The standard advice is never to click on a link in email. Anti-phishing security software will spot most attacks. Also, password manager software helps create strong passwords and means we don’t need to reuse our favourite combinations, making credential-stealing attacks less dangerous.
While the increase in email attacks is mostly due to the use the basic social engineering strategies designed to make already anxious people feel worse, more sophisticated attacks are also on the rise. Traditional security defences that block emails do it by keeping a list of fake domains and automatically comparing the links in incoming email, explains Dan Fein, director of email security products at Darktrace.
But with the price of domains at almost nothing, attackers are increasingly registering thousands of new ones that security software will not block. Partly as a result, spear phishing – in which cyber attackers go after small numbers of high-value targets – is also on the increase. “We’re starting to see domains being used in email attacks a single time,” he says. “New types of attack will skirt your legacy defences.”
Some spear phishing attacks don’t even contain a link in the first message. Instead they use information collected form corporate web sites, LinkedIn or other public sources to create a convincing email from a “colleague”, or a fake business partner, and establish an email dialogue.
Security providers like Darktrace counter these threats using machine learning to train its software to ask: “Does this email seem to belong?” The software then either holds back the email or delivers it with a warning.
Trust no one
A radical but effective security technique is called ‘zero trust’. It does exactly what it promises: trusts no one, no device and no connection.
Traditional security is built on the idea of a perimeter of trust, explains Mike Wronski, director of product marketing at IT management specialist Nutanix. Access to the company network is surrounded by a firewall. Inside it, every device is trusted according to company policy.
For the post-pandemic workforce, there is no equivalent perimeter. This may make it easier for attackers who have gained access from a remote user to move around inside the company network.
Zero trust implements thousands of tiny firewalls whenever there is traffic from any device to any other, denying access unless it knows that this is a legitimate request. This is clearly extremely secure, but critics point out that building large-scale zero trust infrastructure may be difficult and expensive. And few businesses have a lot of time or money at the moment.
One solution, Wronski says, may be to treat zero trust as a journey, and build zero trust one application or resource at a time, targeting the most vulnerable or highest-value targets.
Balance security with accessibility
One of the most trivial but most important ways security is breached when we work remotely is users turning off complicated or tricky access controls. BlackBerry Cylance (yes, that Blackberry – the original smartphone maker reborn as a mobile security specialist) aims to deliver zero-trust access that users hardly notice.
“A lot of security technologies are reactive,” says engineer James Alderman from BlackBerry Cylance. “We aim to be predictive.” The application uses passive biometrics: it learns how you type, or the distinctive angle at which you hold a phone or swipe a screen. It also checks if the location of your device makes sense, or the time of day you seem to be working. If the application is unsure, it asks for an additional password. If something seems seriously wrong, it locks you out. But if everything checks out, access is quick and easy.
The lesson is that security is often improved if it is easy to use – and implementing some smart biometrics can encourage good habits without impeding productivity.