Email has long been the number-one vector for cyberattacks, and it is still escalating quickly. One statistic that still startles me when I see it: the rate at which cybercriminals are targeting organizations with phishing attacks soared 80% in the healthcare industry alone in just one year.
While phishing awareness training is an option, I believe that teaching enterprise users to recognize phishing emails as the primary enterprise mitigant is insufficient, and that it breeds a growing distrust of email among enterprise users—a problem with its own business consequences. Training users until only 10% of them click on phishing bait, which counts as a success for phishing testing and training programs, is simply not sustainable over the long term. A more effective approach is to apply a few innovative controls that do not rely on enterprise users recognizing phishing emails at all, but instead limit delivery of the fraudulent emails behind business email compromise (BEC) scams, spear phishing attacks, and email-based brand impersonations that victimize businesses and consumers. The net effect is more trust in the email system and less fraud.
For example, filtering inbound email on specific attributes of the sending domain eliminates additional fraudulent emails beyond what the email gateway and spam filters already block. Holding emails that originate from newly registered domains for 48 hours also prevents fraudulent email from reaching enterprise users, since attack domains are typically registered shortly before a campaign. The last control is perhaps the most effective, because it works against fraudulent email from both imposter accounts and authentic accounts with compromised credentials: a machine learning algorithm filters inbound email that does not match the sender's previously observed patterns, blocking the phishing attack regardless of where it originates.
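The two controls that can be demonstrated offline, the 48-hour hold on newly registered sending domains and a check against previously observed sender patterns, as an added example; this is not Agari's code or the ML model the post refers to. The registration dates, the known-sender baseline and the messages are constructed inline, the registration lookup stands in for a WHOIS/RDAP query, and the pattern check is a simplified rule (display name seen with a different domain than before) rather than a learned model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
NEW_DOMAIN_HOLD = timedelta(hours=48)

# Constructed stand-in for a WHOIS/RDAP lookup: domain -> registration time (assumption).
REGISTRATION_DATES = {
    "example-bank.com": datetime(2012, 3, 1, tzinfo=UTC),
    "examp1e-bank.com": datetime(2019, 6, 10, 9, 0, tzinfo=UTC),  # constructed lookalike
}

# Constructed baseline of display names and the sending domains previously seen with them.
KNOWN_SENDERS = {"Pat Lee": {"example-bank.com"}}


@dataclass
class Message:
    display_name: str   # From: header display name
    from_addr: str      # From: header address
    received_at: datetime


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def filter_inbound(msg: Message,
                   registration_dates=REGISTRATION_DATES,
                   known_senders=KNOWN_SENDERS):
    """Return (verdict, reason); verdict is 'deliver', 'hold' or 'quarantine'."""
    domain = sender_domain(msg.from_addr)

    # Control: hold mail from a domain registered less than 48 hours before receipt.
    registered = registration_dates.get(domain)
    if registered is not None:
        age = msg.received_at - registered
        if age < NEW_DOMAIN_HOLD:
            return "hold", f"{domain} registered only {age} before this message"

    # Control: a display name previously seen only with other domains is an
    # impersonation signal (rule-based stand-in for the page's ML pattern model).
    seen = known_senders.get(msg.display_name)
    if seen and domain not in seen:
        return "quarantine", (f"'{msg.display_name}' previously sent from "
                              f"{sorted(seen)}, now from {domain}")

    return "deliver", "matches prior sender patterns"
```

Note that the lookalike domain is held while it is new and still quarantined once the hold expires, which is the layering the post argues for.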
According to the Verizon 2019 Data Breach Investigations Report, healthcare is the most targeted private-sector industry. In fact, it accounts for 48% of all breaches, with more than a third of all data breaches traced back to a well-targeted phishing email. This includes as many as 353 major health industry breaches involving the theft of personally identifiable information (PII) on at least 13 million US citizens.
And the financial services industry is not far behind. Over the last year, there were nearly 600 reported incidents, with 146 confirmed data disclosures. The largest growing trend? Social engineering attacks against employees in the form of phishing. When you consider how profitable healthcare and financial information can be, it’s easy to understand why both sectors are facing such an unrelenting onslaught.
Thanks to a thriving underground market for stolen identity information, data from healthcare breaches can fetch top dollar. That’s because health files can include patient names, addresses, birthdates, social security numbers, credit card numbers, and drivers’ licenses. They can also include insurance documents, doctor licenses, doctor’s diplomas, DEA licenses, and more. According to Experian, this kind of data can score anywhere from $1 to $1,000 per file on the dark web.
The same can be said of financial services breaches, which often include the names, addresses, social security numbers, and credit card numbers mentioned above—but also bank account details, credit limits, loan history, and more.
The cost to organizations can be astronomical. According to Ponemon Institute’s Total Cost of a Data Breach report, the costs associated with a data breach now average $14 million per incident—nearly double the average costs across industries. But averages don’t tell the whole story.
Following the 2015 data breach that compromised 78.8 million patient records, for instance, Anthem Inc. paid $115 million to settle a class-action suit and a $15 million HIPAA settlement. And it was precipitated by a phishing email landing in somebody’s inbox. In some instances, the consequences of breaches that result from these attacks can even include criminal prosecution.
Today, it takes roughly a minute and a half for a phishing email campaign to find its first victim. While secure email gateways (SEGs) and other email security systems are effective at detecting malicious links and malware-infected attachments, they are defenseless against today's most advanced email threats. By mining contact databases, company websites, LinkedIn profiles, and more, fraudsters can now produce highly personalized, plain-text emails designed to throw recipients off kilter just long enough to cough up login credentials before they think to confirm the message's legitimacy.
Email is so effective for cybercriminals because it is an interface with people, who can be caught off guard and manipulated. This type of crime works, and unfortunately for all of us, it is not going away anytime soon. In fact, it just keeps getting worse. Just as with other aspects of security, the enterprise today needs the capability to stop attacks, adjust tactics, and understand the modalities being used against it. It needs the ability to bring trust back into the email ecosystem, which is exactly what the Agari Secure Email Cloud is doing through its innovative AI-based approach to sender identity.
I believe in using controls that add trust to email rather than eroding it. I believe in giving employees the ability and confidence to open, click, and act on everything that hits their inbox. I also believe that data science, and specifically machine learning algorithms applied to front-line security controls, represents the future of enterprise email security.
In my view, this is fundamental to the agenda of every CISO today, regardless of industry. It’s also where Agari comes into the picture for me and for thousands of my peers dealing with the same problems.
To learn more, read the official announcement on Jim Routh’s appointment to the Agari Business Advisory Board, here.