With phishing attacks now commonplace, corporate information security programs routinely train employees on how to avoid email compromise. However, the frequency of email attacks has accelerated dramatically over the last couple of years. In its most recent quarterly report, the Anti-Phishing Working Group reported the highest level of phishing activity on record: four times the number of attacks seen in early 2020. Other organizations reported staggering increases in suspicious emails targeting remote workers at the start of the pandemic, as attackers took advantage of changing work habits.
The business impact of phishing activity is not inconsequential. In May of 2022, the Federal Bureau of Investigation released a report documenting US$43 billion in domestic and international financial losses between 2016 and 2021 from business email compromise.
This changing landscape raises the question: how do you enable email recipients to be certain of sender identity and email content integrity? A well-thought-out digital trust strategy can inject this important layer of security into email communications, making it easy for recipients to differentiate between trusted and suspicious messages.
The foundation of trust in email security is the S/MIME digital certificate. S/MIME stands for Secure/Multipurpose Internet Mail Extensions, an industry standard for email signing and encryption supported by most corporate email clients. S/MIME certificates enable users to digitally sign emails, verifying the authenticity of the sender and showing that the email contents have not been altered in transit. S/MIME certificates can also be used to encrypt emails, protecting communications containing sensitive information from interception.
The next step to consider is the management of S/MIME certificates within an organization. IT leaders note that when measures that improve security are optional or dependent on actions taken by a non-technical corporate user, adoption can be a challenge. Companies can solve this problem by automating the provisioning of digital certificates such as S/MIME. To accomplish this, companies can leverage PKI management solutions that integrate directly with corporate directory services to automate the installation, renewal and revocation of certificates. This reduces the burden on IT technical support, ensures adherence to preferred security measures or corporate policy, and eliminates any provisioning or revocation gaps that can impact productivity or security.
When S/MIME is used for encryption, additional measures are needed that benefit from the automation and integration capabilities of PKI management solutions. For example, a user needs the same private key on every device where they receive email, because that key is what decrypts the messages; otherwise they will be limited to reading encrypted email only on the device where the key is present. Additionally, end users need to preserve their key history, including keys that have expired or been replaced, so that older encrypted mail remains readable should laptops or other hardware crash or be compromised. IT security teams managing the PKI infrastructure should support key escrow and recovery, both for users who need to retrieve keys and to fulfill legal requests for email histories. PKI management solutions that integrate with Unified Endpoint Management (UEM) solutions such as Microsoft Endpoint Manager and automatically manage key escrow simplify these aspects of certificate lifecycle management.
Encryption may be required in industries where sensitive data is transmitted by email, such as financial services firms communicating personal financial data or healthcare companies communicating personal health information. It may also be required by corporate policy for specific types of internal or external communications to protect data confidentiality or intellectual property.
Best practices in S/MIME management suggest that when encryption is required, separate certificates be used for digital signatures and for encryption. The reason is that the key escrow encryption requires can compromise the non-repudiation property of a digitally signed email: once a copy of a signing key exists outside the user's control, the user is no longer the only party able to produce that signature. Companies can also decide whether their business needs require encryption at the individual user level or whether it is preferable to encrypt communications at an email gateway.
Digital trust architects can next consider whether they need to secure email within an organization or between organizations. If email communication stays within the corporate domain, IT professionals can use private S/MIME certificates chaining up to a private CA or private intermediate CA.
If companies are securing email sent outside corporate boundaries, then public S/MIME certificates must be used that chain up to a publicly trusted root, such as one operated by DigiCert. Companies can also consider setting up a dedicated public intermediate CA (ICA) branded with their organization name. The ICA chains up to the publicly trusted root, while the certificates it issues carry the organization's ICA branding.
Companies can also adopt other measures to combat phishing, such as implementing Domain-based Message Authentication, Reporting & Conformance (DMARC). DMARC is an email authentication, policy and reporting protocol that helps protect organizations against phishing that spoofs their domains.
Companies that have adopted DMARC can use Verified Mark Certificates (VMCs) to display a verified organization logo alongside their emails. A VMC attests that the company has implemented DMARC and that the logo being displayed is a registered trademark of the organization. Email messages with brand logos indicate that the sender has met the strong security and authentication requirements of DMARC and VMCs.
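What a receiving mail server actually evaluates when it applies DMARC, and what it looks for before it will show a VMC-backed logo, is easy to lose behind the acronyms. The following is an added example, not code from the article or from DigiCert: a small parser for the `tag=value;` syntax shared by DMARC and BIMI records, an identifier-alignment check in strict and relaxed modes, the policy fallback to `sp=` for subdomains, and a check that the domain is at DMARC enforcement, which BIMI-aware receivers require before considering a logo. Both records are constructed strings for the made-up domain example.test, so nothing is queried over the network; the organizational-domain helper approximates the Public Suffix List with the last two labels, which is an assumption that does not hold for names under suffixes such as co.uk.

```shell
#!/bin/sh
# Added example, not from the original article: a DMARC/BIMI record parser
# and the identifier-alignment check a receiving mail server performs.
# Records are constructed strings for example.test; in practice they come
# from the TXT records at _dmarc.<domain> and default._bimi.<domain>.

# Constructed records: DMARC at enforcement (p=reject), strict DKIM alignment,
# relaxed SPF alignment, and a BIMI record whose "a=" tag points at a VMC.
DMARC_RECORD='v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.test'
BIMI_RECORD='v=BIMI1; l=https://example.test/brand/logo.svg; a=https://example.test/brand/vmc.pem'

# tag_value RECORD TAG -> value of "TAG=value" in a "tag=value;" record, or empty
tag_value() {
    printf '%s\n' "$1" | tr ';' '\n' | tr -d ' \t' | sed -n "s/^$2=//p" | head -n 1
}

# org_domain HOST -> organizational domain. DMARC proper uses the Public
# Suffix List; this example approximates it with the last two labels
# (an assumption that is wrong for names under e.g. co.uk).
org_domain() {
    printf '%s\n' "$1" | awk -F. '{ if (NF < 2) print $0; else print $(NF-1) "." $NF }'
}

# aligned FROM_DOMAIN AUTH_DOMAIN MODE -> yes|no
# MODE "s" (strict) needs an exact match, "r" (relaxed) the same org domain.
aligned() {
    a_from=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    a_auth=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ "$3" = s ]; then
        [ "$a_from" = "$a_auth" ] && echo yes || echo no
    else
        [ "$(org_domain "$a_from")" = "$(org_domain "$a_auth")" ] && echo yes || echo no
    fi
}

# dmarc_result FROM_DOMAIN SPF_DOMAIN SPF_RESULT DKIM_DOMAIN DKIM_RESULT
#   -> "pass" when an authenticated identifier aligns with the From: domain,
#      otherwise the policy to apply (p=, or sp= for mail from a subdomain)
dmarc_result() {
    from=$1
    aspf=$(tag_value "$DMARC_RECORD" aspf);   [ -n "$aspf" ]  || aspf=r
    adkim=$(tag_value "$DMARC_RECORD" adkim); [ -n "$adkim" ] || adkim=r
    if [ "$3" = pass ] && [ "$(aligned "$from" "$2" "$aspf")" = yes ]; then
        echo pass; return 0
    fi
    if [ "$5" = pass ] && [ "$(aligned "$from" "$4" "$adkim")" = yes ]; then
        echo pass; return 0
    fi
    policy=$(tag_value "$DMARC_RECORD" p)
    if [ "$from" != "$(org_domain "$from")" ]; then
        sp=$(tag_value "$DMARC_RECORD" sp)
        if [ -n "$sp" ]; then policy=$sp; fi
    fi
    echo "$policy"
}

# bimi_status -> vmc | logo-only | none, judged from the BIMI record alone
bimi_status() {
    [ "$(tag_value "$BIMI_RECORD" v)" = BIMI1 ] || { echo none; return 0; }
    l=$(tag_value "$BIMI_RECORD" l)
    a=$(tag_value "$BIMI_RECORD" a)
    if [ -n "$l" ] && [ -n "$a" ]; then echo vmc
    elif [ -n "$l" ]; then echo logo-only
    else echo none
    fi
}

# bimi_eligible -> yes|no. Receivers only consider a logo when DMARC is at
# enforcement (p=quarantine or p=reject); pct= and sp= are ignored here.
bimi_eligible() {
    case "$(tag_value "$DMARC_RECORD" p)" in
        quarantine|reject) echo yes ;;
        *) echo no ;;
    esac
}

echo "policy=$(tag_value "$DMARC_RECORD" p) sp=$(tag_value "$DMARC_RECORD" sp)"
echo "SPF aligned from a bounce subdomain:   $(dmarc_result example.test bounce.example.test pass none fail)"
echo "DKIM d= mismatch under strict adkim:   $(dmarc_result example.test example.test fail mail.example.test pass)"
echo "unauthenticated mail from a subdomain: $(dmarc_result news.example.test attacker.test pass attacker.test pass)"
echo "BIMI: $(bimi_status), eligible=$(bimi_eligible)"
```

The last three calls show the three outcomes that matter operationally: a bounce subdomain passes under relaxed SPF alignment, a DKIM signature from a mail subdomain fails under strict `adkim=s` and so falls to `p=reject`, and unauthenticated mail claiming a subdomain receives the `sp=quarantine` policy rather than `p=`. A `bimi_status` of `vmc` only means the record declares an evidence document; the receiver still fetches and validates the certificate before displaying the logo.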
The presence of a brand logo increases consumer trust in the email and differentiates it from emails sent without a logo indicator. Some email clients, such as Apple Mail, go one step further and label VMC-backed messages as “digitally certified” in the message header.
Over time, the widespread adoption of VMCs can be another vehicle for enabling email recipients to easily distinguish digitally certified emails from business email imposters.
Brand logos displayed in the inbox are visual indicators that the sender has met the strong security and authentication requirements of DMARC and VMCs.
Finally, companies can look to their DNS service as another key component of their email trust initiatives. DNS traffic is a rich source of data that can be analyzed using machine learning to show what is and isn’t normal for a domain. Traffic anomaly detection can detect and predict suspicious or unusual activity, enabling IT professionals to thwart directed attacks.
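The baseline idea in the paragraph above, learning what is normal for a domain and flagging what is not, can be illustrated without any machine-learning tooling. The following is an added example, not code from the article or from DigiCert: it runs a small detector over constructed DNS query-log lines (timestamp, client, query name, response code) and scores each client on two crude statistics, the share of its queries that returned NXDOMAIN and the character entropy of the leftmost label it asked for. The thresholds are assumptions chosen for this sample; a production system derives them from the domain's own history, which is the part the article's "machine learning" stands in for.

```shell
#!/bin/sh
# Added example, not from the original article: a simple DNS query-log
# baseline that flags clients whose behaviour deviates from the norm.
# Log lines are constructed; fields are timestamp, client, qname, rcode.

DNS_LOG='2024-05-01T09:00:01 10.0.0.5 www.example.test NOERROR
2024-05-01T09:00:04 10.0.0.5 mail.example.test NOERROR
2024-05-01T09:00:09 10.0.0.5 login.example.test NOERROR
2024-05-01T09:00:15 10.0.0.5 wwww.example.test NXDOMAIN
2024-05-01T09:00:21 10.0.0.5 cdn.example.test NOERROR
2024-05-01T09:00:02 10.0.0.8 www.example.test NOERROR
2024-05-01T09:00:07 10.0.0.8 updates.example.test NOERROR
2024-05-01T09:00:12 10.0.0.8 calendar.example.test NOERROR
2024-05-01T09:00:30 10.0.0.8 intranet.example.test NOERROR
2024-05-01T09:00:03 10.0.0.77 q7x2k9fz3a1bm.cdn-sync.test NXDOMAIN
2024-05-01T09:00:03 10.0.0.77 h4v8nt6rp0wy5.cdn-sync.test NXDOMAIN
2024-05-01T09:00:04 10.0.0.77 z1c6ju0ke8wb9.cdn-sync.test NXDOMAIN
2024-05-01T09:00:04 10.0.0.77 m3s7qa2xd5nt8.cdn-sync.test NXDOMAIN
2024-05-01T09:00:05 10.0.0.77 p9l4rg1hv6yc2.cdn-sync.test NXDOMAIN
2024-05-01T09:00:05 10.0.0.77 t2w8bk5ue0jx7.cdn-sync.test NXDOMAIN'

# detect_anomalies: reads log lines on stdin, prints one line per client:
#   client queries nxdomain_ratio max_label_entropy verdict
detect_anomalies() {
    awk '
    # Shannon entropy in bits of string s; cnt is a local scratch array.
    function entropy(s,   i, ch, n, h, p, cnt) {
        n = length(s); split("", cnt)
        for (i = 1; i <= n; i++) { ch = substr(s, i, 1); cnt[ch]++ }
        h = 0
        for (ch in cnt) { p = cnt[ch] / n; h -= p * log(p) / log(2) }
        return h
    }
    {
        client = $2; name = $3; rcode = $4
        q[client]++
        if (rcode == "NXDOMAIN") nx[client]++
        # Random-looking leftmost labels are the usual tell of generated names.
        split(name, labels, ".")
        e = entropy(labels[1])
        if (e > maxe[client]) maxe[client] = e
    }
    END {
        for (c in q) {
            ratio = (c in nx ? nx[c] : 0) / q[c]
            # Thresholds are assumptions for this constructed sample; a real
            # deployment learns them from the domain history.
            verdict = ((ratio > 0.5 && q[c] >= 5) || maxe[c] > 3.5) ? "ANOMALY" : "ok"
            printf "%s %d %.2f %.2f %s\n", c, q[c], ratio, maxe[c], verdict
        }
    }' | sort
}

# verdict_for CLIENT -> the verdict column for one client
verdict_for() {
    printf '%s\n' "$DNS_LOG" | detect_anomalies | awk -v c="$1" '$1 == c { print $5 }'
}

printf '%s\n' "$DNS_LOG" | detect_anomalies
```

Only 10.0.0.77 is flagged: every one of its queries failed and the labels it asked for have an entropy above 3.5 bits, whereas the one typo from 10.0.0.5 stays well inside the baseline. Either statistic alone produces false positives on real traffic (CDN hostnames are long, misconfigured resolvers generate NXDOMAIN storms), which is why the two are combined here and why production detectors learn per-domain baselines instead of fixed cut-offs.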
With email attacks on the rise, corporate training programs may be insufficient by themselves to enable employees to adequately protect their organization’s confidential or sensitive data or their personal credentials. And with phishing strategies becoming more sophisticated, it can be increasingly difficult for consumers to know when they are interacting with a trusted brand or an email imposter. Implementing a strong foundation of digital trust in email communication can help prevent credentials, sensitive data, or financial compromise. That is where digital trust meets the real world.