Implementation Guidance: Email Domain Protection
The state of the world in 2020 is unlike anything we have ever experienced before. The complexities of living and working safely during the COVID-19 outbreak have trickled down to the IT world as criminal threats follow workers home. Financially motivated attacks on worker email accounts have only multiplied since the beginning of the pandemic.
Why do hackers and other criminal actors focus on email?
Email is the common connective thread among commercial and non-profit organizations of all sorts. Because every organization depends on it, email is also the most popular attack vector against organizational security, both inside and outside the organization. Spoofing attacks abuse the organization's own domain to deceive its employees, and phishing campaigns sent in the organization's name damage its brand with customers and partners. Cyber threat actors are constantly developing and trying out new tactics, techniques, and procedures to identify and exploit weaknesses in email security.
Research firm Vanson Bourne conducted a survey of 1,025 IT managers in eight countries in February and March of 2020. Their respondents reported heightened concerns about email domain protection. The survey tallies found that:
- 51 percent had experienced a ransomware attack in the last 12 months.
- 58 percent had experienced an increase in phishing attacks.
- 60 percent had seen an increase in impersonation fraud in the last year.
- 60 percent had downtime from an attack that spread from one employee’s infected computer to the computers of other employees.
- 77 percent had discovered weak passwords.
- 85 percent believed email attacks would increase over the coming year.
- 90 percent identified deficiencies in training employees against email attacks.
The human firewall
Email attacks can disrupt communications within an organization and with its customers. Even worse, email attacks can infect customer computers, not only taking them out of commercial communications but also creating a potential courtroom liability for the company whose computer forwarded the threat.
About 50 percent of all email attacks involve employee error. These security breaches only succeed because some human employed by the targeted company makes a preventable mistake. No software package, and no technical control such as DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF), or Domain-based Message Authentication, Reporting, and Conformance (DMARC), can substitute for employee training; the technical controls and the trained employee have to work together.
Employee training is the “human firewall,” the last line of defense against cyberattacks. But the Vanson Bourne survey found that only 21 percent of companies train employees on email security at the recommended interval of once a month, and 17 percent devote only 15 minutes a year to it. The survey also found that employees who did not receive monthly cybersecurity training were five times more likely to click on a malicious link than those who did.
How do companies that recognize the need for training know that their programs will make a difference? IT managers in the survey describe effective training this way:
- Effective cybersecurity training is inclusive. Everyone from the CEO to an entry-level employee on the first day on the job needs to be aware of current cybersecurity threats.
- Effective cybersecurity training is engaging. Too many companies recite bullet points and expect employees to regurgitate them for a multiple-choice test that certifies completion of email domain protection training. Cybersecurity principles should not be restricted to the classroom. They need to be reinforced throughout the day, every day.
- Effective cybersecurity training is global. Training reaches across the cultures and languages represented in the company. Every employee is a stakeholder in cybersecurity.
Company IT departments do not have to create their own cybersecurity training. Cybersecurity training is always an appropriate task for outsourcing. Dedicated contractors for cybersecurity services have more resources to stay up to date on the latest threats and more experience dealing with diversity in the workplace. But email domain protection requires more than just the human firewall.
So, how can companies improve their cybersecurity? Let’s consider several underutilized tools.
Domain-based Message Authentication, Reporting & Conformance (DMARC)
Domain-based Message Authentication, Reporting & Conformance, also known as DMARC, is an email authentication policy that lets a domain owner declare, in a DNS record, how receivers should treat mail that claims to come from the domain but fails authentication. A receiver checks that the message passed SPF or DKIM and that the authenticated domain aligns with the domain in the visible From: header; if neither check passes, it applies the owner's published policy, which can be to monitor only, to quarantine, or to reject. On the sender side, DMARC protects the supply chain and customers because the aggregate reports receivers send back show the domain owner who is sending mail in the company's name. On the receiver side, it protects employees by giving the mail system a reliable basis for detecting and blocking senders who spoof a protected domain.
Survey data find that IT managers are aware of DMARC, but most companies don’t use it. Only 28 percent of companies surveyed have deployed DMARC in their cybersecurity programs. The reason so few companies use DMARC in email protection is that many senior executives don’t realize what it really does.
What is appropriate implementation of DMARC?
DMARC protects data. Data breaches have quantifiable implications. When an email system is compromised, the organization can estimate the number of customers affected, the dollar value of downtime and lost sales, and the number of paid hours needed to get email systems up and running again.
But DMARC also protects brands. Customers shy away from vendors with known cybersecurity issues. Spoofing and phishing emails reflect badly on their apparent senders and the employees who forward them. This is the case even when the company owning the email domain is innocent of any intentional wrongdoing.
Damage to data is costly. Damage to brand can be catastrophic. The cost of data recovery may only result in a bad quarterly report, but the loss of brand value can hurt the company for years to come. Companies that protect their brands put the budget for DMARC at least partially in the departments most intimately involved in data security.
The problem isn’t that companies aren’t aware that brands are valuable. In the cybersecurity survey, 98 percent of responding companies reported that they have a budget for brand protection. The issue that comes up with cybersecurity is who controls the budget for cybersecurity. If the budget for DMARC is managed by the Chief Financial Officer (CFO) or the chief legal officer, the company may not respond to cyberthreats quickly enough. The IT department needs to have at least a partnership with other executive functions in managing resources for DMARC.
The IT department needs to have resources for immediate threats to cybersecurity. The Chief Financial Officer can manage longer-term risks to the company and budgeting.
Why do we need DMARC? Aren’t we already protected by SPF, DKIM, and Microsoft 365?
DMARC is not the only tool of email domain protection. Many organizations deploy SPF and DKIM, or rely on Microsoft 365 features for cloud email. There are problems with all of these systems.
SPF (Sender Policy Framework) lets a domain publish a DNS record listing the IP addresses and networks authorized to send mail for it. The receiving server looks up the SPF record for the domain in the message's envelope sender (the SMTP MAIL FROM address) and checks whether the connecting IP address is on the list. A message from an unlisted address produces a fail, softfail, or neutral result depending on the qualifier the domain owner put on the record's final “all” term, so what the receiver does with it is shaped by the sender's own record. DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to the message, computed with a private key; receivers fetch the matching public key from DNS for the domain named in the signature and verify it. A DKIM failure by itself does not cause rejection; it is one input the receiver weighs when deciding how to handle the message.
The problem with both of these systems is that the domain they authenticate is not necessarily the domain the recipient sees. SPF checks the envelope sender domain and DKIM checks the domain named in the signature (the d= tag), but neither requires that domain to match the address in the From: header that the mail client displays. A threat actor can therefore set up SPF and DKIM for a domain they control, pass both checks, and still put a trusted company's domain in the From: header. On the other hand, legitimate messages may be rejected if SPF and DKIM are not properly configured.
DMARC was created to overcome these issues. It requires that the SPF- or DKIM-authenticated domain align with the From: header domain, and it lets the domain owner roll out enforcement gradually, starting with a monitoring policy that only collects reports.
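The following is an added example, not code from the original page or from any vendor, that shows the alignment check DMARC adds on top of SPF and DKIM results. The DMARC records, the message authentication results and the domain names are all constructed; the organizational-domain function is a simplification (real DMARC consults the Public Suffix List), and the message is represented only by the pieces the check needs: the From: header domain, the SPF-checked envelope domain and result, and the list of DKIM signature domains with their results.

```python
# Constructed DMARC records (not real DNS data). One domain enforces
# reject; the other is still in the monitoring phase (p=none).
FAKE_DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=r; "
                          "rua=mailto:dmarc-reports@example.com",
    "_dmarc.monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
}


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict, defaulting to relaxed alignment."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")  # r = relaxed, s = strict
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Simplified organizational domain: last two labels (assumption, no PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed needs the same org domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_evaluate(header_from, spf_domain, spf_result, dkim_results):
    """Return (dmarc_result, disposition) for one message.

    dkim_results is a list of (d= domain, result) pairs, one per signature.
    disposition is the owner's policy when DMARC fails, otherwise 'none'.
    """
    record = FAKE_DNS_TXT.get("_dmarc." + header_from.lower())
    if record is None:
        # No record on the exact From: domain: fall back to the org domain.
        record = FAKE_DNS_TXT.get("_dmarc." + org_domain(header_from))
    policy = parse_dmarc(record) if record else None
    if policy is None:
        return ("none", "none")  # domain publishes no policy; local rules apply
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, policy["aspf"])
    dkim_ok = any(
        result == "pass" and aligned(header_from, d, policy["adkim"])
        for d, result in dkim_results
    )
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", policy["p"])
```

The spoofing case from the text is the second call in the tests: the attacker's own domain passes SPF and DKIM, but because neither authenticated domain aligns with example.com in the From: header, DMARC fails and the published p=reject policy applies. The same forged message sent in the name of monitor.example also fails, but its p=none policy yields no enforcement, only a report.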
Cloud email systems are also at risk. Of the businesses surveyed by Vanson Bourne that use Microsoft 365, almost 60 percent reported an outage in the past year. Microsoft 365 does not include a separate continuity service to carry communications during an outage: inbound mail can be delayed or bounced, and nothing reaches employees until service is restored. Salespeople understandably resort to personal email accounts to maintain contact with customers, placing their messages outside the company's protection and policy controls. In a time of shortages and supply chain disruptions, like the current COVID-19 pandemic, even brief email outages can result in significant lost business or added cost.
Seven cybersecurity challenges for businesses large and small and how to meet them
The bottom line for cybersecurity in 2020 is that organizations of every size face ever-increasing security challenges in at least seven categories.
- Email is the most likely target for cyberattacks. Email domain security will be an issue for a majority of companies and non-profit organizations this year.
- Phishing, spoofing, impersonation, and other compromises of business email will only increase during the rest of 2020. The Mimecast Threat Center documented a 30 percent increase in business impersonations in just the first four months of this year.
- Ransomware isn’t going away. Half of businesses suffered three days or more of downtime due to ransomware attacks in 2019.
- In 60 percent of cyberattacks, malicious code is spread from employee to employee. Clicking on a bad URL is the most common source of the problem.
- Microsoft 365 is not sufficiently resilient for safe use without IT upgrades. And employees affected by Microsoft 365 outages must be constantly reminded not to use personal email accounts.
- Budget ownership has a significant effect on how quickly organizations can respond to an attack. Company IT needs to share ownership of resources to respond to data breaches.
- Looking beyond email domain protection to brand protection is a security frontier companies can no longer afford to ignore. Cyberattacks have consequences beyond loss of data. They also affect market position.
Business as usual is a dangerous policy in 2020. Organizations of all sizes face more threats to cybersecurity than ever before. And company IT staffs are more stressed than ever as they try to meet security challenges.
Those are the reasons more and more companies are choosing to outsource their email domain protection functions. Downloading security software is no longer enough. Companies of all sizes need the dedicated expertise of cybersecurity specialists to keep their communications up and running so they can focus on doing what they do best.