Cyren recently gathered opinions from the Spiceworks IT community membership about the state of email security. We received almost 80 responses and were surprised at what appears to be a general feeling that the respondents are losing the battle against email threats. This comment from CJ Wood, catches this perfectly:
“One would think that an email filter would screen scams and flag e-mails that link to infected WordPress sites, domains unaffiliated with the “sender”, any e-mail that starts with “dear valued customer”, bank e-mails with attachments, etc.”
Throughout February we made the Cyren Email Security Gap Analysis: Aggregated Results report available to IT Professionals in the Spiceworks IT community and posed the question: “Why do you think that current email solutions are not blocking these threats?” Here is a link to the community thread.
The question relates to the findings from the report, which revealed that, on average, 10.5% of email delivered to users after being scanned by their current email security solution was spam, phishing, or malware email.
Below, in a bid to help others in a similar situation, I share a summary of the responses and my observations. (Use of the occasional quote from Spiceheads is done with their prior permission.)
IT professionals believe the available technology is losing the battle
Summary: There is a belief that the bad guys are getting smarter, can adapt quickly to the security measures that are in place, and that it takes time to detect threats and update protection. It only takes one threat to get through and it is game over.
Observation: I agree that much of the email security industry is failing its customers. I believe this is due to a lack of investment that is now being exposed by the increase in ransomware and phishing threats over the last few years. I discussed this in my blog How Do You Know Your Email Security Is Working?
IT professionals are fighting a personal battle against the bad guys and their own email security solution
Summary: Email security solutions are soaking up lots of time. IT professionals are handcrafting spam rules, trawling quarantines and creating blocklists. They are grateful when users forward malicious emails they have received, so they have visibility that helps them with their battle to stay one step ahead. They recognize that they need to respond quickly to prevent spam, phishing and malware reaching their users’ inboxes. Some suggest that the solution is technology that does this automatically.
Observation: Presumably this manual intervention is a direct result of the technology failing. Stopping spam, phishing and malware is why they have an email security solution and it should be automatic. It should just work. If it does not and users are receiving email threats, it is failing them. The IT team’s time should be free to do things that add value to their users and businesses. Few IT professionals receive accolades for managing spam rules.
IT professionals are frustrated with their users
Summary: There is an overwhelming view that users could and should be more vigilant. Steve suggests this in a light-hearted way:
“There’s no solution when the PEBCAK.”
This abbreviation of course refers to the users, as in the “problem exists between chair and keyboard”. Many are trying to address this through user training and see this as a critical part of their defense-in-depth strategy.
Observation: The focus on the user is presumably prevalent because the technology is failing and the manual intervention from IT is a band-aid. If all companies could afford to take a defense-in-depth approach that included ongoing user training, and clearly they cannot, this still leaves a problem – should the onus be placed on users?
Years ago, in a Gartner report, “Why Am I Getting All This Spam”, they speculated about the amount of time users wasted if it took them 5 seconds to recognize and delete each spam email they received. Recognizing today’s targeted phishing attacks takes significantly longer. This is a shocking waste of time. Email security should just block phishing and impostor emails before they even reach users.
IT professionals perceive email security to be a trade-off between protection and usability
Summary: Many people commented on this balance. They are concerned that if they configure more aggressive spam filtering, it could result in an increase in false positives and in turn, support calls, and that users will complain if anything new is implemented. Matt Burakowski perfectly articulates this:
“People want ease-of-use and a platform they know instead of real security. The pushback when you implement any actual security solution is immense, so we can’t do the things that would really help.”
Observation: This balance or trade-off between security and usability has always existed, but should this be the case in the email security world? We have been protecting from email threats for decades. Email security solutions should not negatively impact IT professionals or their users. They should just work. Users should not know they exist. IT administrators’ interaction with them should be limited to easy policy configuration, management reports to justify the return on investment and email tracking tools to aid fault finding in the event that a problem does occur.
Email security can protect, be invisible to users and not be a drain on IT professionals’ time
Summary: Tom Bechtold perfectly sums up the challenge facing email security infrastructures:
“Cybercriminals can create a huge amount of phishing and spearphishing attacks every day and launch them before email solutions can be updated (if they are updated) and catch them. Building a better mousetrap results in smarter mice.”
Observation: The question is can IT professionals create the perfect mousetrap? Probably not, but the email security industry can do a better job of helping them. IT professionals should not give in. Basic layers of security are exactly that – they meet basic needs – and usually only do so if IT admins are prepared to put the effort in themselves with constant tweaking. This is fine for anti-spam, but as many respondents pointed out, it is a big risk if you rely on basic security to protect from today’s sophisticated, targeted phishing attacks.
IT professionals can try to fill the gaps left by inadequate email security solutions by investing lots of their own time, and they can push the onus onto the users, but why are they doing this? There are affordable solutions on the market that can win the internet security race. SaaS or cloud email security from specialist security providers like Cyren provides low total cost of ownership, rapid detection and time to protection.
Cyren achieves this through automated technologies, developed by our threat analyst and R&D teams over 15+ years, that detect threats as soon as they emerge onto the internet. These run in the cloud on a multi-tenant security infrastructure. We believe that we are responsible for protecting our customers’ information, users and devices, leaving their IT teams free to focus on the more visible projects that benefit their businesses.