With a sizable chunk of the workforce shifting to remote work in 2020, cloud services usage has spiked, a trend that will continue in 2021. Investment in IT cybersecurity overall has grown as well, and we’ve seen a large uptick in spending on Cloud Access Security Brokers (CASBs), secure access cloud services, DLP, and endpoint security. Despite these positive signs, a theme I still see repeatedly is the near-universal lack of focus on cloud email security.
Organizations often fall short with email hygiene in the same few areas: over-reliance on unspecialized platforms, lack of investment – in both time and budget, and over-prioritizing the end-user experience.
The fact is the majority of threats to organizations still arrive by email. Many of the high profile attacks and breaches of the last few years started with spear phishing or a user who was compromised via an email attack (e.g., the infamous 2016 US election campaign attacks). Compromising end users and their credentials in this way is low tech and low skill for an attacker, while giving the benefits of credentialed access and persistence within an organization’s network – bypassing many controls put in place for other, more advanced techniques. Worse, these emails are frequently crafted individually for a single target. It only takes one such email slipping through the sea of messages to lead to these devastating outcomes.
Consider for a moment the popular analogy of a medieval castle or fortress often used to represent the layered defenses of an organization. A company may have very robust defense-in-depth on their network, on their endpoint, or on their infrastructure, but however good these internal controls and defenses may be, if the drawbridge isn’t up and the gates are open, an organization is increasing their reliance on those same controls and setting up for potential singular points of failure.
How can the administrator or IT professional avoid problematic configurations or postures that can leave the drawbridge stuck in the down position?
I spend a lot of time working with organizations to improve their email hygiene. It usually boils down to the same few things: overreliance on unspecialized platforms, lack of investment, and overprioritizing end-user experience.
With the accelerated move to cloud services to accommodate remote work, many companies have not updated their email security posture to match, especially for hosted email. Instead, they rely on the cloud email host’s inbuilt security technology. While the popular cloud email host platforms conduct some mail filtering, they are by no means specialized or hardened from a security perspective, especially out of the box. I have lost count of the number of organizations that have dropped their on-premises email hygiene services when moving to the cloud, only to realize later that they do need more robust protection. More often, that realization happens after a high-profile security incident has occurred. While moving to the cloud for your email solution undoubtedly brings savings and efficiencies, it is important to maintain your security posture and capabilities. A castle with an open front gate isn’t very well protected, however strong its walls may be.
Regarding the lack of investment, I don’t just mean in the purely financial sense, although that is certainly a component of it. It’s the frequent lack of investment in time, whether it’s the focus on day-to-day tactical concerns, or the diligence required for a broader email security strategy.
Despite its pervasiveness for business, email and its associated security controls don’t seem to get the same level of care and feeding that other security controls or technologies get. As a result, protection suffers. Does your organization have a documented change control procedure for exceptions to email filtering? How often are those entries reviewed? Can you say how many emails are captured as being malicious in a given week? Who are the valid third parties permitted to send on behalf of your organization? These are the questions that the security team should be asking to ensure they are investing in appropriate care and feeding of their email environment. Email may not have the same exciting appeal as other areas, but benign neglect of email services is exceedingly dangerous.
Far more than any other reason, the thread that ties many of these problem configurations together is the over-prioritization of the end-user experience. Despite email security often being overlooked at budget time, it’s the most visible service to end users and non-IT staff. This, combined with its mission-critical status to most organizations, leads to much trepidation when making any changes or adding controls that could adversely impact that end-user experience. For instance, I often see requests or orders from the business or non-IT units to make filtering exceptions for a sender or organization, “just in case there are any problems.” Note that it is not in response to an actual issue, but in case there is an issue. Without pushback from the security team, these one-off entries that bypass controls can quickly turn into a culture with expectations of bypassing controls. This frequently backfires when the wrong email is let through or leads to a breach, and the security team winds up being blamed. Other common symptoms of this problem are resistance to multi-factor authentication or to implementing controls on cloud web access to email for no legitimate reason – merely because the necessary controls may irritate end users. Concerned administrators should push back on this, of course.
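As an added illustration of the review questions and the exception-creep problem above (this is not code from the original post or from Enterprise Studio), here is a small audit of a constructed mail-filter exception export: it flags entries with no change ticket, a “just in case” justification, a whole-domain bypass, or no review within 90 days. The column names, the sample rows and the 90-day review window are assumptions.

```python
"""Audit a mail-filter exception (allow) list for missing change control."""
import csv
import io
from datetime import date

# Constructed sample export (assumed column layout, not a real product's format).
EXCEPTION_EXPORT = """sender,added,ticket,justification,last_reviewed
billing@vendor-a.example,2020-03-02,CHG-1041,invoice flow validated with AP,2020-11-15
*@partner-b.example,2020-06-18,,just in case there are any problems,
ceo@freemail.example,2020-09-01,CHG-1203,exec personal account,2020-09-01
noreply@saas-c.example,2020-12-01,CHG-1310,ticketing system alerts,2020-12-01
"""

REVIEW_WINDOW_DAYS = 90  # assumed policy: every exception is re-justified quarterly


def audit_exceptions(export_text, today_iso, window_days=REVIEW_WINDOW_DAYS):
    """Return {sender: [findings]} for entries that need attention.

    today_iso is an ISO date string (e.g. "2021-01-15") so the audit is
    reproducible; entries with no findings are omitted from the result.
    """
    today = date.fromisoformat(today_iso)
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        sender = row["sender"]
        issues = []
        if not row["ticket"]:
            issues.append("no change ticket")
        if "just in case" in row["justification"].lower():
            issues.append("speculative justification, no actual issue")
        if sender.startswith("*@"):
            issues.append("whole-domain bypass")
        # An entry that was never reviewed is as old as the day it was added.
        reviewed = row["last_reviewed"] or row["added"]
        age_days = (today - date.fromisoformat(reviewed)).days
        if age_days > window_days:
            issues.append(f"not reviewed in {age_days} days")
        if issues:
            findings[sender] = issues
    return findings


if __name__ == "__main__":
    for sender, issues in audit_exceptions(EXCEPTION_EXPORT, "2021-01-15").items():
        print(f"{sender}: {'; '.join(issues)}")
```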
While by no means an exhaustive list of problems or concerns, the examples above remain the most common pitfalls in administering and securing your email platform. These apply regardless of whether the email service is on-premises, cloud-based or in a hybrid environment. I hope that more organizations begin to see email security as more than a necessary evil or a cost of doing business. Instead, it should be seen for what it really is: the first and best line of defense.
- Ensure that your cloud email environment receives appropriate ‘care and feeding’, both as time and financial investment, to truly understand and optimize your email security posture.
- Cloud email services alone generally do not provide enough security filtering, especially out of the box. Consider using a dedicated cybersecurity solution for your email hygiene.
- Don’t let end-user experience override legitimate security concerns or protections, or one-off bypasses turn your fortress walls into Swiss cheese.
About Enterprise Studio
Enterprise Studio by HCL Technologies helps organizations make the connections between IT and business that optimize time and multiply value for realizing the full potential of their digital business plans. Our seasoned technologists, coaches, and educators can help you unlock value from existing IT investments to become a stronger, more adaptive organization – in part by leveraging a BizOps approach so that IT outputs are strongly linked to business outcomes.
Whether you’re an established Global 500 company or a new disruptive force in your industry, we can help you navigate complexities that come with competing in an inter-connected digital era. We are a global solution provider and Tier 1 global value-added reseller of Broadcom CA Technologies and Symantec enterprise software.
Many of our experts at Enterprise Studio are from the former professional services units of CA Technologies and Symantec. For decades, our teams have supported and led organizations to innovation with powerful enterprise software solutions and cutting-edge methodologies – from business and agile management to security, DevOps, AIOps, and automation.