Email Security in the cloud: Office365 and Google Workplace
Senior Cloud Security Consultant
Article published 27 April 2021
The importance of email in today’s world is undeniable as many of us still work daily from an inbox of tasks and communications with different teams, departments, clients, or partners. But if email use is straightforward, how straightforward is email security? And how do businesses address email security when using Cloud-based productivity tools such as Microsoft Office 365?
Cyber criminals are now taking a people centric approach to phishing attacks. How has Proofpoint seen this change and what are the main implications?
It’s interesting what is happening in the world now and the way that it has impacted a lot of the threats that organizations face. If you think about it, most organizations already have some form of email security. What IT security professionals have traditionally done is, if a customer has a mail server, a security product would be placed in front of it, i.e. an email gateway that sits in front of the email server.
With businesses making the shift away from on-premise servers to the cloud (with the rise of remote working due to the COVID-19 pandemic), users are now, more than ever using cloud platforms like Google Workplace; Office 365 or others. Generally, these platforms already have some form of email security following the traditional principle of a using a gateway in front of their email system, but interestingly, attackers, don’t necessarily work to that type of model.
What we have seen is attackers are now thinking about people rather than the servers. They are no longer thinking about attacking an email server, they are thinking about attacking a target, looking them up on LinkedIn and exploring them that way.
If attackers are now looking at a different way to target business and current email server solutions only offer standard security options, how can busines stay secure?
Best way to answer is to first characterize the problem and identify the challenges people are facing. Many organizations have likely made the switch to Google Workplace or Office 365 and as said before, these would already include some form of email security to get rid of spam and virus. But what we, at Proofpoint, have seen is that organizations still run into challenges in defending their people because they have no visibility into the threats that their employees are being targeted with.
In our “2021 ‘State of the Phish’ report” we’ve seen that more than 60 million simulated phishing attacks were sent to Proofpoint customers over a one-year period. These malicious messages were either in the email itself, launched through Office 365 or similar platforms, or contained a malicious URL that was hosted within these platforms.
The same way that organizations have shifted to the cloud, so did attackers, and they are now leveraging these platforms to improve the effectiveness of their attacks. It then becomes important to look at security from the outside-in, asking how organizations can better protect their people and what organizations would need to do on top of the standard security offered by these platforms.
According to a recent Gartner report, only 10% of security spending is being spent on email security and 96% of security breaches start with attacks targeting people via email. Do you think security spending on email should be increased based on this data?
It’s certainly disproportionate. However, it is not always true that by increasing spend organizations will increase protection, in some cases they may decrease spend and still ensure protection. It is dependent on what organizations are looking for and it actually brings us to the initial point where: if organizations can’t see the threats how do they know what to look for in terms of security spend and what best technology to use to reduce it. If organizations have no metrics how can they assess efficacy?
Also, speaking to recent statistics mentioned there is a certain type of email threat has become very prevalent over the last years which is business email compromise leading into an increasing number of financial losses. This highlights the need for businesses to ensure their organization’s emails are secured across the entire organization.
One other big part to email security is ensuring that employees are aware of malicious emails and the threats they may be exposed to. What are your thoughts on employee training?
A lot of organizations that we speak to in terms of email security awareness mention a yearly training program. For some organizations, these yearly refresher training programs might be the full extent of their email security knowledge which is quite frightening. But equally we’ve seen people investing in other tools like phishing simulation which is a great way to keep businesses and employees ‘on their toes’.
The biggest challenges we see with this is on how to make email security awareness more effective for organizations. What we found is to take the visibility awareness our platform allows us to demonstrate the types of people and threats organizations are exposed to every day. We can even use this information to develop risk scores and apply these in tailored training routines, for example if someone in finance is getting targeted with supplier invoicing fraud, we can focus our training in that situation. This to say that yes, security awareness training is key in reducing the risk, but linked to the actual threat.
There are some steps that organizations can take to improve their current email security. What would you suggest are the key steps organizations should consider today?
Attackers are always going to target employee’s accounts, so the first step is to ensure accounts are secured. Multi-Factor Authentication (MFA) or similar tactics are a great way to secure your account to avoid attacker’s access. Also, disabling legacy protocols, like IMAP on Office 365, if users still have IMAP on it won’t support multi-factor becoming a great target for attackers to do credentials brute force attacks. This then leads you to the natural extension of email security which is being able to monitor your accounts for fraudulent activities, looking at who is logging in to that account and from where and assessing if that looks suspicious.
Where do you see the future of email and email security?
I feel email itself will not go away. Yes, we may use other channels, such as Teams, Slack or others, and clearly there is a space for security in those channels as well, but email isn’t going away anytime soon and the types of attacks on email are constantly evolving.
At Proofpoint, we have placed a lot of efforts to be ahead of these new attacks and gain intelligence that feeds into our strategies. Being able to get visibility is key to prevent and manage attacks. Also, we are now almost to a point where email security isn’t just email it is now threat security which ties in cloud security with Office 365, Google Workplace, and other platforms. The shift has focused from protecting email to protecting people.
Proofpoint is a BSI trusted technology partner focusing on advanced email security protecting organizations from today’s most sophisticated attacks. Find out more about Proofpoint capabilities here.
About the authors:
Senior Cloud Security Consultant for Data Management Security Technology at BSI
Harshad is a highly experienced cloud security consultant with a demonstrable track record in cloud and cyber security consulting, end user awareness and providing security expertise on cloud based development and deployment in various sectors. Harshad has an MBA in Cloud Computing and holds CISSP®, CCSK®, PRINCE2® and multiple other leading vendor certifications.
EMEA Cybersecurity Strategist at Proofpoint
Matt Cooke is a Cybersecurity Strategist at Proofpoint, where he drives product marketing strategy across the EMEA region. He provides expertise on key regional cybersecurity strategies such as people-centric security, security awareness, risk management and insider threats.
Matt has 20+ years of experience in hands-on technical and strategic marketing roles within IT teams and security vendors. Prior to joining Proofpoint, he was Director of Product Marketing at Sophos, following a senior product marketing role at Symantec, as well as additional product-focused roles at IT organisations.
Matt holds a Certified Information Systems Security Professional (CISSP) certification and has a passion for making cybersecurity accessible and relevant to everyone.