EMAIL SECURITY:
The Good, The Bad and the Ugly
Shaun McKay, Consulting CIO
With phishing attempts spiralling by a reported 600%, and with attackers successfully destroying the reputations of businesses large and small by breaking into accounts and stealing data and cash, you could be forgiven for thinking we were back in the Wild West.

According to Internet records, the first recorded mention of the term “phishing” occurred on January 2, 1996, in a Usenet newsgroup called AOHell.


The word was coined by hackers stealing America Online accounts and passwords. By analogy with the sport of angling, these Internet scammers were using e-mail lures, setting out hooks to "fish" for passwords and financial data from the "sea" of Internet users.

Since then, and 25 years on in cyber years, you’d need to have been on another planet not to have heard the term and not to have some level of protection in place for your organisation.

The Good

We good guys in cybersecurity teams know a thing or two about phishing. Most have deployed solutions that improve their security, educate their staff, save IT admin time and reduce the risk of data theft.

Hackers have moved on from the gunslingers of old but, scarily, the results can be just as devastating. Pulling off the ideal hack can take months, if not years, of gathering data. Your own business may not even be the target, yet it may be merely facilitating someone else’s hack because it’s a weak link.

Just as hackers have moved on, so has technology. In the life of a busy cybersecurity team with so many projects on the go, it’s easy to put a tick in the “renew” box without checking to see if you’re getting the best security for your organisation – let alone the most competitive rate. In a highly competitive market, what seemed like a great deal 3 years ago could be very light on the right feature set today.

Social engineering is big business so hackers look for weaknesses in markets. This has been highlighted especially over the past year during the pandemic with new breaches in a wide range of sectors happening with increasing frequency.

Finding an email security provider that understands the needs of the sector you’re in is extremely important. One size doesn’t fit all and finding a supplier with the right credentials and industry knowledge who can tailor their solution to meet the needs of the business - at a compelling price point - is the key.

The Bad

Yes, of course, you should be worried about hackers impersonating huge organisations such as the World Health Organisation and HMRC, but it’s just as likely they’ll take on the persona of a Chief Executive, Head of Department, or someone you deal with regularly such as a supplier. And they’re unlikely to present themselves in cowboy boots and Stetson, so appearance isn’t everything.

Attacks can take many forms and continually become more diverse. The aim remains the same – it’s always to steal credentials by posing as an authorised individual. Now attackers go even further and combine email, phone and text messages, with cybercriminals going to the trouble of learning a little about their targets before reaching out.

This is why spear phishing has turned out to be lucrative for those who carry it out. These tailored attacks require more individualised web pages than the broad-brush attacks that preceded them, further fuelling the massive rise in successful attacks.

Shortcodes and HTTPS also make it easier to land a successful phishing attack. Shortcodes obscure destination URLs, and inspecting the destination URL is one of the recommended ways to check if a link is legit. HTTPS encryption protocols make it easier to hide malicious content on benign domains, which may prompt a site visitor to let their guard down.

The cues behind any ‘double-take before clicking’ that savvy users had started to do are becoming all but impossible to spot.

The Ugly (and very questionable quality of some email security solutions)

Not all email security solutions are created equal and sometimes all is not what it seems - even with some of the biggest brand solutions. I won’t go into the high-profile breaches that have occurred this year alone – they are well documented for anyone wishing to do their research.

Getting the balance right between features and cost is even more important when security teams face extra challenges following the exodus to home-working. If an email solution is feature-rich it can be cost-prohibitive. Businesses then make stark choices which leave them exposed.

The Showdown

You can have it all, and every good movie loves to keep its audience guessing until the very end. The ‘Mexican Standoff’ near the close of TGTB&TU is no different. There’s a sense of suspense around the spiralling numbers of attacks vs the cost of doing everything businesses can to combat a worsening situation. The emphasis this year more than any other should be on being able to do more for less.

Do more for less

The key thing here is to note that the majority of email security solutions on the market have a modular licensing system that charges for each feature separately (Phishing, URL scanning, BEC, AV etc). This all starts to mount up when you realise you need encryption and archiving too.

The market is changing all the time and my advice would be to review any security requirements regularly and be ready to make the switch if there’s a better deal well before the renewal becomes due. Going with existing suppliers is the easy option when faced with staff constraints, but you could be missing out on better features or cost savings.

Shaun McKay, Consulting CIO
During my time at Everyman Cinemas, we went through a robust due diligence process. At the time, Libraesva weren’t the most obvious choice and not the biggest brand. However, after rigorous testing, they outperformed the hands of their rivals and offered significant cost savings (we achieved the 30-50% saving they claimed we would against other solutions).

Download our ‘Email Security’ infographic

With the risks increasing, download this simple to use infographic that will help your team understand more about those risks and how to avoid them.

Watch the Video

Join Shaun McKay, a CIO with a breadth of experience across the technology sector discussing his email security experiences.

ON-DEMAND WEBINAR: The Good, The Bad and The Ugly of eMail Security, with Shaun McKay

There’s a lot of talk about the challenges of email security and how best to address them. Our aim is to share our experiences across a number of key sectors through your eyes.

Shaun McKay, a CIO with a breadth of experience across the technology sector, will talk about his email security experiences, referencing companies like Everyman Cinemas, South Eastern Railways, Trespass, Coleg Gwent and a host of others. He’s seen the good, bad and the ugly, so he’s well placed to give an insight into how best to avoid the ugly and keep the bad out.

In our session, Shaun will:

  • Explain how some of these companies selected the right solution for them
  • Explore how to prioritise security challenges when selecting an email security solution
  • Discuss trends, innovations and peer projections as to the changes we can expect, or are already experiencing, and what that means for IT professionals in the sector

We hope you will join our event. Spaces are usually in high demand so please make sure you register early.

Shaun McKay on Transport

"Attacks on critical infrastructure disrupt the country and public services causing reputational damage to Governments and their Departments"

Challenges faced

High-value assets

  • Customer Data
  • Billing information
  • Banking details

Regulation

  • Obligations beyond email (GDPR, Cyber Essentials & PCI DSS)
  • Heavily regulated by ICO and DoT
  • Significant penalties for non-compliance & data breaches

Day to Day

  • Large, non-technical user base
  • Email is #1 preferred contact method
  • A high degree of complexity with a number of different technologies in the mail flow

Shaun McKay on Education

"Identified as a significant target area for cybercriminals as it’s a soft target recognised for paying demands to avoid reputational damage"

Challenges faced

Data

  • Highly sensitive personal data
  • Significant public responsibility for security and a PR risk when it goes wrong
  • Growing dependency on online data

Diverse users

  • Nature and level of sophistication enhances the risk of user-based breaches

Technical limitations and dependencies

  • Budgetary limitations
  • Adoption of MVP solutions (e.g. Microsoft 365)
  • Limited resource
  • Obligations beyond email security platforms (archiving and encryption)

Shaun McKay on Public Sector

"National and local government face disruption when attacks occur on critical infrastructure as they have the potential to disrupt the whole country and its public services"

Challenges faced

Data

  • Highly sensitive personal data
  • Significant public responsibility for security and a PR risk when it goes wrong
  • Significant regulatory and compliance obligations

Diverse user base

  • Work with external organisations where security is not as robust

Technical limitations and dependencies

  • Budgetary limitations
  • Adoption of MVP solutions (e.g. Microsoft 365)
  • Limited resource
  • Nationally defined frameworks
  • Obligations beyond email security platforms (archiving, encryption)