Seriously?! Can You Not Do That? Chapter V - Careless/Misuse of Corporate Email


By Sean Martin, CISSP

Chapter V | Careless/Misuse Of Corporate Email

Every company, large and small, uses e-mail to communicate. E-mail connects employees with each other, business units with their third-party partners and the supply chain, and sales, marketing and customer service teams with their prospects and customers. It’s so pervasive that one would think there is little to no question about how to safely use this communication medium, right? Not so much. Why? Because e-mail is just one type of data that needs to be protected.

In the simplest terms, there are two different types of data: structured (such as databases) and unstructured (such as proposals, business plans, and … you guessed it, e-mail).

According to GigaTrust, structured data is far easier to secure than unstructured data, which is more susceptible to vulnerabilities and can lead to data breaches. Negligent practices surrounding unstructured data can put everything from business plans to financial information and contracts at risk – oftentimes via e-mail, which is used to share this information with the people who need to read it. And guess what? This challenge isn’t a secret.

“Cybercriminals know that businesses rely heavily on e-mail to communicate, share documents, and conduct business both internally and externally,” says Matthew Gardiner, cybersecurity strategist at Mimecast. “Therefore, it’s no surprise that e-mail continues to be a significant, ongoing vulnerability for businesses.”

When employees are knowingly or unknowingly careless about their e-mail security, they put corporate data at risk in a number of ways.

“Since unstructured data like e-mail is often created by individual employees, these employees are responsible for who to share it with and where to store it,” says Harry Piccariello, Chief Marketing Officer at GigaTrust. “As employees create more and more e-mails (containing documents and other attachments) and they and/or the company fails to track or safeguard them, this becomes a liability and the oversight in managing unstructured data becomes costly. Furthermore, the organization could face legal exposure if data is lost.”

“Cybercriminals can trick employees into sending their own personal data, or in the case of HR and finance departments, employees’ personal data such as birthdays, social security numbers and home addresses,” adds Gardiner. “If hit with ransomware, critical data could be locked up or stolen for ransom. In this case, organizations need to either pay the ransom and hope to get their data back or say goodbye to their data – unless they have proper backup and recovery systems in place.”

Keep in mind, however, that e-mail is often used for far more than communicating with other employees and partners.

“In addition to its traditional use for communications, many employees manage their daily tasks out of their inboxes and are also pressed for time and thus are not as careful as they need to be,” says Gardiner. “But this carelessness can lead to significant security consequences, effectively turning employees into ‘insider threats’.”

What makes this especially troubling is that, according to Mimecast, more than 90 percent of attacks start with e-mail, giving cybercriminals a variety of methods with which they can infiltrate an organization using ransomware and other forms of malware.

“These attacks usually succeed in part by tricking employees into believing the e-mail is from a person or business they are familiar with,” says Gardiner. “All employees, regardless of position or department, must be vigilant about who they open e-mails from, what links they click and what requests for information or action that they respond to.”

In fact, according to a recent report from IRONSCALES, 95 percent of email phishing attacks were highly targeted campaigns, with the majority impersonating internal communications teams or individuals. Further, according to the same report, approximately 77 percent of attacks targeted 10 mailboxes or fewer, allowing attackers to stay under the radar and deliver more tailored, personalized phishing emails.

The risk isn’t limited to business e-mails, suggests endpoint security company Avecto, which recommends that employees avoid using work e-mail accounts for personal purposes such as shopping online. Once a transaction is complete or the employee has signed up to a mailing list, the fun begins.

“These behaviors increase the risk of falling victim to phishing e-mails designed to look like legitimate account activity from online retailers,” says Brian Hanrahan, Product Manager at Avecto. “These e-mails can be very convincing, and prey on the likelihood that you’ve bought something from popular retailers such as Amazon and others to trick you into visiting a website designed to compromise your computer with malware.”

And it’s not just the risk of data loss or theft; an e-mail compromise can have an indirect impact on the business’ operations.

E-mail-based attacks also reduce employee productivity and can cause significant financial damage. How can organizations get a handle on this risk? There are two key angles: the employees creating the data, and the data itself. Starting with the data, GigaTrust suggests investing in safeguards for unstructured data.

“Organizations need to put real-time policies and compliance measures in place and encourage employees to track sensitive data and to keep records, including of those who have access to their documents and where it is being stored,” says Piccariello. “Selecting an endpoint security provider is another way organizations can make sure employees are safely sharing documents.”

Switching over to employees’ use of e-mail, Mimecast suggests that having more aware and careful employees is important.

“In order to combat insider threats, organizations must educate employees on the risks lurking in their inboxes as well as implement technical security controls to help improve the organization’s defenses,” says Gardiner. “When employees know how to avoid e-mail security threats, they help to improve the organization’s ‘human firewall’.”

According to Avecto, employees should be taught to not open links or attachments in e-mails sent to their work account from online retailers and other external sources not related to their work.

“Instead, employees should open up their web browser and go directly to the site’s secure address which will start in HTTPS such as HTTPS://,” adds Hanrahan. “Any discount, offer or problem that is worth the employee’s attention can be addressed directly on the destination website without clicking any link in the e-mail. This eliminates the guessing game of whether the e-mail is legitimate or fraudulent. Of course, reusing passwords across multiple sites only exacerbates this threat further.”

“Having proper backup and recovery systems and processes in place can also help to prevent a major loss of productivity in the case of ransomware or another form of destructive attack,” adds Gardiner.

However, even the solutions traditionally used for email protection are no longer enough to identify modern phishing attacks. According to IRONSCALES’ report, for every 5 brand-spoofing attacks identified by spam filters, approximately 20 spear-phishing attacks bypassed the safeguard and went undetected.

“To defeat email phishing with any regularity requires no gaps in defenses at any stage,” said Eyal Benishti, founder and CEO of IRONSCALES. “Wherever and whenever employee awareness and training falls short, another line of defense must already be present.”

Benishti also suggests that machine learning can supplement human intelligence by learning every employee’s mailbox individually, collecting statistics about the sender, not just based on the volume of emails, but also on the actual correspondent and attachment/link.
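To make the per-mailbox idea concrete, here is an added illustration written for this page; it is not IRONSCALES’ product or any method the article describes in detail, and the class names, thresholds and sample messages are all hypothetical and constructed. Each mailbox keeps its own history of who writes to it, so a first-contact sender is judged against that mailbox’s baseline rather than a global reputation list, and a familiar display name arriving from an address that mailbox has never seen is treated as a possible impersonation.

```python
"""Per-mailbox sender baseline for triaging first-contact e-mails.

Hypothetical illustration (not IRONSCALES code): every mailbox learns its own
correspondents; a new message is scored against that mailbox's history.
All sample messages below are constructed for the example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Message:
    mailbox: str            # recipient mailbox whose baseline applies
    display_name: str       # sender name as shown in the mail client
    from_addr: str          # actual sender address
    has_link: bool = False
    has_attachment: bool = False


@dataclass
class MailboxBaseline:
    """Statistics learned from one employee's inbox."""
    count_by_addr: Counter = field(default_factory=Counter)
    # display name (normalised) -> set of addresses that used that name
    addrs_by_name: dict = field(default_factory=lambda: defaultdict(set))

    def observe(self, msg: Message) -> None:
        addr = msg.from_addr.lower()
        self.count_by_addr[addr] += 1
        self.addrs_by_name[msg.display_name.strip().lower()].add(addr)


class SenderProfiler:
    """Learns a baseline per mailbox and scores new messages against it."""

    def __init__(self) -> None:
        self.baselines = defaultdict(MailboxBaseline)

    def learn(self, history: list) -> None:
        for msg in history:
            self.baselines[msg.mailbox].observe(msg)

    def score(self, msg: Message) -> list:
        """Return human-readable reasons the message deserves attention."""
        base = self.baselines[msg.mailbox]
        addr = msg.from_addr.lower()
        name = msg.display_name.strip().lower()
        reasons = []
        if base.count_by_addr[addr] == 0:          # Counter returns 0, no insert
            reasons.append("first-contact sender for this mailbox")
            known = base.addrs_by_name.get(name, set())
            if known and addr not in known:
                reasons.append(
                    "display name matches known correspondent at "
                    + ", ".join(sorted(known)))
            if msg.has_link or msg.has_attachment:
                reasons.append("unknown sender delivered a link or attachment")
        return reasons

    def verdict(self, msg: Message) -> str:
        """Map reasons to a triage outcome: allow, review or hold."""
        reasons = self.score(msg)
        if any(r.startswith("display name matches") for r in reasons):
            return "hold"        # likely display-name impersonation
        return "review" if reasons else "allow"


def build_demo_profiler() -> SenderProfiler:
    """Constructed history: an accounts-payable mailbox with two regular senders."""
    history = (
        [Message("ap@example.com", "Dana Ortiz", "dana.ortiz@example.com")] * 12
        + [Message("ap@example.com", "Vendor Billing", "billing@vendor-example.net",
                   has_attachment=True)] * 5
    )
    profiler = SenderProfiler()
    profiler.learn(history)
    return profiler


if __name__ == "__main__":
    p = build_demo_profiler()
    for m in (
        Message("ap@example.com", "Dana Ortiz", "dana.ortiz@mail-example.org", has_link=True),
        Message("ap@example.com", "Dana Ortiz", "dana.ortiz@example.com", has_attachment=True),
        Message("ap@example.com", "Newsletter", "news@shop-example.com", has_link=True),
    ):
        print(p.verdict(m), "-", m.from_addr, "-", "; ".join(p.score(m)) or "no findings")
```

The baseline is deliberately per mailbox: the same external address can be routine for one employee and a first contact for another, which is exactly the distinction a global blocklist cannot make. A production version would add sender-domain statistics, decay old observations, and feed the "hold" outcome into a review queue rather than a print statement.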

It’s clear that to get a handle on this risk, IT professionals must treat unstructured data such as e-mail as a top priority. Implementing real-time policies, compliance measures, an endpoint security provider, and employee awareness and best practices will help prevent an e-mail compromise and thus significant financial damage to a business.

Employee misuse of work e-mail is not just a mere annoyance – employees may actually be giving attackers direct access to corporate assets by exposing resources externally.

Return to the series overview to get notified of the next installment in this series…via—you guessed it—e-mail.
