
Every week I try to listen to a couple of webinars to stay informed on the industry. Each one starts with some aspect of the threat landscape and reviews challenges along with the suggested solution. Recently I listened to a webinar on email security which got me thinking. Email has been around for decades, and yet with all the innovations it still represents a significant challenge to secure. Let’s look back to understand how we got here.
Innocent Beginnings
My first experience with email was as an undergraduate in the ’90s. This was a time when there wasn’t any worry of something malicious happening when clicking on an attachment or a link from someone you didn’t know. Even when I started a job at a large company, the only email training was about how the code of conduct applied to email as well. This meant avoiding profanity, verbal threats, or any sort of misconduct in the inbox. A short time later, I remember email at my company was down for days. This was the Melissa virus. It wasn’t the first email virus, but it was the first known to cause massive disruption with lost productivity and revenue for many organizations, including my then employer.
In those days, the motivations of those responsible were typically either notoriety or entertainment. In this case, the person responsible for this virus had no idea that it would cause this type of damage. The incident jump-started the email security category, with secure email gateways (SEG) leading the way in detecting and preventing these types of threats. It also uncovered the need for security awareness training to educate employees about not clicking on attachments and links in suspicious emails. Security Awareness Training (SAT) wouldn’t be a category until several years later.
Spam, Secure Gateways, and Authenticity
In the mid-2000s, spam exploded, and a big reason for this explosion was financial motivation. Spam made up over 80% of all email traffic at the time as it was able to bypass email defenses. This made email a very attractive vector for cyber criminals who wanted to use it for monetary gain. The industry responded by creating spam filtering technologies and then consolidating these as part of SEG solutions. For the next several years, bad actors and the industry innovated to stay a step ahead of each other. Some of the innovations leveraged to stop bad actors were integrated into SEG, while others were made into separate solutions such as secure web gateways (SWG) to protect against web-based email threats (e.g., checking your Yahoo mail account at work).
The last few years have seen a downward trend in spam, which makes up less than half of all email traffic, according to Statista. Part of this is due to innovative technologies used to verify the authenticity of senders, such as SPF, DKIM, and DMARC. The emergence of security awareness training (SAT) as a category also helped. However, it should be noted that the criminals also shifted their strategy during this time. They used to send a single email to the masses and would come up with creative ways to send that same email to as many addresses as possible. Today, bad actors instead research a potential victim and craft something more personalized, in hopes of gaining the victim’s trust enough that they will eventually take the action the criminal wants. This is known as social engineering, and it has been one of the top attack patterns for the past few years, including in this year’s 2023 Verizon DBIR.
Incident Reduction and Response
There are lots of other things related to email security, and we will get to some of those in a future post. In the meantime, the way to minimize an incident is to follow best practices, which include:
- Ongoing awareness training to teach users to be vigilant and spot suspicious emails
- Encouraging users to report suspicious emails for further analysis
- Ensuring any communications with attachments and links go through some sort of deeper-level inspection
- Maintaining a disciplined patching program
Although much about email has changed over the years, some things haven’t. There has always been a game of cat and mouse between the bad actors and security professionals, and new innovations will continue to be adopted by both groups.