Email security bill of rights for a zero-trust world

This article was contributed by Shalabh Mohan, the chief product officer at Area 1 Security

Reports that $1.7 million in NFTs has been stolen from OpenSea users in a phishing attack on the marketplace have thrust email security, once again, into the global spotlight.

The attack highlights the vulnerability of email; most estimates suggest that email is the root cause of more than 90% of all successful cyberattacks. And although business email compromise (BEC) attacks make up a small percentage of attacks, they cause the most damage: Our data suggest that BEC accounted for 1.3% of attacks but would have resulted in over $354 million in direct losses. 

Hackers are becoming more sophisticated in their phishing email attempts to steal personal and company data. Attackers are impersonating recognized brands and using legitimate cloud hosting services such as Google Cloud and Microsoft OneDrive in their arsenal, which can bypass security systems and users. Attackers are using social engineering tactics, often originating in a link contained in a phishing email, to manipulate and gain unauthorized access to company systems or personal information. To be sure, the most convincing attacks require advanced technology and trained security analysts to identify. Consequently, companies must reevaluate their approach to email security and users rights.

Email-based threats have become harder to defend against, even with next-generation zero-trust network access (ZTNA) technologies designed to mitigate the lateral movement of harmful applications and scripts.

Education and training are important. However, companies need effective and accountable email security technologies to bridge the gap between trustless paranoia and human confidence. Underpinning this security precept is a notion of an “Email Bill of Rights” to restore trust in a modern threat environment. A consumer’s expectations should be that email is secure, much the way a car can be driven without breaking down.

Everyone should have a fundamental right to email that is private, trustworthy, automated, and adaptive — and consequently secure.

Suggested amendments for the Email Security Bill of Rights:

The right of the people for privacy

Consumers have the right to an email account, the contents of which should be reserved for senders and intended recipients. Absent lawful intercepts, organizations and people should rest easy knowing the contents of their inbox have been safely preserved for the eyes of the authorized account holder.

Account takeover (ATO) fraud, a form of identity theft in which a fraudster gains access to victims’ accounts and Microsoft Exchange Server-styled, supply-chain attacks, where the email inbox used by companies is rendered vulnerable by a quartet of zero-day exploits, still warrant special attention. But these breaches don’t stem from “human error” in the traditional sense.

Companies’ internal security organizations must implement robust multifactor authentication controls and vigilantly look to patch IT vulnerabilities as soon as they are disclosed to mitigate cyberthreats.

Shall enjoy a trustworthy system

In a zero-trust security environment, trustworthiness may seem like a bridge too far for email communications.

Despite mistrust in IT systems, there should be adequate ZTNA-ready email security technologies that strike the right balance  between zero trust’s authentication and authorization and peace of mind. Zero trust doesn’t mean not trusting employees. Companies can allow authenticated access based on key trust dimensions while ensuring data loss can be minimized, and incidents can be addressed quickly. Even with bleeding-edge email security tech, companies need to foster a security culture of trust – but verify.

Automation shall not be denied

Modern enterprises should enjoy the benefit of an email security solution that minimizes the need for manual intervention and fine-tuning. Our research has shown that manually analyzing phishing emails that slip through the cracks, and tuning security rules and policies to compensate for them is a hopeless proposition, when dealing with agile and sophisticated threats. Additionally, missed threats make up less than 0.5% of monthly email traffic, on average. However, it only takes one missed threat to cause a security disaster that damages a company’s operations and costs millions. 

Artificial intelligence (AI) and automation can keep company inboxes clean, relevant, safe, trustworthy, and reliable. By harnessing the power of automation, companies can delegate their security and IT personnel to focus on critical risk priorities, while AI-powered applications rapidly, reliably, and accurately filter out harmful emails at scale. With companies handling hundreds of millions of incoming emails daily, the need for automated threat detection has never been greater.  

Adaptiveness, being necessary

Phishing campaigns are about human behavior. That email from your favorite retailer about a special offer that is just for you? Attackers are using this technique to lure people to click links that direct them to fake websites where they reveal personal or company information. Looking at these behaviors and how people interact with their email can help to determine whether their actions are safe or if they pose a security risk. As a result, email security technology should be adaptive. Inbox filtering technologies should be deploying continuous learning and advanced analytics to facilitate an ongoing understanding of new threats.

Cyber-threat actors are leveraging sophisticated technologies to launch phishing attacks, be it spear phishing that targets specific individuals with what appear to be authentic reports of documents to vishing, or voice phishing, which involves fake voice messages, or emails containing files or voice messages that are designed to lead a victim to call back to provide personal information which will be used in other attacks. Defenders must assume that attackers are leveraging advanced technology and seek to maintain an edge in the relentless cyber-arms race.

The key is constantly pushing the limits of machine learning and data science and allocating significant resources to cyber-threat intelligence research. This way, companies can assure customers that they are constantly evolving across the same spectrum as the next generation of email-delivered threats.

We, the email users

Facing increasingly sophisticated threats, it’s time for companies to rethink their email security strategy. The cybersecurity community can help companies mitigate cyber-threats at the source and restore trust in an increasingly trustless Web3 world.

It is not unreasonable in 2022 for consumers to have the expectation of the right to privacy, trust, security, and accountability from their email services. This is no longer a luxury, but a necessity in a world reliant on digital communications.

Shalabh Mohan is chief product officer of Area 1 Security.