The future of email security

Tony Pepper at Egress, a KnowBe4 Company, explores the evolving email threat landscape, secure email gateways, and integrated cloud email solutions

Email is the main way people communicate and share information at work, particularly with those outside of the organisation. Statista predicts that 361.6 billion emails will be sent in 2024; a number that will only increase each year.

Everyone has access to email and expects to receive a variety of messages throughout the day (and night!) – making it the perfect attack vector for cyber-criminals. In fact, in the past 12 months, 94% of organisations experienced an inbound email security incident caused by phishing, this is according to the Egress Email Security Risk Report 2024.

Traditional defence: secure email gateway

Historically, secure email gateways (SEGs) have been the backbone of email security, acting as critical filters for emails entering and leaving an organisation. They sit at the network’s edge, scanning for threats using signature-based and reputation-based detection methods.

They’re effective at filtering out known threats – such as those sent from suspicious email domains or containing a previously identified malicious payload – and quarantining them away from the recipient. They’re also effective at filtering spam and provide other non-security functionality such as archiving and journaling. 

SEGs require updates to their definitions libraries when new threats emerge. While this model was effective when threats were less advanced and fewer in volume, today’s landscape of zero-day attacks, polymorphic threats, text-based social engineering attacks, and emails that have been technically engineered to bypass SEG detection has resulted in significantly more phish-reaching employees’ inboxes. In fact, Egress’ threat intelligence shows that 52.2% more phishing emails got through SEG detection between January 1st and March 31st, 2024, versus 2023. 

Additionally, SEGs can only attach static ‘warnings’ to inbound emails, typically letting the recipient know that the email originated outside the organisation and not providing any insight into whether or not it’s deemed safe. The lack of engagement and education results in most employees becoming desensitised to the warnings, essentially forgetting they’re there at all. 

Disrupting the SEG: Microsoft 365’s native security

In recent years, Microsoft has significantly enhanced its native email security. Exchange Online Protection (EOP) is provided to every customer and, therefore, all adopt its out-of-the-box controls. This has massively disrupted the SEG market.

There is a significant overlap in features between Microsoft 365’s anti-phishing controls and SEGs’: both utilise signature and reputation-based detection. Consequently, what’s detected by Microsoft is typically also detected by the SEG. 

This has led to 87% of CISOs questioning the value of their SEG, saying they’ve already or are considering replacing it with Microsoft’s native defences and an integrated cloud email (ICES) solution.

The rise of ICES

A growing proportion of increasingly advanced phishing emails are getting through reputation and signature-based detection mechanisms, and without enhanced email security defences, organisations are left vulnerable.

Leveraging AI-powered behavioural-based detection and zero-trust models, ICES solutions are designed to detect a broad range of inbound threats, such as zero-day and emerging attacks, and those that don’t contain a traditional payload such as malware, as well as highly evasive technical attacks designed to get through traditional detection (such as HTML smuggling attacks). 

ICES solutions can also deliver continuous micro-training through real-time teachable moments. By applying dynamic banners on neutralised threats, they can educate employees about the threats they face, and the tactics cyber-criminals use. Research supports the success of nudge theory in learning. Gartner’s report on Behavioural Economics in Security highlights the importance of influencing security behaviour through audience segmentation and nudge techniques. 

Deploying an ICES solution enhances organisational defences through improved efficacy of threat detection while improving human risk management, helping reduce the burden on already over-taxed security teams.

Microsoft + ICES

ICES solutions are designed to layer on top of an email platform’s native defences and can even overlay SEGs. However, given the overlap in functionality between native defences and SEGs, Gartner predicts that native defences plus ICES will replace native plus SEG. 

Consequently, every organisation deploying Microsoft should also deploy an ICES. Not all ICES are the same and cyber-security teams should assess:

• The AI models being deployed
• Whether the solution can deliver real-time teachable moments
• How it uses the quarantine model and whether false positives create friction by quarantining business-critical emails 
• If using a graph API deployment model, whether delays in service or throttling can result in dangerous phishing emails being left in the inbox
• Whether it also provides intelligent outbound email security to detect data loss caused by human error and intentional data exfiltration

Key takeaways for cyber-security leaders

Stay informed and adaptable: Cyber-security threats are constantly evolving, and defences must evolve at pace too. Regularly update your knowledge about the latest threats and technological advancements. Implement flexible and adaptive security strategies that can keep up with the changing threat landscape.

Invest in layered security: Signature and reputation-based detection alone is not enough to secure modern enterprises in today’s threat landscape. Deploying an ICES solution to overlay EOP enables organisations to stop the broad spectrum of email threats.

Focus on user education: The human element remains the weakest link in cyber-security. Engage and educate your employees regularly about the latest phishing tactics, social engineering, and safe email practices. Utilise nudge techniques and real-time teachable moments to reinforce good cyber-security behaviours and minimise human error.

By incorporating these strategies, cyber-security leaders can enhance their organisation’s email security posture and stay a step ahead of cyber-criminals.

Tony Pepper is CEO and co-founder of Egress, a KnowBe4 Company

Main image courtesy of iStockPhoto.com and Aleksandra Zhilenkova