Valimail 2021 Predictions: Email Security Best Practices for 2021


Industry executives and experts share their predictions for 2021.  Read them in this 13th annual series exclusive.

Email Security Best Practices for 2021

By Alexander García-Tobar, co-founder and CEO, Valimail

2020 has been a most unusual year, with a global pandemic and a contentious U.S. election. At Valimail, our chief concern during this time has been email security: authenticating communications and keeping email a trustworthy channel. This year has served up plenty of lessons for organizations and security professionals. As the Valimail leadership team looks ahead, we recommend the following best practices for email security in 2021 and beyond.

2021 CISO focus

"CISOs will go back to the basics in 2021 and implement security best practices before embarking on more advanced approaches. The fact is that only 10% of enterprise users use multi-factor authentication and less than 20% of companies in most industries are protected with email authentication. Yet, these are basic best practices which are widely acknowledged as highly effective by analysts, security experts and industry consortia.

Additionally, with the increased focus on election security and state actors, C-suite executives need to be better informed on the importance of digital security. To facilitate that, the way security information is relayed will need to improve. Having board members' and executives' eyes glaze over upon hearing the word ‘security’ means we are not speaking their language. In 2021, technology and security professionals need to better translate the benefits of security into not only cost savings but also the fundamental competitive advantages it provides."

A new approach to email security

"We are at a point where criminals have automated phishing. Google reports that typical boutique phishing campaigns last only seven minutes, and there are now nearly infinite sender fraud combinations criminals can - and do - use to modify their attacks in order to evade detection.

In 2021, a zero-trust approach to email security will gain traction - if only out of necessity. A zero-trust approach cuts off impersonation-based phishing attacks entirely by enabling delivery of trusted email senders only. In short, zero-trust focuses on the finite number of good senders as opposed to trying to detect an infinite variety of bad ones.

We need to approach email security differently than we have for the past two decades by building a more effective approach with a secure foundation of zero-trust identity authentication and then layering existing methods (content filtering, end-user training, etc.) on top."

2021 is the time to protect election-related domains

"Our report, 2020 Election Infrastructure Remains Vulnerable to Email Hacking, showed that only 15% of domains for campaigns and PACs are protected from spoofing with DMARC enforcement, and the vast majority of state and local government domains remain unprotected by DMARC enforcement. In 2021, we must prioritize protecting election infrastructure against email-based attacks. Because 2021 is not an election year in the United States, it is an excellent time to prepare our systems before the next midterm elections.

Fortunately, the federal government has provided an excellent model for how to do this with its 2017 DHS directive, BOD 18-01. That directive worked and has resulted in vastly improved email security for the federal government. Now state and local governments must follow suit and the federal government can help by mandating email security best practices and providing a guide, just as it did for federal agencies in 2017."
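Added here as an example, not code from the article or from Valimail: a small Python checker that classifies a domain's published DMARC record by whether it is at enforcement, the measure the report above uses. The domain names and records are constructed, and the DNS TXT lookup for `_dmarc.<domain>` is assumed to have already been done.

```python
# Added example (not Valimail's code): classify DMARC records by enforcement
# level, the measure the report above uses for election-related domains.
from typing import Dict, Optional

def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Split a DMARC TXT record into tag/value pairs; None if it is not DMARC."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None                      # malformed tag-value pair
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def enforcement_level(record: Optional[str]) -> str:
    """Return 'none', 'monitor', 'partial' or 'enforced' for one record."""
    if record is None:
        return "none"                        # no _dmarc TXT record published
    tags = parse_dmarc(record)
    if tags is None:
        return "none"
    if "p" not in tags:
        # RFC 7489 s.6.6.3: no valid p= but a rua= address is treated as p=none
        return "monitor" if "rua" in tags else "none"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor"                     # reports only; spoofed mail still lands
    if policy not in ("quarantine", "reject"):
        return "none"                        # unknown policy value is ignored
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        return "partial"                     # policy applied to a fraction of mail
    if tags.get("sp", policy).lower() == "none":
        return "partial"                     # subdomains remain spoofable
    return "enforced"

SAMPLE_RECORDS: Dict[str, Optional[str]] = {  # constructed _dmarc TXT lookups
    "campaign.example": "v=DMARC1; p=reject; rua=mailto:dmarc@campaign.example",
    "pac.example": "v=DMARC1; p=none; rua=mailto:dmarc@pac.example",
    "county.example": "v=DMARC1; p=quarantine; pct=10",
    "city.example": None,
}

def enforcement_share(records: Dict[str, Optional[str]]) -> float:
    # Fraction of domains at full DMARC enforcement
    levels = [enforcement_level(r) for r in records.values()]
    return levels.count("enforced") / len(levels)
```

A `p=none` record only produces reports, so spoofed mail is still delivered; only `quarantine` or `reject` at `pct=100` with subdomains covered counts as enforcement here.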

Peter Goldstein, co-founder and CTO of Valimail:

AI is not a panacea for email security

"An AI-only approach to email security will never be as effective as a layered approach based on sender identity authentication and strong client authentication for logins (such as multi-factor authentication) complemented by AI analysis. That's because anything you can defend with AI can also be attacked with AI. For instance, an efficient phishing email is indistinguishable on a content basis, and knowledgeable scammers can develop plausible-sounding phishing messages, often without any malicious content, links or attachments that would trigger an AI. An AI tool that only scans email content can easily be misled and allow bad actors through. While AI and machine learning can be important in internal data analysis, they don't - and will never be able to - help organizations establish authentic, good email behavior. We do not anticipate seeing a true AI tool for email security that would ensure 100% protection anytime in the next five years."

Seth Blank, vice president of standards and new technologies at Valimail:

Increase in fraud due to COVID

"COVID-19 increased fraud in 2020 and the problem will only get bigger in 2021. The issue is that people aren't taking fraud seriously enough. Solutions are available but businesses often lack awareness and understanding. People seldom realize fraud is an issue until they are staring down a massive data breach or phishing attack. The only way to change this is to place a priority on fraud detection and protection."

Multi-factor authentication is a must for 2021

"Instituting a multi-factor authentication process will be the next big email security practice to implement in 2021. This means all parties must first confirm their identities through email and then a second time through texts to their phones or preferably with codes from an authentication app or hardware security token. Currently, only some of the biggest companies that send the most emails have multi-factor authentication in place. But these extra levels of security should be built in from day one. If they aren't, people don't want to go back and do extra work to protect themselves and their companies from risk. Security as a whole is a hard thing to talk about because most people don't care about the implications until it is too late and a data breach or phishing attack is upon them."

No Auth/No Entry policy won't exist until 2025

"The email security industry won't see a mandatory ‘No-Auth/No-Entry’ policy until 2025. However, such a policy is the ecosystem's goal. No-Auth/No-Entry means that no mail will be delivered if the source is definitely unknown. In order for an organization to have strong authentication in place, security systems need to know who is trying to email from a domain and if that sender deserves to get through to the inbox. This allows anti-abuse protections to be deployed effectively and regularly until proof the email should be delivered exists.

Unfortunately, we will not reach this point until organizations are given a deadline to require authentication as a mandatory security layer. In other words, if you do not have authentication, you will never get through to the inbox.

While we won't see such a policy until 2025, we can expect other industry leaders to recognize this issue, call for such a policy and truly begin to implement it for new systems in the next 18 months to 2 years. It's in the best interest of the email ecosystem to get a ‘No-Authorization, No-Entry’ policy applied as widely as possible."

About the Author

Alexander García-Tobar is the CEO and co-founder of Valimail. He served as CEO at two previous firms and ran global sales teams for three companies that went IPO. Alexander held analyst and executive positions at leading research companies, such as The Boston Consulting Group and Forrester Research, along with Silicon Valley startups, such as ValiCert, Sygate and SyncTV.

Published Thursday, December 17, 2020 7:40 AM by David Marshall