Email: Adapting to the riskiest business tool
Almost every organization freely admits that people are its biggest security risk, and that they are most vulnerable when using email. The 'outbound' risk of an employee accidentally or intentionally leaking data is clearly categorized as an insider risk, but even a phishing attack that originates outside the organization needs an insider to, in effect, open the door.
And it is a valuable vulnerability for threat actors: the FBI reported that Business Email Compromise (BEC) scams accounted for $50 billion in losses between June 2016 and December 2022.
Threat actors can be highly sophisticated and deliberate, planning targeted attacks around the greatest likelihood of success. Our recent Pulse Report found that those leading security, risk, and compliance functions were the least targeted by phishing, presumably because cybercriminals anticipate lower success rates against people with greater security awareness. Instead, attackers aim at potentially less threat-conscious victims who also typically have greater access to funds, systems, and data; Chief Financial Officers were the number one target.
As this shows, email risk is personal. People are specifically targeted based on likelihood of success, different people will make different mistakes, and individuals who intentionally exfiltrate data know how to mask their behavior from detection by traditional controls. So, how do we overcome the threat?
The answer: adaptive security. Organizations need to utilize an adaptive security architecture that tailors security controls to the real-time risks that each employee poses, whether that’s because they’re in cybercriminals’ crosshairs or because their behaviors have increased risk.
Outbound threats, inbound threats
Our research found that 91 percent of organizations surveyed had suffered an outbound email data breach, exposing the company to reputational damage, regulatory action, and customer and employee churn. These breaches can be traced back to three types of employee:
- The accidental insider: someone who makes a genuine mistake, such as adding the wrong recipient or attaching the wrong file to an email.
- The reckless employee: someone who knowingly breaks the rules with the best of intentions or 'for the good of the company', for example by sending data to a personal account so they can work away from the office.
- The malicious insider: someone acting intentionally to harm the company or for personal gain, e.g., taking data with them to a new job.
Despite preconceptions, an under-pressure employee is far more likely to cause an outbound breach than a malicious insider. The Egress team analyzed platform data for over 1.7 million outbound emails within Microsoft 365, examining the types of data loss prevention (DLP) prompt delivered, and found that data exfiltration accounted for only 29 percent of prompts, a figure that covers both reckless behavior and malicious exfiltration.
Human error, meanwhile, triggered 69 percent of these prompts. Accidental breaches are difficult to combat because human error cannot be trained away. With machine learning, however, it is possible to model how each employee uses email, from the individuals and groups of contacts they normally communicate with to the types of content they share, and to alert them when a message deviates from that norm before an incident happens. Combined with an adaptive security architecture, this allows controls and education to be tailored to real-time risk, better preparing individuals and organizations to prevent data leaks. Without this kind of real-time detection and analytics, it is up to the employee to notice and report an incident themselves, and many mistakes pass under the radar.
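The per-sender baseline described above, as an added example that is not Egress's product code: it builds, from a constructed send history, the recipient domains each sender normally mails, then scores a new outbound message and flags a recipient domain the sender has never mailed or one that is a close lookalike of a domain they do mail, the classic 'wrong recipient' mistake. The sender addresses, the history and the internal domain are all assumed sample data.

```python
"""Per-sender recipient baseline for misdirected-email detection.

Added example (not Egress's code). Learns which recipient domains each
sender normally mails, then scores a new outbound message against that
baseline before it leaves the organization.
"""
from collections import defaultdict

INTERNAL_DOMAIN = "example.com"  # assumed: the organization's own domain

# Constructed send history, (sender, recipients). Not real data.
HISTORY = [
    ("alice@example.com", ["bob@partner-co.com", "ceo@partner-co.com"]),
    ("alice@example.com", ["bob@partner-co.com"]),
    ("alice@example.com", ["finance@example.com"]),
    ("dave@example.com", ["helpdesk@example.com"]),
]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()


def build_baseline(history):
    """Map sender -> {recipient domain -> number of past sends}."""
    baseline = defaultdict(lambda: defaultdict(int))
    for sender, rcpts in history:
        for r in rcpts:
            baseline[sender][domain_of(r)] += 1
    return baseline


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; domains are short so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def score_outbound(sender, recipients, baseline):
    """Return (recipient, reason) findings; an empty list means no prompt.

    Internal recipients and domains the sender has mailed before pass.
    Anything else is either a lookalike of a known external domain (a
    likely typo or impersonation) or a never-before-seen external domain
    (possible misdirection or a personal account).
    """
    known = baseline.get(sender, {})
    findings = []
    for r in recipients:
        d = domain_of(r)
        if d == INTERNAL_DOMAIN or d in known:
            continue
        near = [k for k in known
                if k != INTERNAL_DOMAIN and edit_distance(d, k) <= 2]
        if near:
            findings.append((r, f"lookalike of {near[0]}"))
        else:
            findings.append((r, "never-before-seen external domain"))
    return findings


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    print(score_outbound("alice@example.com", ["bob@partner-c0.com"], base))
    print(score_outbound("dave@example.com", ["dave.home@gmail.com"], base))
```

In a real deployment the baseline would be rebuilt continuously from the mail flow and the prompt would be shown to the sender at send time, which is the 'teachable moment' the text refers to; the thresholds here (distance of 2, any single past send counts as known) are assumptions to tune against false-positive rates.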
On the inbound side, our research shows that 92 percent of organizations have fallen victim to phishing and subsequently experienced financial losses associated with customer churn, reputational damage, and employee turnover. The Egress team analyzed 500,000 phishing emails within Microsoft 365 and found social engineering tactics, pressuring recipients to engage, in 39 percent of attacks.
Traditional anti-phishing defenses that rely on signature-based and reputation-based detection can only identify attacks that are already 'known bad': for example, a message carrying a malicious payload that exists in their definition libraries, or one sent from a domain that fails authentication checks. Advanced attacks that pass those checks are much harder to spot, so organizations should not rely on employees to detect them accurately on the strength of security training modules completed weeks or months ago.
Without advanced detection capabilities such as natural language processing (NLP) in anti-phishing technology, it is practically impossible for organizations to detect text-based social engineering attacks, or attacks carrying a zero-day or emerging payload, because there is no signature or bad reputation to match. Going one step further, with more insight into who is being targeted and how, it becomes possible to anticipate when an employee is about to become a target and put proportional controls in place.
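To make the 'nothing to match' problem concrete, here is an added example (not Egress's detection engine) that parses a constructed BEC-style message with no link and no attachment, confirms that a payload scanner would find nothing, and then scores the cues an analyst would look at instead: an executive's display name arriving from an external domain, a Reply-To that points somewhere else, and urgency, payment and secrecy language in the text. The executive directory, the regular expressions and the sample messages are assumptions; a production NLP classifier would replace the keyword lists.

```python
"""Header and text cues for a payload-free BEC message.

Added example, not code from Egress. Shows why a message with no URL
and no attachment slips past signature/reputation filters, and what
text- and header-based checks can still catch it.
"""
import email
import email.utils
import re
from email import policy

INTERNAL_DOMAIN = "example.com"          # assumed: our own domain
EXEC_DISPLAY_NAMES = {"jane doe", "jane"}  # assumed: names attackers impersonate

# Assumed cue lexicons; a real deployment would use a trained classifier.
URGENCY = re.compile(r"\b(urgent|asap|immediately|right away|today)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|invoice|gift cards?|payment|bank details)\b", re.I)
SECRECY = re.compile(r"\b(confidential|don'?t (tell|mention)|between us|keep this quiet)\b", re.I)

# Constructed sample messages (RFC 2606 reserved domains), not real mail.
SAMPLE_BEC = """From: Jane Doe <jane.doe@example.net>
Reply-To: jane.doe.ceo@example.org
To: cfo@example.com
Subject: Quick favour
Message-ID: <c1@example.net>

Hi, I'm in a meeting and can't talk. I need an urgent wire transfer
to a new supplier today. Keep this confidential until I confirm.
Send me the bank details form and I'll fill it in.
"""

SAMPLE_BENIGN = """From: Bob Smith <bob@example.com>
To: cfo@example.com
Subject: Lunch
Message-ID: <c2@example.com>

Lunch at noon on Thursday?
"""


def parse_addr(value):
    """(display name lower-cased, address lower-cased) from a header value."""
    name, addr = email.utils.parseaddr(value or "")
    return name.strip().lower(), addr.lower()


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def score_message(raw: str) -> dict:
    """Return {'payload': bool, 'reasons': [...]} for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""

    # What a signature/reputation filter would look for: a URL or attachment.
    has_url = re.search(r"https?://", body) is not None
    has_attachment = any(p.is_attachment() for p in msg.walk())

    name, addr = parse_addr(msg["From"])
    _, reply_to = parse_addr(msg["Reply-To"])
    reasons = []
    if name in EXEC_DISPLAY_NAMES and domain_of(addr) != INTERNAL_DOMAIN:
        reasons.append("exec display name from external domain")
    if reply_to and domain_of(reply_to) != domain_of(addr):
        reasons.append("Reply-To domain differs from From domain")

    text = (msg["Subject"] or "") + "\n" + body
    for label, rx in (("urgency", URGENCY), ("payment", PAYMENT), ("secrecy", SECRECY)):
        if rx.search(text):
            reasons.append(f"{label} language")
    return {"payload": has_url or has_attachment, "reasons": reasons}


if __name__ == "__main__":
    print(score_message(SAMPLE_BEC))
    print(score_message(SAMPLE_BENIGN))
```

The sample BEC message passes any 'known bad' check (no payload, and nothing here says it fails SPF or DMARC for example.net), yet five independent cues fire; the benign message fires none. Stacking weak header and text signals, rather than waiting for a payload to match, is the point of the paragraph above.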
Getting personal with email risk
Employees need safety nets to stop email security incidents from happening, whether they are caused by stress, social engineering, or intentional actions. On their own, the traditional security awareness and training (SA&T) modules that most companies currently have in place are not enough: 46 percent of IT leaders surveyed expressed concern that employees were not engaging properly with the content and were instead skipping through the training as quickly as possible. Intelligent email security combined with an adaptive security architecture addresses this by detecting the broad spectrum of inbound and outbound email threats and automating tailored defenses based on risk. SA&T can then be augmented with easy-to-understand messaging that explains the specific threat being neutralized at the moment it happens.
Ultimately, this holistic approach supports an employee throughout their lifecycle at the company, with SA&T and technical controls treated as one across the business. The burden on security teams is also lightened, as automation removes much of the administrative management. The continued goal is enhanced inbound and outbound email security, enabled by an adaptive security architecture, intelligent email security, and more effective user training delivered through real-time teachable moments.
Tony Pepper is CEO and Co-founder, Egress.