This year’s Verizon Data Breach Investigations Report found that the median company received over 94% of its detected malware through email. It also found that 45% of email-based malware was delivered via email attachments, such as a Microsoft Office document.
These statistics are certainly jarring, and you may wonder what these organizations are doing to protect themselves. It may surprise you to find that most businesses and IT managers rely only upon end-user training and the simple spam filtering built into traditional email clients (e.g., Outlook or Gmail) to protect their organizations.
While regular end-user training has proven effective, it is still not enough to secure your most vulnerable threat vector. MSPs and IT solutions providers have taken notice of these alarming statistics and are slowly adapting by selling email security as part of their service offering. However, there is still much room for improvement.
Here are some common mistakes we have found MSPs make when they deal with email security and their clients.
1. Not Explaining Email Security is a Separate Offering
Many customers immediately assume that email security is basic functionality built into other services (e.g., endpoint or antivirus), or that basic email clients take care of it by stopping spam. If you are left to trust your endpoint to stop ransomware attacks, it is most likely too late. The problem with trusting email clients (e.g., Outlook or Gmail) is that they use passive spam filtering.
Passive filtering means messages are evaluated only on pre-determined parameters. It simply assesses whether it has seen this format of message and/or attachment before. The content of the message is not analyzed; the message is cleared on reputation alone. This allows malicious actors to pass through standard-looking messages, such as graymail (e.g., newsletters and promotional emails), that they have weaponized or can weaponize later.
Modern email security solutions use active filtering and other features to stop advanced attacks from making it to end-users. Active filtering examines each message individually, looking for inconsistencies in both the message body and sender information. It also passes each message through multiple layers of scanning, examining it for traits that are common in malicious messages. Some advanced solutions will even sandbox messages and attachments, opening them in a virtual environment to see if they are truly destructive.
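As an added illustration (not part of the original article and not any vendor's implementation), the sketch below shows the kind of per-message inconsistency checks described above: sender headers that disagree with each other, and link text that displays one host while pointing to another. The sample message, domains, and function names are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every address and domain here is made up.
SAMPLE = """\
From: "Example Bank Support" <notice@mail-example.test>
Reply-To: helpdesk@other-example.test
Return-Path: <bounce@mail-example.test>
Subject: Action required
Content-Type: text/html; charset="utf-8"

<p>Review your statement at
<a href="http://login.other-example.test/a">https://www.examplebank.test/login</a></p>
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r'^\s*[a-z][a-z0-9+.-]*://([^/:?#\s]+)', re.I)

def domain_of(header_value):
    """Lowercased domain of an address header, or '' if the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def host_of(text):
    """Host of a URL-looking string, or '' if it is not a URL."""
    m = HOST_RE.match(text)
    return m.group(1).lower() if m else ""

def inspect_message(raw):
    """Return the sender and link inconsistencies found in one raw message."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg["From"])
    # Sender check: replies or bounces routed to a different domain than From.
    for header in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[header])
        if dom and dom != from_dom:
            findings.append(f"{header} domain {dom} != From domain {from_dom}")
    # Body check: link text that displays one host while the href targets another.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode("utf-8", "replace")
        for href, shown_text in LINK_RE.findall(html):
            shown, actual = host_of(shown_text), host_of(href)
            if shown and actual and shown != actual:
                findings.append(f"link shows {shown} but points to {actual}")
    return findings
```

Findings like these are signals to feed into scoring alongside other layers, not verdicts on their own: legitimate bulk senders often use a different Return-Path domain for bounce handling.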
Ultimately, it is important to explain to current and prospective customers what each solution does and doesn’t do. MSPs need to stress the necessity for email security and advise clients to deploy it. Cybersecurity services should always include defending email.
2. Not Educating Clients About Why They Need It
While certain businesses such as those in the healthcare and financial sectors are required to use an email security solution by federal regulations, all businesses can benefit from them.
Cybercriminals are targeting all types of businesses and organizations, and they go after SMBs just as often as large enterprises, if not more. Even though a threat actor would make less money on an SMB haul than on an enterprise, SMBs are often easier targets that can be attacked at quicker rates. This is because many don’t employ proper cybersecurity measures.
SMBs often decide that instead of deploying an email security solution, they’d rather deal with a cyberattack if/when it happens. It is up to the MSP to show them the MANY real-world examples of what it will cost an organization to recover their data and systems.
Email security only costs a few bucks per user per month, but an email-based ransomware attack can cause even small organizations to spend anywhere from $400,000 to over a million dollars, depending on the response route they take.
3. Believing End-User Training is Enough
If you spend any time in a cybersecurity forum, you will undoubtedly hear IT professionals talking about the benefits of end-user training. We are in no way knocking end-user training; in fact, we fully endorse MSPs and IT admins using the numerous innovative solutions available today. What we are saying is that end-user training is simply not enough to protect your organization.
Threat actors are getting smarter, more innovative and quicker in how they attack via email. Even the most well-trained end-user can still be duped by a skillfully crafted phishing message.
In a recent study, the United Kingdom’s Information Commissioner’s Office determined that 4 out of the top 5 causes of data breaches can be attributed to human error. So, we ask, why leave the security of your most vulnerable threat vector to the decisions of a non-IT staff member?
Email security solutions ensure that malicious messages very rarely see employee inboxes. This effectively takes the human error element out of the equation. While you can provide a myriad of educational opportunities on how to best identify potentially malicious emails, nothing beats the ability to stop a threat before it even hits an end-user.
To conclude, there are a myriad of mistakes that MSPs can make when it comes to dealing with email security. However, the biggest mistake they can make is ignoring it altogether. As long as threat actors are able to find value and profit from a threat vector, they will continue to attack it. It is imperative that MSPs assist their clients in understanding what email security is, how it benefits their business, and what value they can derive from it financially. It also makes sense for MSPs to deploy email security themselves, as managed service providers have become targets for skilled hacking groups seeking entry into multiple businesses.
Free Trial
VIPRE Email Security Cloud is an industry-leading email security solution that delivers unparalleled protection from advanced email threats and accidental or malicious data leakage via email. With VIPRE Email Security Cloud you are protected whether you are in the office or on the road, no matter what the device may be. Learn more about VIPRE Email Security Cloud today and contact us to take a free 30-day trial with any of our award-winning cybersecurity solutions.
Kevin Raske is a marketing specialist at VIPRE Security and parent company J2 Global.