase the protection in the organisation,” he says.
Nicola Whiting, chief strategy officer at Titania, says organisations should ask a number of essential questions when considering different email security services. These include finding out how the product evaluates malware, how wide-reaching the threat information is, how often this threat intelligence is updated, how accurate the provider is in defending and in allowing mail you need through, whether it transfers your email to an external service for processing in any way, how easy the service is to integrate and administer with current systems, how customisable a system is, and whether it is user-friendly.
She adds: “For some organisations – especially SMEs and startups that may not have as many layers of security – an email security service can also provide a relatively low-cost way to add in data loss prevention and email encryption to outbound emails – a sensible move if within your security budget.”
Email security threats have existed for decades, but they are more common than ever in today’s connected workplace. Given that cyber criminals are constantly targeting victims over email, it is paramount that businesses recognise this issue and take action immediately. Although it is great that there are lots of email security solutions out there, businesses need to ensure they choose carefully.