Is Your Email Risk Assessment Up-To-Date?
The FBI reported in July 2018 that business e-mail compromise (BEC) is continuing to grow and evolve, targeting small, medium and large businesses. IC3, the Internet Crime Complaint Center, estimates that from December 2016 to May 2018 there was a 136 percent increase in identified global exposed losses1. IC3 also reports, based on victim complaints from October 2013 to May 2016, that in the United States alone there were over 40,000 victims of BEC, resulting in losses of almost $3 trillion.
It is important that you update your email risk assessment in light of this growing threat. This is of particular importance if your email contains potentially sensitive information such as protected health information (PHI), personally identifiable information (PII), proprietary information or other confidential information.
The following are some suggestions to consider when updating your risk assessment:
Threats/Hazards. Some of the more common threats or hazards to email are:
1. Email account compromise – bad actor gains access to an email account and is able to read and/or exfiltrate sensitive information
2. Spoofing – bad actor sends an email pretending to be someone that the victim knows and exploits the trust
3. Phishing – bad actor sends an email seeking account credentials, bank account information, social security numbers, etc.
4. Ransomware – bad actor sends a payload (i.e. a file or link) containing an encryption routine
5. Harmful files – bad actor sends malicious content in an email attachment
6. Security weakness exploit – bad actor exploits a security weakness in the email configuration allowing system infiltration
Mitigating Factors. Some factors which can reduce the adverse impact of an email security event:
1. Implement multi-factor authentication (MFA).
2. Enable audit logging. (Note that audit logging is turned off by default in Office 365.)
3. Minimize sensitive information in email.
4. Restrict the use of business email for personal purposes (such as on-line shopping and social media).
5. Implement advanced threat protections available in your email system (e.g., a ribbon header warning the recipient that the email did not originate from an internal source).
6. Set up anti-phishing policies.
7. Implement data loss prevention.
8. Enforce records retention policy (e.g., workforce members should be disciplined for policy violations).
9. Back up data.
10. Implement centralized mobile device management and a Bring Your Own Device (BYOD) policy.
11. Regularly train and test employees regarding email vulnerabilities and your information security safeguards.
Your risk assessment should identify the threats and hazards facing your email system. It should then estimate the likelihood of occurrence for those threats and hazards, and the potential impact to your organization. Once the risks are identified and quantified, you should rank the risks and develop appropriate mitigation plans.
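The identify, estimate, rank and plan steps above can be made repeatable with a small risk register. The following is an added example, not code from the article or its author: it uses the six threats and the mitigations the article lists, but the likelihood and impact estimates are constructed sample values, and the 1–5 scales, the one-step impact increase for mailboxes holding PHI/PII, and the high/medium/low thresholds are assumptions an organization would replace with its own.

```python
"""Email risk register: score, rank and plan mitigations.

Added example (not from the original article). Threat names and mitigations
are the ones the article lists; the likelihood/impact values are constructed
sample estimates, and the 1-5 scales and rating thresholds are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed qualitative scales mapped to 1-5 (a common risk-matrix convention).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    threat: str
    likelihood: str
    impact: str
    mitigations: list[str] = field(default_factory=list)

    def effective_impact(self, sensitive_data: bool) -> int:
        """Impact score; raised one step (capped at 5) when mailboxes hold PHI/PII."""
        base = IMPACT[self.impact]
        return min(5, base + 1) if sensitive_data else base

    def score(self, sensitive_data: bool = False) -> int:
        """Likelihood x impact, the usual risk-matrix product."""
        return LIKELIHOOD[self.likelihood] * self.effective_impact(sensitive_data)


def rating(score: int) -> str:
    """Assumed thresholds: 15-25 high, 8-14 medium, below 8 low."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def build_register() -> list[Risk]:
    """Constructed sample register built from the article's threat list."""
    return [
        Risk("Email account compromise", "possible", "severe",
             ["MFA", "audit logging", "minimize sensitive information in email"]),
        Risk("Spoofing", "likely", "moderate",
             ["external-sender warning header", "anti-phishing policies", "training"]),
        Risk("Phishing", "likely", "major",
             ["MFA", "anti-phishing policies", "training and testing"]),
        Risk("Ransomware", "possible", "major",
             ["backups", "advanced threat protection", "training"]),
        Risk("Harmful files", "likely", "moderate",
             ["advanced threat protection", "training"]),
        Risk("Security weakness exploit", "unlikely", "major",
             ["audit logging", "advanced threat protection"]),
    ]


def rank(risks: list[Risk], sensitive_data: bool = False) -> list[Risk]:
    """Highest score first; ties broken by threat name so the order is reproducible."""
    return sorted(risks, key=lambda r: (-r.score(sensitive_data), r.threat))


def mitigation_plan(risks: list[Risk], sensitive_data: bool = False) -> list[dict]:
    """Ranked rows for every risk rated medium or high, with the mitigations to schedule."""
    rows = []
    for r in rank(risks, sensitive_data):
        s = r.score(sensitive_data)
        if rating(s) == "low":
            continue
        rows.append({"threat": r.threat, "score": s, "rating": rating(s),
                     "mitigations": r.mitigations})
    return rows


if __name__ == "__main__":
    # Run the register for an organization whose mailboxes hold PHI/PII.
    for row in mitigation_plan(build_register(), sensitive_data=True):
        print(f"{row['score']:>2} {row['rating']:<6} {row['threat']:<28} "
              f"-> {', '.join(row['mitigations'])}")
```

Running it with `sensitive_data=True` moves spoofing and harmful files from medium to high, which is the point of re-assessing when email carries PHI or PII: the likelihood of the threat has not changed, but the impact, and therefore the ranking and the mitigations that get scheduled first, has.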