
While the vast majority of CISOs implement email security, there’s an elephant in the room that urgently needs to be prioritized. Deryck Mitchelson explains…

Email security compromises are among the most frequent types of cyber incident, but does this really need to continue, given the tools and resources available to security leaders?

The vast majority of CISOs do implement email security. However, there’s an issue that needs to be addressed, and CISOs are often blindsided by it – they just don’t see it at all. The problem is that CISOs do not know whether or not their email security is actually working and, if so, to what extent.

When asked how they know that their current level of email security is providing the correct level of protection, many CISOs simply lack an answer. They’ve got nothing. They don’t know the number of dangerous links that have been clicked on. They don’t know whether the number of phishing emails coming in is increasing or decreasing. And they’re not improving the rules around quarantining or releasing emails. They’re not even in the operational space. Despite around 90 percent of cyber attacks originating from an email, email is seen as a black box.

While CISOs can automate 99 percent of email security management, allowing automation to do the heavy lifting, there’s still 1 percent of the job that cannot be automated. It’s that 1 percent that CISOs and cyber security professionals are not paying attention to.

CISOs commonly have the impression that with certain products, such as Microsoft Office 365, email is natively secure or ‘secure enough’. However, unless a CISO has a team that is managing the product — dissecting the logs, working with the dashboards and scrutinizing ingress traffic — the CISO cannot actually understand the level of the email threat. And do some CISOs take their eye off the email security risk? Probably. Is there an assumption that cloud security providers are managing email risk for security leaders? Probably.

Another truth is that email security is just not a hot topic. It’s not sexy. So cyber security leaders don’t want to be in that space. They would prefer to be in the space of orchestration technologies, DevSecOps technologies, and cloud technologies.

In addition, because email has been around for decades, some security professionals might not believe just how vicious a modern email threat can be. They don’t really see an email as a high-level threat with an elevated level of risk.

Even CISOs who do strive to guard against email threats may struggle to understand exactly what the email threat is and how to articulate it, because they cannot get what they need from the dashboards, or because there is no report that provides a high-level overview of the relevant email threat metrics. Other security leaders might not even understand the magnitude of the threat until an attack is already in motion and the email is in the inbox.

CISOs need to understand the overhead that inadequate email security creates: what it’s costing the business, and what the risk is.

For example, prior to joining Check Point, my Security Operations teams spent all of 30-40 percent of their time managing emails.

That’s huge. Absolutely huge. For an organization that is building its teams internally, that’s a considerable amount of their time. I would go as far as saying that you could probably save several headcount from your team with proper email security.

Where to start improving email security

First of all, automating email security as much as possible is critical. CISOs should rely on really strong preventative technologies to automate and take away most of the risk. Secondly, security leaders need to ensure that the solutions implemented genuinely strengthen what is offered by cloud security providers, such as Microsoft (O365) or Google (Gmail).
Also, inline is important, because an inline solution has the capability to prevent very quickly, and that is what’s critical with email. A malicious inbox rule can move an email before it is seen, hiding an account compromise. A link will take a user to a hoax website that perfectly impersonates the real one. Security leaders need to have that inline solution, preventing things from getting to mailboxes and thereby preventing compromise.
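The malicious-rule case mentioned above is one that a security operations team can check for directly. The following is an added example (not code from the article or from Check Point): a small audit that flags inbox rules with the patterns that typically accompany a compromised mailbox, such as forwarding to an external domain, moving mail into rarely-read folders and marking it read, deleting mail that matches finance or security keywords, or using an unreadable rule name. The rule fields, addresses and domains are constructed, hypothetical values; a real deployment would populate the same shape from the mail platform’s rule export.

```python
"""Audit mailbox inbox rules for patterns that commonly hide an account compromise.

Added example, not part of the original article. The InboxRule fields are a
simplified, vendor-neutral shape (hypothetical field names); the sample rules,
addresses and domains below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Folders into which hidden mail is commonly moved so the mailbox owner never notices it
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email",
                  "archive", "conversation history"}
# Filter words that suggest a rule is intercepting finance or security traffic
SENSITIVE_KEYWORDS = {"password", "invoice", "payment", "wire", "hacked", "phishing",
                      "security alert", "mfa", "verification"}


@dataclass
class InboxRule:
    name: str
    owner: str                                        # mailbox the rule belongs to
    keywords: List[str] = field(default_factory=list)  # subject/body "contains" filters
    move_to_folder: Optional[str] = None
    forward_to: List[str] = field(default_factory=list)  # forward/redirect targets
    mark_as_read: bool = False
    delete: bool = False


def is_external(address: str, internal_domains: Set[str]) -> bool:
    """True if the address's domain is not one of the organization's own domains."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in internal_domains


def audit_rule(rule: InboxRule, internal_domains: Set[str]) -> List[str]:
    """Return finding codes for one rule; an empty list means nothing suspicious."""
    findings = []
    if any(is_external(a, internal_domains) for a in rule.forward_to):
        findings.append("external-forward")
    if rule.move_to_folder and rule.move_to_folder.lower() in HIDING_FOLDERS:
        findings.append("moves-to-hiding-folder")
    if rule.delete:
        findings.append("deletes-mail")
    if rule.mark_as_read and (rule.move_to_folder or rule.delete):
        findings.append("marks-read-then-hides")
    hits = {k for k in rule.keywords if k.lower() in SENSITIVE_KEYWORDS}
    # Sensitive keywords alone are benign (users filter invoices); only flag them
    # when combined with a hiding, deleting or forwarding action.
    if hits and (findings or rule.forward_to):
        findings.append("targets-sensitive-keywords")
    # A name made only of punctuation or whitespace (e.g. ".") is a low-visibility choice
    if not any(ch.isalnum() for ch in rule.name):
        findings.append("empty-or-punctuation-name")
    return findings


def audit_rules(rules: List[InboxRule], internal_domains: Set[str]) -> Dict[str, Dict[str, List[str]]]:
    """Map owner -> {rule name: findings} for every rule with at least one finding."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for r in rules:
        f = audit_rule(r, internal_domains)
        if f:
            report.setdefault(r.owner, {})[r.name] = f
    return report


# Constructed sample rules (hypothetical mailboxes and domains)
SAMPLE_RULES = [
    InboxRule("Newsletters", "alice@example.com", keywords=["newsletter"], move_to_folder="Newsletters"),
    InboxRule(".", "bob@example.com", keywords=["invoice", "payment"], move_to_folder="RSS Feeds", mark_as_read=True),
    InboxRule("Backup", "carol@example.com", forward_to=["carol.backup@mail-example.net"]),
    InboxRule("Cleanup", "dave@example.com", keywords=["hacked", "password"], delete=True),
]
INTERNAL_DOMAINS = {"example.com"}

if __name__ == "__main__":
    for owner, rules in audit_rules(SAMPLE_RULES, INTERNAL_DOMAINS).items():
        for name, findings in rules.items():
            print(f"{owner}: rule {name!r} -> {', '.join(findings)}")
```

Run on the sample, the audit is silent about Alice’s genuine newsletter filter and reports the other three mailboxes. The useful operational habit is to run this on every rule-creation event rather than on a schedule, because the value of an inline control is that the rule is reviewed before the mail it hides has been acted on.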

Some frameworks do talk about best practices around email security and email security gateways. I’ve seen NIST talk about that. But best practices are just that: best practices. They’re not mandated.
I also wonder about the extent to which CISOs really consider what they’re purchasing. For instance, if security leaders are buying both an email client and email security from the same vendor, maybe it’s time to consider a secure email provider, which can greatly enhance email security. Or maybe it’s time to shift to a layered approach to email security.

What else can be done to evolve email security

At every conference, every security professional talks about email security as a #1 priority. But I have not found any organization that I think does it properly.

It just takes one malicious email to bring down an entire organization. One single malicious email could cost a business four or five million dollars in threat clean-up, remediation and legal expenses, should an employee click on the email.

Prevent threats from ever reaching users’ inboxes. Obtain security that blocks what the default layers of security miss. Develop and demonstrate expertise in measuring email threat metrics, present the results to management and the board, and continue to optimize your email threat prevention architecture.
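The metrics this closing paragraph and the earlier “black box” paragraph call for (links clicked, phishing trend, quarantine releases, and what the default layer let through) can be derived from the gateway’s own logs. The following is an added example, not code from the article or from any vendor: it parses a constructed, hypothetical key=value log format and computes those headline figures. The event names, field names and sample lines are assumptions made for the example; map your gateway’s export onto the same fields.

```python
"""Compute the email threat metrics a CISO should be able to report, from gateway logs.

Added example, not part of the original article. The key=value log format,
event names and field names are a constructed, hypothetical simplification.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample log: one event per line. 'verdict' events are delivery decisions,
# 'click' events are users following a link, 'release' events are quarantine releases.
SAMPLE_LOG = """\
2024-05-06T08:12:01Z event=verdict msgid=m1 recipient=alice@example.com verdict=phish action=quarantine
2024-05-06T08:15:44Z event=verdict msgid=m2 recipient=bob@example.com verdict=clean action=deliver
2024-05-06T09:00:00Z event=verdict msgid=m3 recipient=bob@example.com verdict=phish action=deliver
2024-05-06T09:05:10Z event=click msgid=m3 recipient=bob@example.com url_verdict=malicious
2024-05-07T10:30:00Z event=release msgid=m1 released_by=helpdesk
# gateway restarted
2024-05-08T11:00:00Z event=verdict msgid=m4 recipient=carol@example.com verdict=malware action=block
2024-05-13T08:00:00Z event=verdict msgid=m5 recipient=dave@example.com verdict=phish action=quarantine
2024-05-13T08:01:00Z event=verdict msgid=m6 recipient=dave@example.com verdict=phish action=quarantine
2024-05-14T12:00:00Z event=verdict msgid=m7 recipient=erin@example.com verdict=spam action=quarantine
2024-05-14T12:30:00Z event=click msgid=m2 recipient=bob@example.com url_verdict=clean
2024-05-15T09:00:00Z event=verdict msgid=m8 recipient=erin@example.com verdict=phish action=deliver
2024-05-15T09:10:00Z event=click msgid=m8 recipient=erin@example.com url_verdict=malicious
2024-05-16T09:00:00Z event=verdict msgid=m9 recipient=frank@example.com verdict=phish action=quarantine
"""

MALICIOUS_VERDICTS = {"phish", "malware"}
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for blank/comment/malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None   # e.g. the '# gateway restarted' line
    record = {"ts": ts}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        record[key] = value
    return record if "event" in record else None


def compute_metrics(log_text):
    """Return the headline metrics for the period covered by the log."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    malicious_by_week = Counter()   # ISO week -> phish+malware messages seen
    quarantined = released = 0
    delivered_malicious = []        # malicious verdicts that were still delivered (misses)
    dangerous_clicks = []           # (recipient, msgid) for clicks on malicious URLs
    for r in records:
        if r["event"] == "verdict":
            if r["verdict"] in MALICIOUS_VERDICTS:
                malicious_by_week[r["ts"].isocalendar()[1]] += 1
                if r["action"] == "deliver":
                    delivered_malicious.append(r["msgid"])
            if r["action"] == "quarantine":
                quarantined += 1
        elif r["event"] == "release":
            released += 1
        elif r["event"] == "click" and r.get("url_verdict") == "malicious":
            dangerous_clicks.append((r["recipient"], r["msgid"]))
    # Week-over-week change of the malicious volume (None if fewer than two weeks of data)
    weeks = sorted(malicious_by_week)
    trend = None
    if len(weeks) >= 2:
        prev, cur = malicious_by_week[weeks[-2]], malicious_by_week[weeks[-1]]
        trend = (cur - prev) / prev if prev else None
    return {
        "malicious_by_week": dict(malicious_by_week),
        "week_over_week_change": trend,
        "delivered_malicious": delivered_malicious,
        "dangerous_clicks": dangerous_clicks,
        "quarantine_release_ratio": (released / quarantined) if quarantined else 0.0,
    }


if __name__ == "__main__":
    for key, value in compute_metrics(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The two figures worth putting in front of the board are `delivered_malicious` (what the default layer let through, which is exactly the gap an additional inline layer is meant to close) and `dangerous_clicks` (what users actually did with it); the weekly trend and release ratio show whether the operational rules are improving over time.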

The author

Deryck Mitchelson is Field CISO EMEA, Check Point Software.
