Last year, spam turned 40. Yes, it was back in 1978 that Gary Thuerk, a marketing manager with Digital Equipment Corporation, sent the first spam message to 393 people on the original ARPANET to market a new product. It’ll come as no surprise that this message was about as well-received as much of today’s spam. Thuerk was given a stiff reprimand and told not to do it again.
If only it were that simple today. Forty years on, spam has grown exponentially in prevalence, inundating our inboxes with unwanted offers for pharmaceuticals, diet products, and job opportunities. Not only that, but it’s been joined by its far more dangerous cousins, phishing and malware. Phishing was first conceived more than 30 years ago, and malware also has a decades-long history of email distribution.
Today, the sad fact is a lot of emails are unwanted spam and worse. The volume is staggering—85 percent of all email in April 2019 was spam, according to Talos Intelligence. The volume of unwanted email is on the rise too; spam hit a 15-month high in April.
You could argue that email is structured in an almost ideal format for scammers. Email forces the user to read and make assessments about what they receive and then make decisions as to what they open or click as a result. Just the right amount of social engineering, exploiting the individual’s good nature, can push the user to action.
It’s this social engineering that not only makes it an enticing delivery vector, but also so challenging to systematically defend. Rarely, if ever, does an email-borne attack bypass the user. While things like URLs leading to compromised or malicious web sites utilizing exploit kits are common, they still rely on coercing the user into clicking on a link in an email first.
No wonder email is one of the primary challenges that keep CISOs up at night. In our most recent CISO Benchmark Study, we learned that 56 percent of CISOs surveyed felt that defending against user behaviors, such as clicking a malicious link in an email, is very or extremely challenging. This ranks higher than any other security concern surveyed—higher than data in the public cloud, and higher than mobile device use.
It’s also the frequency of such attack attempts that draws the attention of CISOs. For instance, 42 percent of CISOs surveyed dealt with a security incident that manifested as the result of a malicious spam email being opened within their organization. Thirty-six percent dealt with a similar incident as the result of details stolen from a phishing attack. According to our CISO Benchmark data, CISOs consider email threats to be the number one security risk to their organizations.
In a separate study, commissioned by Cisco and carried out by ESG in 2018, 70 percent of respondents reported that protecting against email threats is becoming more difficult. In terms of the consequences of email-borne attacks, 75 percent of respondents said they experienced significant operational impacts and 47 percent reported significant financial impacts.
How do you secure something that’s both a necessity and a risk at the same time? For many organizations, the move to the cloud has been viewed as a solution. However, the cloud is no silver bullet against the dangers of email. In more cases than not, it’s simply kicking the can down the road. The security issues don’t go away, but rather persist. There are several ways you can minimize the impact email threats have overall. In this paper, we’ll discuss the current threat landscape, providing an overview of the most common email attack types today. We’ll break down how they play out, their goals, and the infrastructure behind them. We’ll discuss what you can do to keep your business safe, as well as how to identify email-borne threats when your users encounter them.