Most orgs fall short in email security, report finds
One key component in two of the most recent high-profile cyber crimes has been criminals’ focus on exploiting the vulnerability of email systems. A report released Wednesday sheds new light on just how vulnerable those systems are.
In its report, security startup Agari found a host of companies that store highly personal data are often behind on email security. Agari poured over 6.5 billion emails over the course of 2014, finding that criminals move unpredictably from sector to sector until their phishing and spamming exploits work. Once an exploit is found, attacks become massive.
“Companies don’t know when attacks will happen, but when they come, they may well be tsunamis,” the report reads.
It has been reported that “spear phishing” — a fraudulent email that contains a highly personalized message — was to blame for the recent Anthem Inc. hack, as well as an attack on Russian banks where criminals stole at least $300 million.
The report measured companies’ use of three email authentication standards — Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-Based Message Authentication, Reporting and Conformance (DMARC) — as well as the amount of spam and other malicious email sent to consumers fraudulently using a company’s domain. Researchers assigned scores to sectors based on their findings.
The health care sector was found to be the most vulnerable. An email from an insurer was four times as likely to be fraudulent as one from a social network, which were found to be the least vulnerable of the sectors measured. Anthem Inc., which announced earlier this month that criminals had compromised as many as 80 million customer records, was among a list of top-level health care companies that Agari considered an “easy target” for hackers. Only Aetna Inc. was noted as taking email security seriously.
Other sectors that were found to have a high number of easy targets were retail, payments (credit card and digital wallet services), U.S. and European “megabanks,” and airlines. Of the 147 companies that were measured, only 13 earned a perfect “TrustScore,” which indicates they are using all three standards of email security.
Even as the report notes that more than 85 percent of U.S.-based email inboxes are DMARC enabled (which rejects suspected spoof emails from entering a system instead of diverting them to spam folders), companies need to quickly move to the new standard as they are likely to be targeted more as they fall behind.
Read the full report from Agari below.