What MSPs need to know about email security

Following best practices can help you protect your clients’ emails in an evolving threat environment.

Chris Crellin, senior director of product management, Barracuda MSP

Email remains a key entry point for the bulk of cyber-attacks—some estimates indicate that as much as 91 percent of attacks are initiated via email. Email-based attacks have evolved from malware attachments and bogus links to much more sophisticated schemes that leverage social engineering, impersonation and other tactics. This makes them much more difficult to detect and prevent using traditional email security solutions.

Nishant Taneja, Senior Director, Product Marketing at Barracuda, recently sat down with the podcast The Holtz Story to discuss the evolution of threats and risk in email and how to protect clients from these attacks.

Email attacks are much more complex than in the past. Barracuda has identified 13 different email threats, and the average organization is targeted by more than 700 social engineering attacks each year. This is happening against a backdrop of increased email usage (the number of daily email messages is expected to reach 362 billion by 2024) and a growing reliance on workplace messaging systems. That massive volume is part of what makes email such an attractive target for criminals.

Social engineering has emerged as a critical component of these attacks. This has been fueled by executives’ and employees’ increased use of social media. By spending a few hours researching specific team members on LinkedIn, Facebook, Instagram, and other platforms, criminals can build a fairly accurate profile of key employees. Armed with that info, they can then use that information to craft tailored emails that can easily fool unwary targets. These emails do not carry links or payloads; they are meant to get users to take specific actions, including sharing account information, transferring funds, or releasing sensitive company data.

The human element of this security threat is the biggest challenge to properly addressing it; technology can only go so far. In the podcast discussion, Taneja noted that most employees are not trained to spot a potential attack, and in fact, they have been “trained” through constant use of email to inherently trust these messages by default. Because of this, the exposure risk is high, as email and messaging accounts provide access to other business applications. Furthermore, once they are compromised, attackers can use stolen credentials to do a lot of damage.

Companies have been trying to deploy training and other solutions, such as attack simulations. Taneja noted that more than 60 percent of surveyed companies use security training programs. However, these programs must be prioritized and remain current and relevant; it isn’t a one-and-done scenario. Training must be an ongoing priority.

Email Security Best Practices

Taneja also discussed several best practices that can help MSPs protect client email systems from ransomware and other types of attacks.

Focus on Training: While employee security awareness training can be managed manually, a security awareness software and services package is a much more effective approach. These solutions offer attack simulations that can help companies identify training opportunities and even help them target specific employees that may need additional help in spotting phishing emails. In addition, these solutions are supplemented with professional services that can help implement and manage the program. This is especially helpful for SMBs that don’t have internal IT resources to spare for these activities.

Assess the Threat Landscape: Not every company is targeted by the same types of attacks. Using an assessment tool to conduct an email threat scan can give MSPs and their clients a better view of what kinds of threats are getting through the firewall and which users respond to them. Using this data, MSPs can improve the performance of the attack simulation tool by making sure they’re simulating the most common types of attacks and targeting the training so that employees can be more suspicious of those types of emails. The more targeted the approach, the more effective the security awareness program will be.

Leverage Artificial Intelligence: Because social engineering attacks easily slip through traditional defenses, new technology is required to help augment employee training. Email security solutions that leverage artificial intelligence and machine learning, like Barracuda Sentinel, monitor email for patterns in everyday usage and then use that information to identify anomalies in potential phishing emails. This type of automation is critical, given the high volume of emails and the complexity of threats. And the longer these AI-based solutions are in place, the more reliable and accurate they become.

With email and messaging apps becoming even more critical for businesses, email protection should be a top priority for security-centric MSPs. The right combination of training, simulations, threat assessments, and AI-based monitoring can significantly reduce the risk of a successful attack.

Chris Crellin is Senior Director of Product Management for Barracuda MSP, a provider of security and data protection solutions for managed services providers, where he is responsible for leading product strategy and management.