Email – No longer set and forget.

Email borne threats have increased exponentially over the last decade. Our dependence on the humble email has fundamentally changed the way we do business.  The Radicati Group in their latest Email Statistics Report indicates that there are approximately 3.8 billion email users in 2018 that send close to 282 billion emails per day. From the outset of its introduction in the 1990’s, cyber criminals saw email as an exceptionally easy method of breaching an organization’s environment. Spam, spear phishing, and malware are delivered via email.

The importance of email to business also changed dramatically. In the early 2000’s, email was an important business tool, primarily used for internal communication. Back then, organizations were less dependent on email’s availability than they are today. Today, communication to external businesses and customers is equally as important for order placement, loyalty programs, surveys and many more uses.

Today’s business environment suggests that email can no longer be a set and forget system as it was in the past. My golden rules for the protection of your email channel are listed below.

1. Broad email stakeholders – External customers and other businesses are equally as important to internal employees – if not more !! The ICT team, marketing and the operations team must work together as email is and will be in the foreseeable future the main medium of exchange with all stakeholders. ​ 2. Identify and list authorized senders – SPF and DKIM, introduced between 2005-07 as simple email-validation tools, are an integral aspect of your domain’s DNS and are designed to detect fake emails. In fact, it is surprising at the lack of deployment of SPF and DKIM historically  but even more troubling are current trends of deployment of these mechanisms with simple configuration errors that actually make them unusable by the receiving email platforms. Implement SPF and DKIM records.     

3. Implement DMARC – Domain-based Message Authentication, Reporting & Conformance”. DMARC protects against email domain spoofing that is typically used against your employees in CEO email fraud, spear phishing and also against your customers with spam and phishing emails. Don’t believe that you need it ?

DMARC can be considered an umbrella mechanism, as it checks for alignment with SPF and DKIM. Similarly with SPF, deployment is initiated by creating a text record in your DNS. For those organizations without SPF records, DMARC would be an excellent starting point as it will identify ALL sources of your email domains, providing you an initial list for the SPF record. Additionally, DMARC enhances the protection offered by platforms such as Symantec’s Messagelabs, by identifying emails that SPF misses – refer to a previous blog post – The Fundamental Flaw in Email.

4. Test and Report – Identify correct operation of the SPF, DKIM and DMARC records. Review the authorized email senders and their volumes and also the identified threat from un-authorized users of your email domains. There are many organizations with SPF and DMARC records that are in error state due to misconfigurations. An excellent dashboard that identifies these issues aswell as displaying some information on the email volumes is dmarcian’s DMARC Manager.

5. Implement cloud based email secure gateway. Many organizations deploy cloud based email secure gateways that provide the initial email filtering before email enters an organizations environment. Most importantly these platforms should be DMARC compliant.

6. Initiate Security Awareness Training – training your employees to identify what is a real email versus a fake one, could save your organization from financial loss, or even an awkward public acknowledgement of a security breach. Building a human firewall is the last layer of defence against cyber criminals targeting your organization. Security Awareness Training will provide you with the highest return of your overall security spending.

Although this is by no means a comprehensive list, I would classify these points as the neglected aspects of any deployed security controls.

​by Con Lokos