Industry executives and experts share their predictions for 2020. Read them in this 12th annual VMblog.com series exclusive.
By Peter Goldstein, CTO & co-founder, Valimail
The Year of Email Security Takes Center Stage
Of the many cybersecurity concerns, ransomware
and business email compromise (BEC) have been top of mind in recent months for
all organizations - enterprises, government agencies, nonprofits, and even
school districts. What these two types of attacks have in common is that they
are almost always initiated via email. In fact, more than 90% of all cyberattacks
start with a phishing email. Therefore, locking down inboxes to shut out
malicious emails is critical. The following are my predictions for how email
will continue to be used as a key vector to launch devastating cyberattacks, as
well as the strides that organizations will take to improve email security in
2020.
1. Email security will prove to be the weakest link in election security.
Many elements of election infrastructure are vulnerable to
email-based attacks, as we saw in both 2016 and 2018. This means email
security must be a priority for defending the integrity of the 2020
presidential election. But research shows the majority of U.S. states are
overlooking this vulnerability. Only 5% of email domains associated with
local election officials across the U.S. have deployed Domain-based Message
Authentication, Reporting and Conformance (DMARC) with a policy that is
actually enforced.
DMARC is a widely adopted open standard that lets a domain owner publish,
in DNS, a policy telling receiving mail servers what to do with messages
that claim to come from that domain but fail SPF or DKIM alignment: monitor
them, quarantine them, or reject them outright. At an enforcing policy it
stops exact-domain spoofing, the technique behind a large share of phishing
(it does not address lookalike domains, which is a separate problem). It's
one of the most basic and effective email defenses available, which is why
the Department of Homeland Security mandated it for federal civilian
agencies in 2017 through Binding Operational Directive 18-01. Yet below the
federal level, governments remain vulnerable. In May 2019 we learned that
Russian hackers had breached two county election systems in Florida via a
spear-phishing campaign during the 2016 cycle, and in November 2019 we
learned of a phishing-based ransomware attack on Louisiana state systems
during an election cycle.
Because only a tiny percentage of counties and states have DMARC
configured at an enforcing policy (p=quarantine or p=reject, rather than
the monitoring-only p=none that reports spoofing but blocks nothing),
email remains an easy way in for malicious actors looking to disrupt our
elections.
2. DMARC adoption will grow across industries.
Outside of the government, we'll see a
continued increase in DMARC adoption. The number of domains using DMARC
has grown 5x in the last 3 years. We'll see increased growth across
several verticals in 2020 - especially healthcare and government.
Following the lead of the federal government's civilian branches, the
Department of Defense will soon be requiring all of its domains to enforce
DMARC, resulting in an increase in the number of military domains
protected. H-ISAC, a global nonprofit organization serving the health care
sector, has urged health care
companies to adopt DMARC as part of best practices for securing email, and
as a result we've already seen a rise in adoption rates in this vertical.
This growth will continue throughout 2020.
3. Major brands will lead the way with BIMI.
Brand Indicators for Message Identification (BIMI) is an emerging email
specification that will change the way people interact with their favorite
brands via email. BIMI provides a framework through which an organization
publishes, in DNS, the location of an authorized logo that participating
mailbox providers display in the recipient's inbox alongside mail from that
organization. The logo is shown only for messages that pass DMARC, and only
for domains whose DMARC policy is at enforcement, so BIMI rewards
authentication rather than replacing it. We predict BIMI will grow in
popularity, especially among large enterprises and prominent brands that
rely heavily on the trust and engagement of their customers. In fact,
Google will be launching a BIMI pilot in 2020, which will help spur
adoption. Research by Verizon Media has shown that BIMI can increase open
rates and boost customer engagement, giving marketers a big incentive to
support the DMARC enforcement that is a prerequisite for BIMI.
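Both the enforcement distinction behind the election-domain survey in prediction 1 and the DMARC prerequisite for BIMI above come down to reading a domain's DMARC TXT record correctly. The following is an added example, not code from the author, Valimail, or VMblog: it parses a record as a receiver would, grades it as "none", "monitoring", "partial" or "enforcing", and checks whether it clears the bar BIMI sets. The sample records are constructed and no DNS lookups are made; the BIMI rules encoded in `bimi_ready` are my reading of the BIMI draft (enforcing policy, applied to 100% of mail, no weaker subdomain policy) and should be checked against the current draft before being relied on.

```python
"""Parse DMARC TXT records, grade enforcement, and check the BIMI prerequisite.

Added example; not code from the article's author, Valimail, or VMblog.
SAMPLES is constructed for illustration and nothing is looked up in DNS.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample records, as a TXT lookup of _dmarc.<domain> might return.
SAMPLES: Dict[str, str] = {
    "enforcing.example":  "v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example",
    "monitoring.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example",
    "partial.example":    "v=DMARC1; p=quarantine; pct=20",
    "subdomains.example": "v=DMARC1; p=reject; sp=none",
    "garbled.example":    "p=reject; v=DMARC1",   # v= must come first (RFC 7489)
    "nodmarc.example":    "",                     # nothing published at all
}

ENFORCING = {"quarantine", "reject"}


@dataclass
class DmarcRecord:
    domain: str
    tags: Dict[str, str] = field(default_factory=dict)
    error: Optional[str] = None   # set when a receiver would ignore the record

    @property
    def p(self) -> Optional[str]:
        return self.tags.get("p")

    @property
    def sp(self) -> Optional[str]:
        # RFC 7489: the subdomain policy defaults to p when sp is absent.
        return self.tags.get("sp", self.p)

    @property
    def pct(self) -> int:
        # RFC 7489: pct defaults to 100; parse_dmarc validated it already.
        return int(self.tags.get("pct", "100"))


def parse_dmarc(domain: str, txt: str) -> DmarcRecord:
    """Split a record into tags and flag records a receiver would discard."""
    rec = DmarcRecord(domain)
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts:
        rec.error = "no DMARC record published"
        return rec
    for part in parts:
        if "=" not in part:
            rec.error = f"malformed tag {part!r}"
            return rec
        key, value = (s.strip() for s in part.split("=", 1))
        rec.tags[key.lower()] = value
    # A valid record starts with v=DMARC1 and carries a recognised p tag.
    first_key, first_val = (s.strip() for s in parts[0].split("=", 1))
    if first_key.lower() != "v" or first_val.upper() != "DMARC1":
        rec.error = "v=DMARC1 must be the first tag"
        return rec
    for tag in ("p", "sp"):
        if tag in rec.tags:
            rec.tags[tag] = rec.tags[tag].lower()
    if rec.p not in ("none", *ENFORCING):
        rec.error = f"missing or invalid p tag: {rec.p!r}"
        return rec
    pct = rec.tags.get("pct", "100")
    if not (pct.isdigit() and 0 <= int(pct) <= 100):
        rec.error = f"invalid pct {pct!r}"
        return rec
    return rec


def classify(rec: DmarcRecord) -> str:
    """Grade a record the way the adoption surveys in the article do."""
    if rec.error:
        return "none"          # no usable record: spoofing is not even reported
    if rec.p == "none":
        return "monitoring"    # reports arrive, nothing is blocked
    if rec.pct < 100:
        return "partial"       # policy applied to only a sample of failing mail
    return "enforcing"         # quarantine or reject on all failing mail


def bimi_ready(rec: DmarcRecord) -> Tuple[bool, str]:
    """Assumption: my reading of the BIMI draft's DMARC requirement."""
    if rec.error:
        return False, rec.error
    if rec.p not in ENFORCING:
        return False, f"p={rec.p} does not enforce"
    if rec.pct != 100:
        return False, f"pct={rec.pct} leaves part of the mail stream unenforced"
    if rec.sp not in ENFORCING:
        return False, f"sp={rec.sp} leaves subdomains spoofable"
    return True, "DMARC at enforcement; BIMI prerequisite met"


def survey(records: Dict[str, str]) -> Dict[str, str]:
    """Classify every domain, as a survey across many domains would."""
    return {d: classify(parse_dmarc(d, txt)) for d, txt in records.items()}


if __name__ == "__main__":
    for domain, txt in SAMPLES.items():
        rec = parse_dmarc(domain, txt)
        ok, why = bimi_ready(rec)
        print(f"{domain:20} {classify(rec):10} BIMI-ready={ok}  ({why})")
```

The `partial` and `subdomains` cases are the ones that trip up simple "has a p tag" checks: a `pct` below 100 or an `sp=none` on the organizational domain leaves mail spoofable even though the record looks enforcing at a glance. To use this against live domains, feed the result of a TXT lookup of `_dmarc.<domain>` into `parse_dmarc` in place of the constructed samples.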
4. Ransomware's impact will continue to rise.
Ransomware will continue to plague
organizations with financial losses, both direct and indirect. Most of
these attacks originate via spear phishing, and this will continue to be a
prominent attack method. This tactic has already proven to be costly for
many organizations, including city governments around the U.S. In 2018
alone, the FBI's Internet Crime Complaint Center reported $3.6 million in
direct losses from ransomware complaints, and 2019 is shaping up to be
equally devastating. It's entirely plausible we'll see U.S. losses exceed
$10 million in 2020 from ransom payments alone (not counting the larger
indirect costs of lost business, time, wages, files, equipment, and
third-party remediation services).
About the Author
Peter is an MIT and Stanford trained
technologist who has worked in a variety of software verticals including
security, enterprise, email, and video. He has built products and teams at a
number of large technology companies such as RSA Security and Perot Systems, as
well as at small startups like Tout, Securant, and Swapt.