As hackers’ methods become more sophisticated, the scale of email security breaches and the frequency at which they occur grow greater with each passing year. In 2019 alone, an estimated 2 billion unique email addresses, accompanied by over 21 million unique passwords, were exposed within a single data breach. After the initial panic, it became clear that the breach was caused, in part, by poor data security practices: the target, email marketing service Verification.io, was found to have stored customer data on unsecured public-facing databases.
This escalation has, understandably, put many people on edge. Sites such as Have I Been Pwned, founded by web security expert Troy Hunt, have sprung up in response to the public’s paranoia, and private individuals have started to look into secure email providers to keep their communications safe.
But it isn’t enough for private individuals to keep a watchful eye over their emails. Businesses need to do everything within their power to safeguard their customers’ data if they want to avoid becoming the unwitting subject of the next great email security breach.
Evaluating Different Types of Threats
There are five primary types of email security breaches of which businesses should be aware:
- Spam: Though it might seem harmless — more of an annoyance than an actual threat — when left in the wrong hands, spam poses a serious risk to data security. Just ask any one of the people affected by a 2017 breach; caused by a misconfigured spambot that left a spammer’s servers open to attack, it resulted in the leak of over 700 million email addresses. Although the consequences of that particular breach were fortunately minimal due to a number of fake and repeated email addresses contained in the data set, spam-related attacks have the potential to be far more damaging. Email bombing, an increasingly popular form of spam, is proving to be especially pernicious since it treats spam emails as a sort of Trojan horse. With email bombing, the intended target is inundated with messages, many of them confirmation emails. Once a hacker has a victim’s email address, they’ll run a script to sign the victim up for as many unprotected sites as possible, thereby leaving them vulnerable. With their inbox flooded, the victim is less likely to notice unusual notifications or malicious behavior, enabling the hacker to gain access to the victim’s accounts and operate undetected.
- Phishing: Phishing refers to any attack in which the hacker uses electronic communication channels — typically, email — to impersonate a trusted figure. The idea here is that the recipient, seeing that the message is from a reputable source, will be more likely to provide private information, such as their account login, when requested or to open an unsecured attachment, thereby exposing themselves to a virus. A recent survey from Help Net Security revealed that 83% of respondents reported experiencing phishing attacks in 2018 — a 7% increase from 2017. Such growth made phishing one of the fastest-growing forms of email security breach.
- Viruses: A virus is a type of computer program designed to infiltrate and wreak havoc on existing systems by adding its own malicious code called a payload. Viruses often accompany spam and phishing attacks, using email as a point of entry through which they can gain access to an individual or an organization’s systems. Once a virus has successfully gained access to a system, it will execute its payload; depending on the nature of the virus, it could erase an organization’s hard drive, corrupt files, steal passwords, or crash the system entirely. Viruses belong to a larger category of software designed to intentionally cause damage known as malware. According to a 2018 report from the AV-TEST Institute, new malware figures reached 17,445,659 by October 2017 — a number that has only climbed in the years since.
- Ransomware: Ransomware, another form of malware, is used to encrypt a victim’s files; this data is then effectively held hostage by the hacker until the victim pays a ransom for it, typically in the form of bitcoin. Ransomware is one of the most prevalent forms of cyber attack; there were over 204 million ransomware attacks in 2018, an 11% increase from the year before. According to the cybersecurity experts at Norton, there are five types of ransomware:
  - Ransomware as a service (ransomware hosted anonymously)
  - Crypto malware (famously responsible for the 2017 WannaCry ransomware attack)
  - Scareware, which mimics the appearance of antivirus software
  - Doxware, which threatens to publish private or confidential information in exchange for a ransom
  - Lockers, so named because they lock you out of your computer
- Insider Threats: Like the 1979 horror classic When a Stranger Calls, sometimes the call is coming from inside the house. Depending on their role within the company, certain employees have unlimited access to sensitive information — and all it takes is one disgruntled employee for an organization to find itself in the middle of a data breach. In fact, 61% of IT leaders believe that employees have put company data at risk maliciously within the past 12 months, while another 79% believe that employees have put data at risk accidentally. For an example of an internal leak in action, look no further than a former Chicago Public Schools employee who stole a personal database containing information for about 70,000 people in retaliation for being fired. Even when the risk is caused by human error — as is the case in 47% of data breaches — the consequences can be severe.
Put an End to Email Security Threats
From downtime and business disruption to the loss of confidential information and reputational damages, the consequences of an email security breach can be catastrophic. And more businesses are at risk than you might realize: a 2018 report from cybersecurity leader Varonis indicated that 58% of companies have over 100,000 folders open to everyone, and 41% have over 1,000 sensitive files open to everyone. Fortunately, there are a few easy best practices businesses can implement to step up their email security game:
- Invest in antivirus software. This one might be a bit obvious, but it’s still worth adding to the list. Antivirus software can greatly reduce the threat of email security breaches against your business. Antivirus software alone isn’t enough to completely protect you, however, which is why it’s important to implement other best practices, as well. If you need help choosing the right antivirus software, Consumer Reports has a solid buying guide.
- Implement a secure email gateway. A secure email gateway — sometimes referred to as an email security gateway — “is designed to prevent the transmission of emails that break company policy, send malware or transfer information with malicious intent.” By implementing a secure email gateway within your organization, you can filter incoming and outgoing email traffic and flag messages with suspicious attachments. A secure email gateway works best when paired with automated email encryption, which identifies outgoing messages containing potentially sensitive or confidential information and encrypts them so that, if they are intercepted, hackers cannot access their content.
- Invest in a secure archiving solution. Since creating a paper trail is important for both regulatory and legal reasons, most businesses have some sort of system in place that automatically stores email records within an archive. But what happens if that archive isn’t secure? All it takes is one hacker with the right credentials to access millions of bytes of sensitive data and put your company at risk. When shopping for email archiving solutions, look for one that uses encryption, user authentication, role-based permissions and more to create a multilayered approach to security.
- Create strong passwords and invest in multi-factor authentication. Email security only works if everyone within your organization takes it seriously, so make sure employees are using strong passwords. That means no “123456,” “password” or any of these other painfully common passwords — even if it means having to instate a company-wide password policy. For additional security, implement multi-factor authentication, which requires users to provide two or more pieces of evidence that verify their identity when they enter their login credentials.
- Be wary of every email attachment. Email attachments are an easy way for hackers to transmit malware and infect your computer. Due to this, it’s imperative that you carefully scrutinize every attachment before opening, even if it seems like it comes from a reliable source. (Remember, phishing attacks can be very convincing!) One easy way to determine whether an email attachment is safe is to look at the file extension — JPG/JPEG, GIF, TIF/TIFF, WAV, MP3 and MPG/MPEG are typically considered safe. Files with XLS, TXT or DOC extensions are less likely to be secure, so be sure to check with the sender before opening. Files with double extensions or EXE extensions should be avoided as a rule of thumb.
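
The extension rule of thumb from the last bullet, written as an added Python example that a mail filter or help desk script could apply to parsed messages; it is not code from the article or its author. The function names, the "unlisted" verdict, the sample filenames and the reading of "double extension" as a listed extension placed directly before the final one are assumptions.

```python
from email.message import EmailMessage

# Extension groups exactly as listed in the article's rule of thumb.
TYPICALLY_SAFE = {"jpg", "jpeg", "gif", "tif", "tiff", "wav", "mp3", "mpg", "mpeg"}
CHECK_WITH_SENDER = {"xls", "txt", "doc"}
AVOID = {"exe"}
LISTED = TYPICALLY_SAFE | CHECK_WITH_SENDER | AVOID


def classify_attachment(filename):
    """Map a filename to 'avoid', 'check-with-sender', 'typically-safe' or 'unlisted'."""
    # Normalise case and surrounding spaces/dots so "PHOTO.JPG " equals "photo.jpg".
    segments = [s.strip() for s in filename.lower().strip(" .").split(".")]
    extensions = [s for s in segments[1:] if s]
    if not extensions:
        return "unlisted"
    last = extensions[-1]
    # Assumption: a "double extension" is a listed extension sitting directly
    # in front of the real (final) one, e.g. "holiday.jpg.bin".
    if last in AVOID or (len(extensions) > 1 and extensions[-2] in LISTED):
        return "avoid"
    if last in CHECK_WITH_SENDER:
        return "check-with-sender"
    if last in TYPICALLY_SAFE:
        return "typically-safe"
    return "unlisted"  # not covered by the article's lists; needs a human decision


def triage_message(msg):
    """Return {filename: verdict} for every attachment in a parsed message."""
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        verdicts[name or "(no name)"] = classify_attachment(name)
    return verdicts


def build_sample_message():
    """Constructed sample input: one message with four dummy attachments."""
    msg = EmailMessage()
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    for name in ("Team-Photo.JPG", "budget.xls", "invoice.doc.exe", "holiday.jpg.bin"):
        msg.add_attachment(b"dummy", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    for name, verdict in triage_message(build_sample_message()).items():
        print(f"{verdict:18} {name}")
```

The verdict comes from the name alone, so it ranks attachments for review and does not replace scanning their content.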
Whether you operate a small-scale nonprofit or an enterprise-level company, email security should be a top priority for every organization. We hope this article has helped you learn more about the different types of threats businesses are up against as well as taught you a few pointers on how to prevent them.
About the Author: Adnan Olia is a senior member of the Intradyn team and is responsible for keeping an eye on the regulatory and technological marketplaces. Adnan provides thought leadership in the archiving and compliance sector to help Intradyn understand the latest trends in business innovation. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.