Virtualization Technology News and Information
Email Security: A Critical Need for Protecting Vital Information

By Alexander García-Tobar, CEO and co-founder, Valimail

In October, we recognize Cybersecurity Awareness Month. While big stories about major attacks disrupting networks and utility services - or hacks into major brands' databases to steal sensitive information - make the news, cybersecurity coverage rarely calls attention to the serious threat posed by email phishing.

And yet over three billion spoofing emails arrive in people's mailboxes each day. About one in every 100 emails, however seemingly innocent, contains a phishing or spoofing attack. These fraudulent phishing emails leave businesses and consumers vulnerable to hacking and identity theft.

It should go without saying that because email's mission-critical role makes it a popular target for fraudsters and cybercriminals, organizations should take more steps to strengthen it against attack. Email platforms' built-in security measures are rarely enough to protect them from social engineering attacks.

Email's weakest link? People.

Many cybercriminals choose email as their preferred method of attack because humans tend to make easy targets. They make mistakes and can be careless. They use personal instead of company email addresses for business communications. Some are easy to trick with spoofing emails impersonating their supervisor. While newer technologies to thwart attacks are always coming online, spammers and hackers also evolve their techniques to keep pace. Finally, business email platforms tend to lack adequate security - it becomes all too easy for those with malicious intent to find and exploit vulnerabilities.

The pandemic forced companies to pivot their workforces to an entirely virtual environment. Even as the pandemic ebbs, many employees will continue to work remotely, either full- or part-time. But this approach to work opens up other cybersecurity vulnerabilities, especially if employees use their own devices to complete work.

Email threat landscape

Hackers employ a wide range of attack vectors when they're targeting email systems, including:

  • Identity theft - Cybercriminals steal personal information - addresses, birthdates, names, passwords, social security numbers, etc. - to use for malicious purposes.
  • Phishing - Cybercriminals send deceptive emails - or send unsuspecting recipients to websites specifically created to "mine" personal information. Emails appearing authentic trick unwitting recipients into downloading attachments or clicking links designed to gather information.
  • Ransomware - Email has become a favorite delivery strategy for ransomware, which encrypts computer systems or files until the victim pays a ransom to the cybercriminal.
  • Spam - While most "bad" emails are unsolicited junk mail or spam, small- to medium-sized businesses (SMBs) struggle to manage unrequested (and unwelcome) emails containing malware attachments or malicious links.

Because a majority of these emails rely on impersonation - and recipients' low awareness of the potential threat they carry - domain-based message authentication, reporting and conformance (DMARC) enforcement offers the most effective protection against phishing and BEC attacks.

Shore up email defense with DMARC

The DMARC specification was first published in January 2012. Its goal? To prevent email abuse. DMARC includes a set of protocols to tell email receivers how to handle emails that have failed DMARC checks. The three DMARC policies are monitor (p=none), quarantine (p=quarantine) and reject (p=reject).

Email receivers verify whether incoming messages pass DKIM and/or SPF checks aligned with the sending domain. Once a message is classified as DMARC compliant (an authentic email) or DMARC failed (spam or phishing, for example), the system routes it according to the set policy.

Increased federal enforcement measures

The US government has recognized the critical need to strengthen cybersecurity. Cyber threats have the potential to affect every aspect of individual people's lives, communities, and companies or businesses. These threats stem from internal and external sources. During the SolarWinds attack, which started as early as 2019 but wasn't discovered until late 2020, Russia's intelligence agency, S.V.R., targeted federal agencies, including the State Department, Department of Homeland Security, and parts of the Pentagon.

A statement released by the current administration at the start of Cybersecurity Awareness Month highlighted a renewed commitment to and focus on cyber threats. In addition to a May executive order issued for modernizing the country's cyber defenses, the administration seeks to:

  • Shore up critical infrastructure against cyberattacks.
  • Disrupt ransomware networks.
  • Establish and promote clear rules for all nations.
  • Hold accountable any who threaten the security.

Securing email against cyberattacks

But where does DMARC fit into this role? While the U.S. federal government may lag behind in many aspects of cybersecurity, 92% of federal email DMARC records are at enforcement. And according to our data, which we've tracked and published since 2017, over one million domains have published DMARC records. But of those domains, only 13.9% have DMARC enforcement policies in place. Overall average enforcement rates remain low:

  • 22% of top retailers.
  • 36% of large banks.
  • 30% of the Fortune 500.

In addition to spearheading Hosted DMARC in 2015, our company continues to be a leading voice for BIMI or Brand Indicators for Message Identification, a global standard designed to help marketers bring their brand into the inbox in exchange for following security best practices. BIMI leverages DMARC Enforcement (setting a domain's policy to reject or quarantine) to ensure logos can only appear on legitimate emails from their own domains. Supporting mailbox providers (MBPs) check the DMARC policy of the sending domain and verify its inclusion in the BIMI validation.

No one wants to fall victim to a data breach, ransomware or other cyber attack. Because email remains an indispensable communications tool for individuals and organizations within the public, private and government sectors, it remains a challenge to protect from constantly evolving threats.

A lack of robust built-in security on email platforms requires outside protection from cybercriminals. Companies should include DMARC as a key component of their brands' email security and deliverability strategies. It enables visibility, brand protection and security.



Alexander García-Tobar 

A serial entrepreneur and global executive, Alexander has been CEO at two previous firms and has run global sales teams for three companies that went IPO. He held analyst and executive positions at leading research companies such as The Boston Consulting Group and Forrester Research along with Silicon Valley startups such as ValiCert, Sygate, and SyncTV.

Published Monday, November 01, 2021 7:30 AM by David Marshall