No room for complacency in e-mail security

Brian Pinnock, cyber security expert, Mimecast.

Even though most South African organisations employ two layers of security to help protect their e-mail from cyber attacks, they should avoid becoming too complacent in the face of the growing sophistication and ever-changing nature of cyber threats.

That’s the view of Brian Pinnock, cyber security expert at Mimecast, who maintains that organisations need to look at implementing highly specialised security solutions to counter the increasingly sophisticated cyber attacks.

This is despite the fact that Mimecast’s “Business Email Platform” research report found that, compared to other markets, South African organisations believe they are well-placed to protect themselves against a wide range of e-mail-borne cyber attacks.

The report, which was based on a survey of 331 South African IT and security directors in early 2021, looked at whether IT decision-makers trusted the security bundled with their business e-mail services or whether there was a need for supplementary solutions; how well organisations were implementing layered security strategies; and which type of cyber attacks they were most concerned about.

The survey found that respondents claimed to have high levels of confidence in their built-in e-mail platform security – 80% said their e-mail platform is designed to offer business e-mail compromise (BEC) protection and 77% said it offers zero-day threat protection. Yet 29% of respondents said they don’t trust their e-mail platform to stop all cyber attacks, and this rate rose to 36% in the financial services and public sectors. The last year has seen a major shift in the threat landscape; the rise in ransomware has been particularly worrying for security leaders. Thirty-eight percent of all respondents said their e-mail platforms don’t offer adequate ransomware protection.

Pinnock believes it’s for this reason that nearly all (95%) respondents confirmed using third-party solutions in addition to those offered by their e-mail providers to help secure their e-mail against cyber threats.

Mimecast’s survey respondents reported an average 3.2 e-mail service outages per year. In the public sector, the rate of outages is even higher at nearly four (3.8) per year.

E-mail outages are caused by scheduled maintenance by an organisation’s IT team or the e-mail service provider experiencing a technical issue. But they can also be due to the organisation’s IT teams having to take systems offline in an attempt to contain a cyber attack.

Because e-mail has become indispensable to business communication, an e-mail outage can wreak havoc throughout an organisation – for example, when an e-mail outage prevents users from sending or receiving e-mail, business grinds to a halt. In the public sector, especially during the ongoing pandemic, this could significantly undermine the delivery of essential services to those most in need.

Another important consideration around e-mail security for local organisations is the need to comply with the POPI (Protection of Personal Information) Act. E-mail contains a wealth of customers’, suppliers’ and employees’ personal information.

POPIA requires organisations to take “all reasonable steps” to protect all information spread across their organisation. This means they have to implement tools and controls that can help manage the collection, processing and storage not only of structured data, but of the types of unstructured data often found in e-mail systems as well.

“The importance of e-mail security cannot be overstated,” Pinnock says. “Over the last few years, research has shown that around 90% of all cyber attacks start with e-mail. Think about it: E-mail systems are always on; they’re a trusted communications channel between individuals and organisations; they can carry links and attachments; and they can be impersonated easily.

“So, for cyber criminals hoping to penetrate corporate defences to steal confidential information, use the organisation’s brand to defraud its customers or simply disrupt business operations, attacking the e-mail system is cheap, simple and highly effective.”

According to Pinnock, this means that South African IT decision-makers can’t afford to be complacent. “Frequent e-mail outages suggest their security posture might not be as sturdy as their confidence indicates, with outages creating opportunities for innovative attackers,” he adds.

Meanwhile, the threat landscape is also evolving rapidly. The COVID-19 pandemic has shifted the on-premises working environment to remote or hybrid models – and many employees who now work from home often engage unwittingly in risky user behaviour.

Opportunistic cyber attackers are doing everything they can to capitalise on this transformation, with over 80% of survey respondents reporting that cyber attackers had become more sophisticated since the start of the pandemic. Over 70% noted an increase in security issues involving e-mail. Worryingly, seven out of 10 (72%) found that e-mail-borne attacks were now more likely to find some measure of success.

In light of this, 85% of organisations surveyed said they were accelerating their digital transformation plans in an attempt to better protect themselves against cyber threats.

“IT decision-makers must be alert to new vulnerabilities at all times,” Pinnock says. “E-mail remains the number one business application. It is now even more important to the effective running of an organisation with the switch to remote or hybrid work models and the implementation of POPIA.

“The almost universal practice in South Africa of organisations implementing additional layers of security on top of security built into business e-mail platforms points to growing recognition that defence-in-depth is necessary in the current threat landscape.

“However, with the sharp rise in the number of all attack types over the past year, and an increasing reliance on a few dominant e-mail platforms, organisations are at unprecedented risk from e-mail vulnerabilities. They therefore need to deploy specialised security solutions that offer the best-in-class protection against specific attack types to be assured of the best overall resilience,” Pinnock concludes.
