By: Bashar Bashaireh, Managing Director, Middle East & Turkey, Cloudflare
Email is the most exploited business application. It is the primary initial attack vector for cybersecurity incidents, and contains vast amounts of trade secrets, PII, financial data, and other sensitive matters of value to attackers. On top of that, email is one of the hardest applications to secure. If it were simple, there would be fewer headlines about business email compromise (BEC) losses topping $50 billion, and fewer breaches resulting from someone falling for a phish. Once an attacker has infiltrated one email account, they can move laterally and impact a wide range of internal systems. Phishing is as common in the public sector as it is in the private sector and besides the obvious financial implications, there is also the issue of damage to the reputation of the enterprise.
Cloudflare recently published its 2023 Phishing Threats Report. The three key takeaways are:
- Attackers use links as the #1 phishing tactic — and are evolving how they get you to click and when they weaponize the link.
- Identity deception takes multiple forms and can easily bypass email authentication standards.
- Attackers may pretend to be hundreds of different organizations, but they primarily impersonate the entities we trust (and need to get work done).
Below are some recommendations that will help organizations stay out of the Phishing trap:
Secure email with a Zero Trust approach – Despite email’s pervasiveness, many organizations still follow a “castle-and-moat” security model that trusts messages from certain individuals and systems by default.
With a Zero Trust security model, you trust no one and nothing. No user or device has completely unfettered, trusted access to all apps — including email — or network resources. This mindset shift is especially critical if you have multi-cloud environments and a remote or hybrid workforce.
Don’t trust emails just because they have email authentication set up, are from reputable domains, or “from” someone with whom you have a prior communication history. Choose a cloud email security solution rooted in the Zero Trust model and make it more difficult for attackers to exploit existing trust in “known” senders.
Augment cloud email with multiple anti-phishing controls – A multi-layered defense can preemptively address high-risk areas for email exposure, including:
- Blocking never-before-seen attacks in real time, without needing to “tune” a SEG or wait for policy updates
- Exposing malware-less financial fraud such as VEC and supply chain phishing
- Automatically isolating suspicious links or attachments in email
- Identifying and stopping data exfiltration, particularly via cloud-based email and collaboration tools
- Discovering compromised accounts and domains attackers use to launch campaigns
More organizations are choosing a layered approach to phishing protection. As noted in The Forrester Wave: Enterprise Email Security, Q2 2023, “The email security vendors you work with should demonstrate an ability to connect and share data with each other and with key tools in your security tech stack.
Adopt phishing-resistant multi-factor authentication – Any form of multi-factor authentication (MFA) is better than none, but not all MFA provides the same level of security. Hardware security keys are among the most secure authentication methods for preventing successful phishing attacks; they can protect networks even if attackers gain access to usernames and passwords. Consider replacing MFA methods like SMS or time-based OTP with more proven methods like FIDO-2 compliant MFA implementations.
Applying the principle of least privilege can also ensure hackers who make it past MFA controls can access only a limited set of apps, and partitioning the network with microsegmentation can prevent lateral movement and contain any breaches early.
Make it harder for humans to make mistakes – The larger your organization, the more each of your teams will want to use their own preferred tools and software. Meet employees and teams where they are by making the tools they already use more secure, and preventing them from making mistakes.
For example, email link isolation, which integrates email security with remote browser isolation (RBI) technology, can automatically block and isolate domains that host phishing links, instead of relying on users to stop themselves from clicking.
Establish a paranoid, blame-free culture – Encouraging an open, transparent “see something, say something approach” to collaborating with your IT and security incident response teams 24/7 helps get everyone on “team cyber.”
Minutes matter during attacks. Establishing a paranoid but blame-free culture that reports suspicious activity — as well as genuine mistakes — early and often helps ensure incidents (no matter how rare) are reported as soon as possible.