Email Security Bill of Rights for a Trustless World

This article was written by Shalabh Mohan, Product Manager at Area 1 Security

Reports that $1.7 million in NFTs were stolen from OpenSea users in a marketplace phishing attack have thrust email security once again into the global spotlight.

The attack highlights how vulnerable email remains: most estimates suggest that email is the source of over 90% of all successful cyberattacks. And while business email compromise (BEC) attacks represent a small percentage of attacks, they cause the most damage: our data suggests that BECs accounted for 1.3% of attacks, yet were thought to have resulted in more than $354 million in direct losses.

Hackers are becoming more sophisticated in their email phishing attempts to steal personal and corporate data. Attackers impersonate recognized brands and host their lures on legitimate cloud services such as Google Cloud and Microsoft OneDrive, which lets them slip past both security systems and users. They use social engineering tactics, often starting from a link in a phishing email, to manipulate people and gain unauthorized access to company systems or personal information. The most convincing attacks require advanced technology and trained security analysts to identify. Companies therefore need to re-evaluate their approach to email security and user rights.

Email-based threats have become more difficult to defend against, even with next-generation Zero Trust Network Access (ZTNA) technologies designed to mitigate the lateral movement of harmful applications and scripts.

Education and training are important. However, businesses need effective and responsible email security technologies to bridge the gap between trustless paranoia and human trust. Underlying this security precept is a notion of an “email bill of rights” to restore trust in a modern threat environment. A consumer’s expectation should be that email is secure, the way a car can be driven without breaking down.

Everyone should have a fundamental right to private, reliable, automated and adaptive – and therefore secure – email.

Proposed amendments to the Email Security Bill of Rights:

The right of individuals to privacy

Consumers are entitled to an email account whose content is restricted to its intended senders and recipients. In the absence of lawful interception, organizations and individuals need the peace of mind of knowing that the contents of their inbox are kept from the eyes of anyone other than the authorized account holder.

Account takeover (ATO) fraud, a form of identity theft in which a fraudster gains access to victims’ accounts, and Microsoft Exchange Server-style supply chain attacks, in which the mail inboxes that businesses rely on were left vulnerable by a quartet of zero-day exploits, always deserve special attention. But these shortcomings are not due to “human error” in the traditional sense of the term.

Enterprise security teams should implement robust multi-factor authentication controls and patch IT vulnerabilities as soon as they are disclosed in order to mitigate these threats.

Benefit from a trustworthy system

In a zero-trust security environment, trust can seem like a bridge too far for email communications.

Despite mistrust of IT systems, there should be adequate ZTNA-compliant email security technologies that strike the right balance between zero-trust authentication and authorization and peace of mind. Zero trust does not mean not trusting employees. Businesses can authorize authenticated access based on key trust dimensions while ensuring that data loss can be minimized and incidents can be addressed quickly. Even with state-of-the-art email security technology, organizations must foster a culture of security that is trust-based, yet verifiable.

Automation does not fail

Modern businesses should benefit from an email security solution that minimizes the need for manual interventions and adjustments. Our research has shown that manually analyzing phishing emails that slip through the cracks and adjusting security rules and policies to compensate for them is a hopeless proposition in the face of nimble and sophisticated threats. Additionally, missed threats average less than 0.5% of monthly email traffic. However, it only takes one missed threat to cause a security disaster that damages business operations and costs millions.

Artificial intelligence (AI) and automation can keep business inboxes clean, relevant, secure, trustworthy and reliable. By harnessing automation, companies can free their security and IT staff to focus on critical risk priorities, while AI-powered applications quickly, reliably and accurately filter out malicious email at scale. With businesses processing hundreds of millions of incoming emails daily, the need for automated threat detection has never been greater.

Adaptability, being necessary

Phishing campaigns are about human behavior. That email from your favorite retailer about a special offer just for you? Attackers use this technique to trick people into clicking on links that take them to fake websites where they reveal personal or corporate information. Examining these behaviors and how people interact with their email can help determine if their actions are safe or pose a security risk. Therefore, email security technology must be adaptive. Inbox filtering technologies should deploy continuous learning and advanced analytics to facilitate continuous understanding of new threats.

Cybercriminals leverage sophisticated technologies to launch phishing attacks, whether spear phishing, which targets specific individuals with what appear to be authentic documents, or vishing (voice phishing), which uses fake voice messages, or emails carrying voice-message attachments, designed to trick a victim into calling back and providing personal information that will be used in further attacks. Defenders must assume that attackers are leveraging advanced technology and seeking to maintain an edge in the relentless cyber arms race.

The key is to constantly push the boundaries of machine learning and data science and to allocate significant resources to cyber threat research. This way, companies can assure their customers that they are keeping pace with the next generation of email-borne threats.

We, the mail users

Faced with increasingly sophisticated threats, it is time for companies to rethink their email security strategy. The cybersecurity community can help businesses mitigate cyber threats at source and restore trust in an increasingly trustless Web3 world.

It is not unreasonable in 2022 for consumers to expect the right to privacy, trust, security and accountability from their messaging services. It is no longer a luxury, but a necessity in a world dependent on digital communications.

Shalabh Mohan is Product Manager at Area 1 Security.
