Shortcomings of Email Security: Why Do So Many Cyberattacks Still Begin with an Email?

Email is the preferred method of business communications, a trend that has only been magnified by the remote work environment brought on by the pandemic. Cybercriminals are readily taking advantage of this increased reliance on email for business, along with common weaknesses in traditional methods of securing business email.

While cyberattacks are increasing across the many threat vectors, email still remains the most common channel for opportunistic and targeted attacks. Over 90% of all modern cyberattacks are initiated via email.

As attackers continue to advance and increase the sophistication of their methods, tactics, and techniques, static, single-layered email security defenses like endpoint security solutions and the email security mechanisms built into Microsoft 365 no longer provide sufficient protection for organizations. As a result, many companies remain highly exposed and are often unaware that their security solutions are inadequate until they are breached. This article will examine why email remains the preferred method of attack among cybercriminals in 2022 and how this trend impacts all businesses.

Technology Gaps in Email Security Defenses Result in Low Detection Rates & High False Positives

Effectively protecting against today's advanced threats means dealing with phishing and spear-phishing campaigns that combine multiple evasion techniques, impersonation attempts, sophisticated ransomware attacks, account takeover, zero-day vulnerabilities, and more. Many email security systems are not equipped with the technology needed to detect these increasingly sophisticated threats, and these widespread technology gaps directly lower detection rates.

Relying on signature-based antivirus software alone is not comprehensive: attackers can evade programs that identify malware by its signature simply by modifying their code in ways the antivirus software does not recognize. Malware that is new or rare also goes undetected if its signature has not yet been added to the vendor's database.

Packers are programs attackers use to compress or obfuscate malware, making it difficult for analysts to reach the original code and analyze it.

Sandboxes are a common approach to dynamic scanning, but they are slow and often bypassed. Advanced malware can be challenging to analyze because specific variants may require particular command-line arguments in order to execute, or may lie dormant until those commands are issued. Sandboxes are unable to run this type of malware when they lack command-line options or do not allow enough time for the malicious behavior to appear.

Limited System Agility Interferes with the Detection of Advanced & Emerging Attack Vectors

Many systems lack the flexibility to learn and adjust their threat detection techniques and algorithms based on the changing attacks seen in the field, so their detection rates steadily decline. To be effective against evolving and emerging threats, technology must be flexible and agile enough to support new logic and rules added by the vendor and by customers' IT administrators to increase detection rates. New detection logic and newly identified phishing site URLs can then be deployed dynamically to prevent future attacks immediately.

Inadequate Incident Response Infrastructure & Resources

Good communication between your company's IT team, the security vendor, and the end users is essential. The role of the Incident Response team is to achieve the best detection rate and the lowest false-positive rate by keeping the lines of communication open between these three parties. That said, the response team requires expertise, and companies struggle to dedicate sufficient in-house time and resources to properly manage the growing number of incidents. When Incident Response resources and infrastructure are lacking, organizations cannot capture or leverage what they learn from the suspicious attacks that bypassed their system, and so cannot continuously optimize their defenses.

Email Protocols Are Messy & Complex

One common challenge organizations face with regard to the effectiveness of their email security is the failure to properly configure protocols such as SPF, DKIM, and DMARC. These standards exist so that mail systems and devices can verify sender identity and confirm the legitimacy of email messages. An organization can implement DMARC for its own domain, but it cannot control how much of this security is adopted across its ecosystem of business partners.
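As an added example (not code from the original article), the following Python script checks a domain's SPF and DMARC records for the weak settings that leave it spoofable: an SPF record ending in `+all` or `?all` (or with no `all` at all), a DMARC policy of `p=none`, or a DMARC record with no `rua=` reporting address. The domains and TXT records are constructed stand-ins, and the DNS lookup is a dictionary so the script runs offline; the comment notes where a real resolver would go. DKIM is deliberately left out because verifying it requires knowing each sender's selector name.

```python
import re

# Constructed sample DNS TXT records for hypothetical domains. A real check
# would fetch them with a resolver (for example dnspython's
# dns.resolver.resolve("_dmarc.example.com", "TXT")); a dict stands in here
# so the script runs offline.
SAMPLE_TXT = {
    "weak.example": ["v=spf1 a mx include:_spf.mailhost.example ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "strong.example": ["v=spf1 a mx include:_spf.mailhost.example -all"],
    "_dmarc.strong.example": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; adkim=s; aspf=s"
    ],
    "open.example": ["v=spf1 +all"],
}


def lookup_txt(name, txt=SAMPLE_TXT):
    """Return the TXT strings published at name, or [] (stand-in for DNS)."""
    return txt.get(name, [])


def parse_spf(record):
    """Split a v=spf1 record into its terms and return them together with the
    qualifier of the 'all' mechanism: '+', '-', '~', '?' or None if absent."""
    terms = record.split()[1:]  # drop the 'v=spf1' version tag
    all_qualifier = None
    for term in terms:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            all_qualifier = m.group(1) or "+"  # RFC 7208: default qualifier is '+'
    return terms, all_qualifier


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict keyed by lower-cased tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain, lookup=lookup_txt):
    """Return human-readable findings about the domain's SPF and DMARC posture;
    an empty list means nothing weak was found."""
    findings = []

    spf = [r for r in lookup(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no v=spf1 record published")
    else:
        _, qualifier = parse_spf(spf[0])
        if qualifier == "+":
            findings.append("SPF: '+all' lets any host pass SPF for this domain")
        elif qualifier in ("?", None):
            findings.append("SPF: neutral or missing 'all'; unlisted senders are not failed")
        elif qualifier == "~":
            findings.append("SPF: '~all' softfail; move to '-all' once senders are inventoried")

    dmarc = [r for r in lookup("_dmarc." + domain) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("DMARC: no record; receivers have no policy to enforce")
        return findings
    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once reports are clean")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports and no visibility")
    return findings


if __name__ == "__main__":
    for d in ("weak.example", "strong.example", "open.example"):
        print(d, "->", assess_domain(d) or ["OK"])
```

Running it reports nothing for `strong.example`, three findings for `weak.example` (neutral SPF, monitor-only DMARC, no reports), and two for `open.example` (`+all` and no DMARC record). The `rua=` check matters as much as the policy itself: without aggregate reports an organization has no data on who is sending mail in its name, which is exactly the visibility gap discussed later in this article.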

Lack of Visibility Makes it Difficult to Measure System Performance

Key performance indicators that measure false positives and false negatives are an important tool for understanding both the efficiency and the accuracy of a business email security system. However, setting up such KPIs is not often an easy task for a company. False negatives are malicious emails that found a way to bypass security, and not all solutions provide a proper way to view those statistics. As a result, many companies have the “feeling” that their solution is underperforming, but lack the data to back up the claim. This lack of visibility is mainly attributed to ineffective handling of security incidents and to solutions that offer no proper support for retrieving the true number of incidents.
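The following Python snippet, added here and not taken from the original article, shows the minimum bookkeeping such KPIs require: each message's gateway verdict is reconciled against what was later confirmed (from user reports or analyst triage), and the false-positive and false-negative rates fall out of the resulting confusion matrix. The CSV records are constructed sample data; the column names are assumptions.

```python
import csv
import io

# Constructed sample verdict log: the gateway's decision at delivery time
# alongside what analysts later confirmed (from user reports and triage).
SAMPLE_CSV = """msg_id,gateway_verdict,confirmed
m001,blocked,malicious
m002,delivered,benign
m003,delivered,malicious
m004,blocked,benign
m005,delivered,benign
m006,blocked,malicious
m007,delivered,malicious
m008,delivered,benign
"""


def load_records(text):
    """Parse CSV text into dicts with msg_id, gateway_verdict and confirmed."""
    return list(csv.DictReader(io.StringIO(text)))


def confusion(records):
    """Bucket every record into TP/FP/TN/FN by comparing the gateway verdict
    with the confirmed ground truth. Keeps the message ids, not just counts,
    because the misses are what Incident Response has to follow up."""
    buckets = {"tp": [], "fp": [], "tn": [], "fn": []}
    for r in records:
        blocked = r["gateway_verdict"] == "blocked"
        malicious = r["confirmed"] == "malicious"
        if blocked and malicious:
            buckets["tp"].append(r["msg_id"])
        elif blocked and not malicious:
            buckets["fp"].append(r["msg_id"])  # legitimate mail wrongly blocked
        elif not blocked and malicious:
            buckets["fn"].append(r["msg_id"])  # malicious mail that got through
        else:
            buckets["tn"].append(r["msg_id"])
    return buckets


def kpis(buckets):
    """Compute the rates a security team reports from the confusion matrix."""
    tp, fp = len(buckets["tp"]), len(buckets["fp"])
    tn, fn = len(buckets["tn"]), len(buckets["fn"])

    def ratio(a, b):
        return a / b if b else 0.0

    return {
        "detection_rate": ratio(tp, tp + fn),       # malicious mail caught
        "false_negative_rate": ratio(fn, tp + fn),  # malicious mail missed
        "false_positive_rate": ratio(fp, fp + tn),  # benign mail blocked
        "precision": ratio(tp, tp + fp),            # blocks that were right
    }


if __name__ == "__main__":
    buckets = confusion(load_records(SAMPLE_CSV))
    print("missed (false negatives):", buckets["fn"])
    for name, value in kpis(buckets).items():
        print(f"{name}: {value:.1%}")
```

On the sample data two of the four malicious messages were delivered, so the false-negative rate is 50% even though only one legitimate message was blocked. The `confirmed` column is the hard part in practice: it only exists if users have a way to report suspicious mail and the response team records the outcome of each report, which is why the article ties visibility to incident handling.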

Key Takeaways

In contrast with other communication channels, securing business email is more challenging due to the reasons discussed in this article. That being said, with over 90% of all cyberattacks beginning with an email, email is also the most critical channel to secure. We have free email security tips and resources to help your organization bridge the email security gap.
