For email, the zero-trust model means not allowing delivery of messages unless they originate from a sender who can be authenticated. Alexander García-Tobar, CEO at Valimail, discusses how by adding a zero-trust layer to existing email security, you don’t have to worry about finding, analyzing, or scoring the infinite variety of possible malicious senders.
Over 4 billion emails fly through cyberspace each month. In the U.S. alone, more than 90% of people polled in a recent survey use email. The world has over 5 billion active email accounts. That’s one out of two people who have and use email regularly, with people owning an average of 1.75 email accounts.
Email use shows no sign of decreasing, either. The social media giants once thought to bring the “death of email” have continued expanding its use by sending billions of emails per day. Ecommerce and the security chain also use email to confirm purchases, facilitate password resets and send automated responses to questions.
While its use has continued shrinking in C2C because of increased social media and texting, email’s use continues to grow in B2B and B2C. It has moved from a mere communications platform to become a more vital part of e-commerce, with marketing, receipts, reminders, password resets, and more. This extension makes sense because email is the only widespread neutral communications platform, with no single owner. It stretches across organizations, countries, and cultures.
This explosion of email, and its neutrality, is also a curse: it invites many opportunities for fraud, primarily in the form of phishing. Phishing attacks have grown, evolved and matured over time, becoming more intelligent and more insidious. Phishing is 45 times more dangerous than data exposure, and Gmail blocks more than 100 million phishing emails every day.
We need to do more. By adding a zero-trust layer to existing email security, we can vastly expand our anti-phishing capabilities. Implementing a zero-trust policy for email security:
- Protects companies both inside and outside their networks
- Stops brand abuse
- Improves compliance
- Increases deliverability
We need it now.
Phishing by the Numbers
Is phishing really that bad? Yes. And the problem’s size and scope are growing. Consider these statistics:
- 90% of cyberattacks start with a phishing campaign
- 62.4% of organizations were affected by ransomware in 2020
- 6 billion phishing attacks are anticipated in 2022
- 97% of people are unable to identify phishing scams accurately
- 30% of phishing messages are opened
A New Approach To Defending Against Phishing
Today’s lack of zero-trust in email allows criminals to send messages impersonating someone else. It’s email’s biggest weakness. In fact, 89% of all phishing attacks share a common characteristic and goal: impersonating someone else to gain access to sensitive information or technology.
Unfortunately, malicious actors have also enhanced their attack strategies to avoid detection by email content-scanning alarms. With no apparent, identifiable harmful content, these newer phishing scams slip past current email defenses by presenting what appears to be harmless content designed to establish trust with the recipients. Cybercriminals exploit that trust and manipulate users into acting against their best interests. Examples include requests for W2s, password resets, offers, socially engineered attacks; the list goes on.
Most of today’s anti-phishing solutions rely on reading email content and recognizing specific patterns. These solutions scan emails for content, raising red flags on attachments, keywords, links or phrases, and leverage machine learning (ML) to identify and block suspicious messages.
Phishers, however, use technology to automate attacks, modifying messages just enough to outsmart the filters. They set up attacks with zero malicious code, or send fairly routine requests: “I’m the CFO, please send me your W2. I’m your email admin; please reset your password. I’m the IRS; you must respond to this.” Each of these attacks would raise zero red flags if the sender weren’t impersonated. This never-ending phishing process drains financial and other resources, and it’s nearly impossible to defend against with 100% success.
Email security issues will only become more challenging to manage, and given the lack of identifiable malicious code in many attacks, phishing emails will remain challenging to stop. It’s time for a different approach, one that redefines and reinforces legitimate communication behavior instead of chasing an infinite number of evolving patterns that define malicious intent.
Risk managers have pivoted to focus on encryption, zero-trust, and domain-based message authentication, reporting and conformance (DMARC). These are the standards shaping email’s future.
A Zero-Trust Approach to Email Security
While both valuable and necessary, network security (including encryption and MFA) cannot adequately protect sensitive data and counteract internal threats; it needs a little help.
Enter zero-trust. This aptly named security strategy is exactly what it sounds like: a policy designed to maintain zero trust toward all transactions, providers and users. It’s more than a specific tool or security technology. Instead, it’s a strategy, combined with process and technology, that companies can use to build a strong security foundation and culture within their organization.
Operating under the idea of “only good stuff gets through” rather than “looking for the bad stuff,” zero-trust addresses a significant security gap within the email ecosystem because it requires that only authenticated senders’ emails get through. Google, Y!, and AOL coined the phrase “No auth, no entry” for email. Zero-trust authentication policies and approaches like the DMARC standard give companies the best justification for implementing them.
Steps To Mitigate Risks by Using Zero-Trust Policies
When it comes to email, the zero-trust model blocks delivery of any message that does not originate from an authenticated sender granted explicit permission to deliver messages to a specific inbox.
Security professionals posit that artificial intelligence (AI) and ML offer an effective method to identify trends in social engineering and malicious content. They don’t apply sender identity authentication because their systems don’t know who, or which services, have permission to send as the domain owner. Why? Because every domain owner outsources email communications to third-party services for HR, payroll, marketing and other business operations. Applying a zero-trust approach to approved senders protects the domain both inside and outside the company. The receiver only delivers an email whose sender authenticates.
Companies with a zero-trust approach directly address 89% of all phishing attacks and protect their employees and clients by focusing on sender authentication. They also set themselves up for the next steps in authentication: first, the company logo in Gmail, Y!, and AOL, indicating to consumers that your email can be trusted; and second, the ability to run applets inside of email itself, like booking your flight inside of an email.
The email industry’s “No-Auth/No-Entry” policy goes live in 2025, stressing that now is the time to address email authentication. With cybercriminals automating phishing, the zero-trust approach provides the strongest foundation upon which to layer content filtering, end-user training and other security measures to protect organizations and individuals.
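The “only authenticated senders get through” rule above is what a DMARC policy expresses for a receiving mail server: a message is delivered only when SPF or DKIM passes *and* the authenticated domain aligns with the From domain the recipient sees; otherwise the domain owner’s published policy (none, quarantine or reject) decides. The Python below is an added illustration written for this article, not code from the author or from Valimail. It assumes the SPF and DKIM checks have already been run by the receiver and only models the alignment and policy decision; its organizational-domain helper is a deliberate simplification (last two labels, no Public Suffix List), and the DMARC record and authentication results are constructed samples.

```python
"""Toy DMARC-style disposition check: deliver only when the sender authenticates
and aligns with the visible From domain (the "no auth, no entry" rule).

Added example for illustration; not the article's or any vendor's code.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def organizational_domain(domain: str) -> str:
    """Simplification (assumption): organizational domain = last two labels.

    Real receivers consult the Public Suffix List, so 'example.co.uk' would be
    mishandled here; the toy is only meant to show relaxed alignment.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("DMARC record must carry a p= policy")
    tags.setdefault("adkim", "r")  # alignment modes default to relaxed
    tags.setdefault("aspf", "r")
    return tags


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain in the RFC 5322 From header the recipient sees
    spf_result: str    # "pass" / "fail" / "none", as reported by the SPF check
    spf_domain: str    # MAIL FROM domain the SPF check was evaluated against
    dkim_result: str   # "pass" / "fail" / "none"
    dkim_domain: str   # d= tag of the verified DKIM signature ("" if none)


def dmarc_disposition(record_txt: str, r: AuthResults) -> Tuple[bool, str]:
    """Return (dmarc_pass, disposition); disposition is deliver/quarantine/reject."""
    tags = parse_dmarc_record(record_txt)
    spf_ok = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, tags["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.from_domain, r.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "deliver"          # authenticated AND aligned: the "good stuff"
    if tags["p"] == "reject":
        return False, "reject"
    if tags["p"] == "quarantine":
        return False, "quarantine"
    return False, "deliver"             # p=none: monitor only, mail still delivered


# Constructed sample record for the domain owner "example.com".
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

# Constructed sample results: an authorized payroll vendor, a spoof, and a subdomain.
SAMPLE_CASES: List[Tuple[str, AuthResults]] = [
    ("payroll vendor signing with the owner's DKIM key",
     AuthResults("example.com", "pass", "payroll-vendor.example", "pass", "example.com")),
    ("spoofed From with SPF passing only for the attacker's own domain",
     AuthResults("example.com", "pass", "attacker.example", "none", "")),
    ("subdomain sender: SPF aligns (relaxed), DKIM does not (strict)",
     AuthResults("mail.example.com", "pass", "mail.example.com", "pass", "example.com")),
]


def evaluate_samples() -> List[Tuple[str, bool, str]]:
    """Run every sample through the policy and return (label, passed, disposition)."""
    return [(label, *dmarc_disposition(RECORD, res)) for label, res in SAMPLE_CASES]


if __name__ == "__main__":
    for label, passed, disposition in evaluate_samples():
        print(f"{disposition:10s} pass={passed!s:5s} {label}")
```

The second sample is the case the article is about: nothing in the message is malicious in content, and SPF even passes, but the passing identity does not align with the From domain, so the owner’s p=reject policy blocks it without any content scoring. The third sample shows why the adkim/aspf modes matter when a vendor sends from a subdomain.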