Weidman said that one important method of training employees in email security is to send out fake phishing emails. She said that anyone can create such emails for training by using the company’s Dagah software, and she said that a limited version is available for free.
The training can be crucial, because without it, malware and phishing attempts can penetrate a company in surprisingly little time. According to Callon, a new phishing campaign can expect a delay of only 2.5 minutes before the first email is opened and only 4 minutes before the first click. This means that any automated systems must respond almost immediately to be effective.
Adding to the complexity of catching such email attacks, Callon said that everything about them is dynamic, with phishing URLs changing in minutes. This means that many of the automated email screening packages can’t react in time if they’re keying on a phishing URL.
“Within the first hour, 80 percent of the recipients of a phishing campaign have already clicked,” Callon said, stressing that security needs to work on that time scale. Cyren sells a cloud-based product that Callon said can react fast enough, but he said that training also helps keep malware and phishing at bay.
But Callon said that there’s a lot more that email security can do to ferret out problem emails than many appliances and filtering systems are doing. Those methods include pattern recognition and metadata examination. “There’s a rethinking of email security going on,” he said.
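To make the contrast between URL keying and metadata examination concrete, here is an added example that is not code from the article, from Cyren or from Shevirah. It triages two constructed messages (not real captured mail): a static URL blocklist catches the phish only while its URL is unchanged, while checks on header metadata (Reply-To and Return-Path domains that disagree with From) and simple content patterns (urgency wording, a raw-IP link) still flag it after the URL rotates. The weights and the threshold are assumptions chosen for illustration.

```python
"""Metadata-based phishing triage versus a static URL blocklist.
Added example; sample messages and scoring weights are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail). The phish spoofs the From
# header but its Reply-To and Return-Path point at an unrelated domain.
SAMPLES = {
    "legit": """From: Accounts Payable <ap@example.com>
Reply-To: ap@example.com
Return-Path: <ap@example.com>
Subject: March invoice attached
Content-Type: text/plain

Hi, the March invoice is attached for your records.
""",
    "phish": """From: Accounts Payable <ap@example.com>
Reply-To: accounts-team@mail-example-login.net
Return-Path: <bounce@mail-example-login.net>
Subject: URGENT: verify your account within 24 hours
Content-Type: text/plain

Your mailbox will be suspended. Verify now: http://198.51.100.7/login/verify
""",
}
# The same phish after the sender rotates the landing URL (constructed).
SAMPLES["phish_rotated"] = SAMPLES["phish"].replace("198.51.100.7", "203.0.113.9")

# A blocklist that keys on the exact URL seen in the first wave (assumption).
URL_BLOCKLIST = {"http://198.51.100.7/login/verify"}

URL_RE = re.compile(r"https?://\S+")
RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b")
URGENCY = re.compile(r"\b(urgent|verify|suspend|immediately|within \d+ hours?)\b", re.I)


def domain_of(header_value: str) -> str:
    """Return the lower-cased domain of an address header such as
    'Name <user@host>' or '<user@host>'."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def url_blocklist_hit(raw: str) -> bool:
    """URL keying: true only if a body URL is already on the blocklist."""
    body = message_from_string(raw).get_payload()
    return any(url in URL_BLOCKLIST for url in URL_RE.findall(body))


def score_message(raw: str) -> dict:
    """Metadata and pattern checks that do not depend on the URL value.
    Weights: +2 per header-domain mismatch, +1 per distinct urgency phrase,
    +2 for a link to a bare IP address. Threshold 4 is an assumption."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From", ""))
    reasons, score = [], 0
    for header in ("Reply-To", "Return-Path"):
        value = msg.get(header)
        if value and domain_of(value) != from_domain:
            reasons.append(f"{header} domain {domain_of(value)} != From domain {from_domain}")
            score += 2
    text = msg.get("Subject", "") + " " + msg.get_payload()
    phrases = {m.lower() for m in URGENCY.findall(text)}
    if phrases:
        reasons.append("urgency wording: " + ", ".join(sorted(phrases)))
        score += len(phrases)
    if RAW_IP_URL.search(text):
        reasons.append("link to a raw IP address")
        score += 2
    return {"score": score, "reasons": reasons, "verdict": "suspicious" if score >= 4 else "ok"}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        result = score_message(raw)
        print(f"{name:14s} blocklist={url_blocklist_hit(raw)!s:5s} "
              f"score={result['score']} verdict={result['verdict']}")
        for reason in result["reasons"]:
            print("    -", reason)
```

Running the block shows the blocklist matching only the first-wave phish, while the metadata score marks both the original and the rotated copy as suspicious and leaves the legitimate invoice notice at zero. The header checks here are deliberately simple; a production filter would also evaluate SPF, DKIM and DMARC results and the Received chain, which the article's "metadata examination" encompasses.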
The problem, as Weidman said, is that organizations need to take email security seriously. And they should. Weidman pointed out that virtually all of the recent breaches have a phishing component that was delivered by email, and in many cases the phishing email was also used to deliver malware.
But as employees become more security aware, the threat has begun to morph. “We are seeing phishing move to text messages, Twitter, Facebook and even quick response codes that people can scan,” Weidman said. She noted that mobility makes it worse because it’s harder to identify the threats when they arrive.
The stakes are getting higher, so the need to deal with email attacks, and by extension social media attacks, is becoming more important. A gap in email security can lead to a major data breach, including the theft of money or other assets, and brings embarrassment for the organization when it has to confess that it was penetrated by hackers. Email security may be boring, but it’s critical to the organization if it’s going to stay secure.