¶ Evolution of Email Security in 2024
From our headquarters in Oslo , Norway , and on behalf of our host , Robbie Perelta . Welcome to the Mnemonic Security Podcast . You are the weakest link .
Goodbye , a famous punchline that all the cool kids remember from that show in the early 2000s , but when I hear it these days , it kind of makes me think of some algorithm preventing a malicious email from landing in an inbox . It probably also means that I'm just not cool anymore , and even if we hate email , we got to use it .
And as I speak , thousands of people around the world are plotting and planning on how they're going to get you to click on something and enter your credentials . I'm pretty sure the advanced actors don't even need you to enter credentials these days , but that's another thing .
According to my LLM , Microsoft and Google handle 500 billion emails a day and have huge security teams to prevent bad stuff from happening in your inbox , but experience shows that you can't catch them all like Pokemon . So a modern approach to email security requires more than just prevention .
In fact , there's a lot of things to consider these days , so I invited a friend of ours to come and provide proof to their points around email security . Matt Cook , welcome to the podcast . Hey , how you doing ?
I'm doing lovely . How about yourself ? I'm doing very well . Thank you , sir . Very well indeed . I'm looking forward to the chat today .
Been looking forward to this for a while . I'm not sure what this is going to end up being . 115 , 116 episodes and , believe it or not , you're the first marketing person on the podcast .
So I'm going to count how many times you say AI . I actually can't believe that you've not ever had any marketing people , because I know that there's a lot of people out there like me that kind of hide marketing behind their job titles . Right , so I've been outed . That's how it goes .
And I'm just kidding , you've been a consultant pretty much your whole life , so that's a very interesting career path move .
My background is actually I was hands on IT . I used to run an IT team , I used to do a lot of the work myself , and then from there I kind of re-evolved through a whole bunch of different vendors , you know , before finding my way to Proofpoint .
And hey , I'm just giving you shit . I saw that you came from the technical side , so if you were just marketing your life , I wouldn't make that joke . I know no exactly , and also it'd be the pot calling the kettle black . I'm a sales guy working with marketing , so I'm probably the worst of anybody .
Oh yeah , well , there you go , we're both imposters .
Wolf in sheep clothing , right . But hey , as you know , we have a tendency in security to hop on the new and cool bandwagon , right .
So you know , these days one thing I hear a lot about in these walls or when a lot of stuff we're doing incident response on right is like Internet facing appliances , VPN gateways , and it's almost like if I hadn't been in security for nine years I would almost think that , like email security is kind of like over , like a thing in the past we solved that .
I would assume that's not the case .
That would be great if we did , though , wouldn't it Right ?
What's the status of email security in 2024 ?
Do you know ? It's constantly evolving . And you're right because you look at it from the outside and you think , hey , email security , that was done right . We used to buy an appliance and stick there and it used to do all that for us .
We filtered everything and then all of a sudden , we went cloud and we went I don't know , maybe most of us went Office 365 and your Google Workspace , whatever it happens to be , and they kind of did the email thing for us , and so we all thought that that problem was done .
Um , but the reality is it hasn't , because it's , if you think from a from a cyber criminals perspective , like the most
¶ Evolving Strategies in Email Security
The easiest thing for me is actually to get you to do bad stuff for me , right , because if I've got to sit there and try and exploit a zero day and try and hack into a system , whatever I've got to do , that involves a lot of work , and if I'm burning those zero days or burning the use of those vulnerabilities , that's a challenge that's really expensive for me .
What's really easy for me is to effectively be a grifter , is to turn around and try and con you into doing stuff , and that hasn't changed because that can scale right If I can get you to click on a link , if I can get you to give me information , if I can get you to send me money , then you know I'm achieving .
I'm out there , I'm winning as a cyber criminal , and so the way I communicate with you , well , it's ubiquitous , right , it's email . We've all been doing it , and so the job of the cyber criminal is actually just to evade those defenses .
And so the job of email security and email security as a platform , really , rather than just a single thinking of a single box , it's actually kind of much bigger than that . Now it's to try and stay ahead of that .
It's to try and spot some of those social engineering techniques , not just like , hey , it's a bit of malware , it's a virus , whatever it is , it's actually someone trying to trick you into doing something . That's a much harder equation to solve , for sure .
So email is still a threat vector that's increasing , or what do the numbers look like there ?
Yeah , I mean it is and you know . You only have to look at like all the standard reports .
I think Verizon came out was it a month or two ago with their data breach report About 76% of all incidents had some kind of human element involved in them , because , for the reasons that we just explained , right , you're the one that's being targeted rather than anyone else . It's not systems per se . It's just much easier to target you as an individual .
So those risks are kind of increasing . And then , similarly , you throw in the mix the types of risk . Clearly , if I compromise an account , that could easily lead to ransomware we know that's a big challenge , we don't need to kind of go and chew over that one again .
But business we call this thing in the industry business email compromise , which is more like this imposter fraud right , and me trying to trick you into sending money um , that is is massively on the rise . Unfortunately , that's one of the biggest areas where companies are losing money .
Um , because it's just simple social , social engineering and often actually involves , you know , accounts that have been taken over . So so I guess that those are the reasons . I guess that the market has evolved and everyone thought that actually what we had was good enough and actually now everyone's realizing , no , it isn't good enough anymore .
The market kind of evolved to saying , hey , we've got this package with , let's say , microsoft 365 or Google Workspace , includes email security , but we need something else .
And so the market said , well , okay , let's try and do this thing called post delivery protection , where you know we can bolt a product onto behind that technology and start looking at emails after they've arrived in inboxes and trying to work out what's good and bad .
Um , but , very quickly , I think the market evolved again and said , hey , actually that's still a problem , because that's that's actually too late If you think about , if you think about that like , like , if I want to send you an email and get you to say , to click on a link and give up your details through credential phishing or whatever , if that email's hit your inbox , I reckon I don't know , I feel like you're like an inbox zero kind of character , right , if it pops up , you click on it , you're there , right , and so that's how people work .
And so just relying on this post-delivery protection becomes a bit of an issue .
And I think yeah , that was again that was kind of brought out in some of the stats recently . I think it was again in the same Verizon report . They said that within 60 seconds , if you're likely to engage with a phish , you're likely to have done everything like given up your account details within 60 seconds of it arriving in your inbox .
Yeah , and then , in fact , our own research . We see that , like one in seven malicious URLs that land in the inbox get clicked within 60 seconds as well .
And so- . Maybe that's why they disabled links . I can't press a link on my phone , at least .
Well , that's probably one of the reasons . Yeah , and organizations look to do that in a different way .
I mean , some companies will just completely disable them , some will put into isolation , some will build in click time protection , but interestingly that then becomes a real key part of your overall I guess email security package , if you like .
So you start off with actually saying we can't just , we can't just let the bad stuff arrive in the inbox anymore and deal with it there . We now need to focus on what pre-delivery is . Let's keep more stuff , more bad stuff , away in the first place .
In other words , let's do a better job than that kind of good enough protection that we thought was good enough that's packaged in those productivity suites that we use . Let's put something up front that says actually stop all the bad stuff there . Then let's do something post-delivery , just in case .
But equally gives us the capability to remediate if something bad goes in . But we also need to build in click time protection for exactly the reason that you said , because you click on things on your phone because you click on things . On your laptop , you click on things . Yeah , it's just our nature , it's what we do .
So and I think you know , going back to your original point , how's the kind of the market evolved ? And that's how it has evolved .
It's evolved from just being , you know , one piece of technology to actually now being multiple stages of pre-delivery , post-delivery , click time protection , which covers the suite , I guess , if you like , and gives us that platform to protect your people , because that's what we're in the business of . It's not email security anymore , it's people protection .
Layered defense , yeah , cool . I know for a fact that one of my friends I asked him like , hey , what would you do if you didn't work in Mnemonic ? And he was like probably like a researcher , maybe somebody like Proofpoint was like , okay , wow , so they must be really good at what they do .
Nice , one of my colleagues here in Mnemonic that said that okay , uh , and obviously , please , no , you cannot have him , no no , no , he's awesome , no , but uh , that made me think , like , obviously they're good at threat intelligence , right , and I know that obviously , if you know , you must be collecting huge amounts of data .
Yeah , just a few words , I'm not even going to I don't even know how to phrase the question , but like threat intelligence for Proofpoint , what does that mean ?
Yeah , it means everything . Actually , we see billions of emails every single day . I mean the volume of business to business and business to consumer emails that we see on a daily basis is astonishingly huge . But that gives us all of that intelligence , right .
So a lot of our technology does also get put into some of the ISPs and some of the big platforms out there as well , in various different ways . And it is that breadth of visibility , the volume of messages that we see , and then what we do with that is you learn . You don't just learn hey , that's a bad IP address sending out a load of spam .
Yeah , that's one of the things you can learn . But , more importantly , you can start to learn behaviors and profiles and you start to understand . You know , there's a really , really good example , just recently actually , of an organization that was a retail company .
A retail company that sold essentially chairs , tables , that type of thing , and in order to sell them they had to deal with a company that made them right . The manufacturing company really small industry kind of , you know five , ten people , something along those sorts , uh , that sort of size made the furniture , gave it to the retailer . Retailer sold it .
Once a month someone in the furniture manufacturer sends an invoice to the retailer , someone in the manufacturer's account gets compromised .
Right , they got done with the phishing attack , the account , the account was taken and the sort of behaviors that you see right now is , you see , a cyber criminal is basically just going to sit there and look at the inbox and in fact , look at the outbox and look at the conversation threads and realize that once a month they send invoices and so when that thread happens , they jump on it and they hit reply all and it goes back through right , and so at that point the attacker's actually sending emails as if it were directly from that account , and so you're expecting it .
Everyone's comfortable with the conversation . It's completely normal .
The only thing that's not normal is the attacker's actually saying in the message hey , the bank account number's changed because we're having an audit at the moment . Can you send the money here instead ?
Now , if you look more closely , what they've also done is perhaps set the reply to address to be a domain externally , um , so that when the reply comes in , that conversation now happens to an external domain and it's not on the internal systems and it therefore evades detection . But what's essentially what's happening ?
There is an account , compromise has led to a what we call a business email compromise scam . Basically , you've lost a lot of money , right , your money's been sent to the wrong place . That's the type of challenge that people are dealing with . Now . How do you spot that becomes the real , real challenge for organizations . Because the message itself looks normal .
There's nothing different about it other than the bank account number changed . And so a lot of what we're doing is around that intelligence piece and understanding context to say , yeah , Matt and Rob email on a regular basis and yeah , occasionally they'll talk about invoices .
And yeah , actually , um , sometimes those numbers change . But this level of urgency being applied by Matt is unusual . And so maybe we'll put a little banner across your top of your message and say , hey , just pay a little bit more attention to this , because this is maybe a little bit unusual . You need to just look into the details .
Or , you know , maybe it turns out that actually we detect that Matt's account has been compromised . From that point , you know , we make that decision and say it really does look like it's been compromised .
But now when Matt starts to try and email that other retailer , the competitive retailer they've also got business with , they've already had a warning in advance , and so they can almost see that , actually , that that threat is going to come through , and so that they can take action to block it straight away .
So I guess the point is there's never , ever , just one thing , but what we're doing right now , and what that intelligence gives us , is the understanding of content and context to be able to make those decisions around those social engineering threats .
And I would assume that to be able to build that , you're doing like natural language processing , you're looking at , like the , you're using machine learning to like break down the sentence itself and say urgency , looking at all the different factors and those together make a banner come up .
Yeah , so you said you were going to talk about AI , but yes , yes , because that is exactly it . Right , yeah , it is . It's using essentially machine learning models . I mean , machine learning has been working within email security platforms for a long , long time already .
But what the benefits we've got right now is that we can take some of those large language models , that , because they're much more freely available and you know we work quite extensively with a few of them and we build some of them around and use others as well that helps us understand that context a bit better .
That helps us work out what is the intent here . Is this conversation typical ? Can we , can we get those indicators from it ? And ? And so , yeah , absolutely that helps us do that at scale .
¶ Dynamic Adaptive Controls for Email Security
And again , we're now able to sit in line and do that pre-delivery , and so if we can make these decisions actually are based on content and context as the email's coming through , then all of a sudden now we can stop a vast majority of these types of threats actually landing in the inbox .
And so , where the market you know previously had evolved to saying , hey , we need this post delivery thing looking at just for these business email compromise emails . Actually , that's not good enough .
Now we're doing that I use a marketing term at wire speed um on pre-delivery right Because the messages are coming through and that's kind of huge because that's , I guess , what the advances in AI have meant to us Cool .
So do you have lockdown mode on your phone , assuming you have an iPhone ?
No , I don't actually .
Okay , so one of the things about lockdown mode if Apple sees something new , they have so much control over their telemetry like oh that's new , block it . Or it goes to their like super , super shock or their IR team . Right yeah , does Proofpoint have something like that in place for emails , like stuff that you've ?
You know , you've never seen this and I guess it racks to the AI machine learning discussion .
Well , it kind of is . Yeah , and actually one of the best sources of telemetry is actually all the bad emails that we're seeing . Right , they're hitting your organization . Because that can tell us like who's targeting your organization right , which criminal gangs are kind of after you at the minute . What are the type of scams that we're seeing ?
What are the objectives ? Are you facing ransomware threats ? Is it business email compromise ?
But also it tells us who's going to and we can endow and now say , hey , Robbie is currently being targeted by a number of different criminal gangs with business email compromise threats , because they've worked out that actually he's not a salesperson like he said he was , he works in finance , he's got access to money .
Um , you know , he's got access to money , he's got privilege , and so we're going to target him with those scams .
Now , of course , we can start to see that in through the intelligence and based on that we can almost grade and score all the bad stuff that we're seeing and blocking and say , actually , that now gives us an indication to say , actually , Robbie is one of our very attacked people within the organization .
And very attacked doesn't necessarily mean just volume , it doesn't mean that , hey , you're getting tons of rubbish coming at you , coming your way . It means that really unique stuff as well , maybe just that one threat that was completely unique , we'd never seen it before . And so all of a sudden , your very attacked people score rate goes up .
The algorithm says , hey , you are now kind of pretty high at the top of the list , and what you've got there then is a list of essentially where your risk lies within the organization , because underneath that we can also take a view as to do you have access to money ? Do you have access to data ? What's your privilege look like ? Are you an admin ?
Those types of things . If we can factor that into the algorithm now we can say , okay , they're vulnerable , they're being attacked and they've got privileged . That is risk .
That's where we can kind of then center that risk in an organization , and in fact , one of the great , we've got this super cool thing called the Nexus People Risk Explorer , which is a Venn diagram of risk , and it shows those people that essentially present the most risk for the organization right now , right in the middle , and you can then apply better controls over that .
So you talked about lockdown mode on your phone . One of those controls could be hey , you're in the VAP list .
Well , we're going to now tell your authentication gateway that who's in that list automatically and so that you might be required to reauthenticate a couple of extra times during the day when you're logging into various different websites , rather than using cached credentials . Or maybe we apply that to isolation . You again , you talked about links on your phone .
Anyone in that VAP list will any link that gets sent to them right now . We're going to isolate that , so they've got click time protection on everything . Or perhaps we'll force all of their web traffic through isolation .
Um , and that's just just examples of some of the controls that you can kind of do , because that that actually it opens the door to pretty much anything , because that information that we can offer up through APIs and we can then hook that into your other reporting tools within your security ecosystem to say , yeah , here's where we think most of your risk is right now , at this moment , on this day , at this time , and it's always there and it's available for you and you can then utilize that how you need to .
So , yeah , those lockdown kind of we call them adaptive controls , I guess is kind of what we refer to them because it's dynamic , because the risk profile of the organization is always changing .
Very interesting . Tell me more about the very attacked people . I would assume , like you said , finance developers .
I would also assume , salespeople just because we're just clicking on shit .
True , I mean , quite often you tend to see a lot of VIPs in there , right , the important people in the company , the execs , more often than not because their name is out there , right , and everybody knows they've got privilege and stuff like that , so they will tend to float up there . But certainly you'll see a lot of finance in there .
You often will see a lot of HR in there as well , HR dealing with people , information , right , a good source of data that criminals are kind of after .
Um , but , as I say , it's quite dynamic and you'd be surprised how much it can change on a fairly regular basis , um , but when , once you factor in things like vulnerability and privilege as well , it does add a little bit of stability to that list , um , because you know . You then need to know if where to target your training .
You know , for example , another one of those adaptive controls might be hey , let's . You know , sales people are always clickers .
Let's make sure that that we keep them up to date with their , with their awareness training , that we feed them those little snippets every now and again , just to keep their knowledge levels up and their awareness levels up . So , yeah , and VAPs is um , it's an interesting concept . These are people that we currently think are imminent targets within our business .
I mean , this is what we're doing about it and these are the controls that we're putting in place , and it can be really powerful to help optimize the risk within an organization .
¶ The Platform Play in Cybersecurity
I got an email from my probably shouldn't be saying this , but I'm saying it anyway . I got an email from my salary department and they were like this can't be you , right , smiley face . And it was like you know .
Obviously it was from the super shady Gmail , but it was written in perfect Norwegian and it was asking my colleague to change my account number for my salary . Right , and she laughed because she was like it was written in Norwegian , that's obviously not you , perfect Norwegian . So I was like ow , but yes , that's not me , you know .
The good thing about that is your colleague immediately thought yeah , this is not right . But if you think about that from an attacker's perspective , if they can scale that , yeah , that's worth quite a lot of money . And again , those types of scams are incredibly annoying , but incredibly popular as well at the moment .
So the million dollar question I think one that everybody in this podcast would appreciate hearing is like why doesn't Microsoft just get their shit together and do what you're doing on their side , since they are like the default uh choice included in the package , right ?
Uh , yeah , I know that Microsoft has a big threat intelligence team that does a lot of the similar work that you guys are doing , right , of course . So why does Proofpoint exist ? Yeah , I don't mean that in a negative way .
No , absolutely . Yeah , I'll answer the question with a question why doesn't Microsoft get their shit together ? Absolutely ?
I mean , I like it that they don't , because actually it means that there's an ecosystem that can kind of focus on doing the right thing with protecting people and is not necessarily just focused on , you know , building that productivity suite , and I think that's kind of that's the balance is .
You've got , you know , I'm using it right now , right , Office 365 , using it every single day and it's awesome to a certain degree . There are things we don't all like in there , but there are things we love right , it works , it's ubiquitous .
So there are things in there , like , imagine , I stick a file on OneDrive and I decide , hey , Robbie , I need to send you the PowerPoint presentation , I'll just share it with you . On OneDrive , it's fine , you get the link . That kind of comes through .
There used to be a time in cybersecurity where you know you'd look at , you'd basically tell people when you get an email , hover over that link and if it looks legit , okay , click on it . If it looks a bit dodgy , don't do that .
You can't do that with OneDrive or a SharePoint link or anything like that these days , because there's these massive , great , big , long links and they're really hard to understand . Of course , attackers know that . Attackers know that we're all using Office 365 . They know it's ubiquitous . So what do they do ? Well , they abuse those technologies as well .
They actually launch their campaigns . They'll stand up a 365 tenant , they'll share malicious files in OneDrive , they'll use the tools that we're using against us and , of course , that then becomes incredibly hard for someone like Microsoft to be able to defend against , because essentially , the attackers are using their own platform to attack people on their own platform .
And so you get to a point where you actually need to look at security slightly differently and say , actually , are they best placed in order to defend our people ? And the answer for most organizations is often no , because actually there's huge value to be had in that whole .
Everything that we talked about and it's not just email security as being one product anymore , it's pre-delivery , it's post-delivery , it's click time protection , it's that complete story . It's also security awareness training . It's also how we integrate with all those other pieces of technology in your security stack .
It's all of that that now becomes , you know , effectively email security is now a platform , if you like , um , rather than one piece of technology and and that's something that you know organizations like Microsoft that are building those suites .
They don't necessarily get that , and I think that's part of the reason why , um , they , you know they do a good enough job to keep bad enough stuff away .
It's okay , but it's not stopping any of this , um , all the types of threats and things that we we talked about , and and organizations are not getting those values of understanding where their risk is and ultimately mitigating human risk with marketing terms . I said I'll try and pretend not to be a marketing person .
We call it human centric cybersecurity because that's ultimately what it is right . It's protecting people .
Yeah , they have this super complex environment now and I guess they're . If they were to get their shit together , you know Proofpoint would be struggling , CrowdStrike , all these other companies that we know and love , would be .
But would they ? I mean , I wrestle with this one because I think about that and I think actually would they if they really did , you know , if they really really did a really good job ?
Are we , as cybersecurity professionals , happy to put all of our eggs in one basket and say do you know what Microsoft to have everything and become now not only the platform that we use , but we're the platform to protect the platform that we use , and I don't know ? I think I see that . Yeah , I think that becomes a problem .
But we both can agree that people are gravitating towards a platform play now 100 ? Yeah , no 100 , but then your point stands , even more importantly , that you should use something else to secure if you're putting everything in the platform . Yeah , no absolutely .
I mean , you're a salesperson , right , you understand that at the minute people are looking at consolidation . They're saying , actually , can I reduce the number of vendors that I work with and and get actually these larger platforms in order to protect my organization ? And to a certain degree we see a lot of that happening with .
I guess SASE is kind of one industry where that's kind of happened , where you know zero trust is kind of combined into SASE and people are looking at hey , have I got one platform play there , Maybe on EDR ? You mentioned CrowdStrike , you know SentinelOne and all those other good vendors that are doing some great stuff on the endpoint .
That's almost a platform play there as well from an EDR or managed detection response , XDR type stuff . And then you've got what we've just described as human-centric cybersecurity as well , and I think that's the third platform .
They say identity is new perimeter . How does identity have a relation to human-centric security ?
It comes in a number of ways . So one is , account takeover is a real problem . The biggest source , I guess , of account takeover is usually credential phishing .
We see things like multi-factor authentication phishing kits being used , where we all thought that that token would prevent people taking our account over , but actually it doesn't see some of these reverse proxy phishing attacks . We're actually logging into the main websites and they're just stealing our session tokens and taking our accounts on from there .
So that's a problem . And so again we're hooking in via APIs into Microsoft and actually working out , say piecing it all together . Say phishing came in . We know Matt clicked on phishing link . After Matt clicked on phishing link , a rule was set up in Outlook that says redirect emails to this place or something along those lines .
Or maybe a login happened from this particular site or even another one , a third party or application . You know those plugins to Outlook that we love to use , like to schedule a meeting or to book a Zoom or whatever it happens to be . When those accounts , we see those apps kind of getting compromised and actually have permissions to the accounts as well .
So being able to monitor that all forms part of the human-centric story , because we need to control identity , and identity's at the center . And it actually then goes beyond that as well .
Because if you get to the point where you know , oh , my account's got compromised , I've got a small problem .
We now need to stop that small problem becoming a much bigger problem and the attacker ultimately is going to look to try and escalate privileges on the device , move laterally within the organization , before it then moves on to data , because it then finally gets into data loss . And you know , data loss also forms part of that whole human surgery piece as well .
¶ Importance of Email Authentication Standards
I want to come back to data loss , but I had a colleague . He told me that I had to ask you about . I keep forgetting what it was . It's probably because I don't understand it , but it's DMARC , DKIM , SPF , these things . What's happening in the world right now that makes those important ?
So these are email authentication standards , right , and what they allow us to do is to say , okay , that email that we've just received , it came from a place that we know it should have come from .
In other words , this isn't somebody trying to spoof and trying to send emails on our behalf from a domain . You know , is that a valid sender ? Has it come from a valid host ? We can check all of those things before we let that message appear in your inbox .
If those standards are in use and applied correctly . Yes , because that's another big part of it and they've been about for a little while actually .
Um , and to the point where a lot of governments actually around the world and kind of national security and cyber security agencies in governments turned around and said , hey , all our government , you have to be doing this . And some countries took that on board and some countries didn't , like Denmark , for example , did an awesome job .
I was just going to say Denmark did that yeah .
They did . I think it was like 2020 , maybe even slightly before that . They came out and said hey , government institutions , you need to actually start enforcing this because we want to take advantage of that and what it does it both .
Basically , you know , it prevents people from spoofing domains , it prevents emails looking like they've come from somewhere that they haven't , and so that's a cool thing . The problem was , uh , industry didn't really adopt that very much . Um , yeah , it didn't massively take off and it was , it was complicated or something . What's up with that ?
Yeah , it's , it can be a lot of . There's a perception of risk around it , right , if you're a big business and you send emails , the last thing you want to do is break email , cause if you break email , that's a problem , right , your phone is going to ring . That's an impact to the business .
In fact , we did some analysis back in January that looked at the Forbes Global 2000 . Right , so , largest 2000 organizations around the world . Only , I think it was more than one quarter of the Global 2000 , they ultimately hadn't deployed DMARC to the right levels , and so that was disappointing .
And so what happened was Google and Yahoo at the same time , and also Apple , although they did it kind of quietly came out with an announcement that said if you're going to send emails to people on our platforms , if you're going to send lots of emails to people on our platforms , you need to be using DMARC , you need to be authenticating your emails properly .
They said a few other things as well around that , and that gave a huge amount of organizations a kick out the backside to say we need to , we need to deploy it , and so there was this big rush to try and get it done , I think it was before April , before those platforms turned around and said we're going to start rejecting emails at that point .
And of course it'd be . If you think about it , if it's on Google , if it's on Yahoo , if it's on Apple , it's consumer . So it's really business to consumer type companies that we're talking about here . But they had to do it and they did right , which is great . That was really really good .
Now the knock-on impact has been now these companies can stand up and say hey , we've done this authentication piece in our business to business conversations , we now want you to do that authentication piece , because when you send me those emails with those invoices for those pieces of wooden furniture for me as the retailer to send , I want to be sure that those
emails are coming from your systems and they're not coming from anybody else . And so what we're starting to see now is organizations in their kind of supply and procurement contracts actually saying you need to do email authentication .
And so we're at a point where email authentication , and DMARC specifically , has become not just a nice to have , it's become an essential part of kind of doing business . And so that's the perceived problem . It's not a problem , but it is a perceived problem . Um .
It gives us that intelligence and ultimately it then feeds our overall picture as to what risk looks like for the business . Because now , in that same place of where you see all your people risk , you can actually see all the risk that's associated with your brand as well .
You know who's spoofing your brand out to the outside world , and it gives you that great visibility into that as well . So if you haven't done it , do it . Definitely look at it . In some cases it's a zero cost thing .
In other cases , you can work with companies like Proofpoint and others to help you do it without the risk , and it will make a huge difference to your risk profile . Not only just the messages that you're sending and the way your brand can be abused , but also how enforcing it on the inbound as well can make a big difference .
Who was that ? I forgot who said it . But like , don't be a digital asshole , fix your DMARC . Yeah , and we talk in security about doing the basics right .
We always talk about that , like people say oh , you know do the basics . Just make sure you're keeping your patches up to date , you know patching those vulnerabilities . Make sure you've got a firewall running , just to do all those basic things . I kind of feel like email authentication is one of those basics . Now , yeah , just don't be a doofus , do DMARC .
Architecture recommendations that you typically give your clients . What does that look like these days ?
I think the vast majority of clients that we talk to , most of them are probably using Office 365 , unless they've got some kind of reason that they can't , that maybe they're running their own mail servers on premise or whatever it happens to be for confidentiality jurisdiction , whatever that happens to be .
What we tend to talk about when we're talking about architecture is we talk that overall story of that pre-delivery , basically the journey of an email . Right , it's like what happens before it comes in , what happens once it's in , what happens when it's been sat on the inbox and someone's interacted with it .
So that pre-delivery , post-delivery , click time , and so for us , when we talk about email security as a platform , we do talk about those kind of three steps and making sure that you've got all those three steps covered in your security architecture , rather than just one of them , which seems to be the most popular , you know , with a lot of organizations , which is
that they just rely on post-delivery , which is for those reasons we talked about earlier that you know people interact too quickly with emails . It seems mad . So definitely you know that thinking about the journey , the life cycle of an email and making sure that you're covering all the bases is kind of key in that architecture flow , I guess .
All right . So we've talked about AI , threat intelligence . Combine those two . What's the future of email security look like ? I would assume it's something to do with those two .
Yeah , I think you're right . We don't know how the attacks are going to evolve , but we've kind of got a good feel for what those techniques look like . We also know that , actually , that probably the hardest attacks to stop are the ones that are just the words . If it's something malicious in there , it's easy . We say it's easy but you know we can find it .
So we need to work out how you know how attackers are getting creative and we need to stay ahead of that . But we also need to think about you know what happens after the fact , what happens after bang , and often it's around data loss . We talked about email security as a platform .
We talked about human-centric security ultimately being that platform . Data loss forms a big part of that and I think that's a lot of where the future is going . Working out , actually , does Matt regularly email Robbie ? And if I was , maybe do I regularly email you invoices ? Do I regularly email you attachments with lots of customer information in ?
Did I try and send you that email by mistake ? Because we have all done this thing where you've tried to send an email to Matt , you've typed Matt in and it ended up going to the different Matt , the wrong Matt . That happens all the time .
Or you put the wrong attachment on the email and you send the whole file instead of the subset of the data that you wanted to share , and so , where that falls now under the banner of email security , picking that up and say , actually did you mean to send that to Matt , because normally you send it to the other Matt , and like maybe you should just change that .
So they'll stop it at one . Yeah , exactly so . We stop it when you send it , because it's a problem for everyone . We've all done that misdirected email and in fact here in the UK we have the Information Commissioner's Office , right .
So if anyone has a data breach or anything like that , they have to report it to the Information Commissioner . That's the kind of setup here , and they put a report together every quarter . That says you know how do people lose data ? And every quarter at the top of the list is misdirected email . It's again . It goes back to being a human problem .
It goes back to being a human-centric problem . It's like I mean , it's not a problem , it's just . It's just the way the technology is built . It allows us to send things to the wrong place . It shouldn't do that . Also , what that has the added benefit of is hey , Robbie , you're leaving the company right now .
You've just emailed the company's contact database out to your Gmail account , being able to stop those types of exfils as well . Did you really mean to do that ? And that helps us kind of understand the overall picture and protect against the simplest and most common form of data loss , which is misdirected email .
Mr Cook , do you have any closing thoughts ?
I would just implore people to take a look , just to rethink email security . It isn't one piece of technology anymore , it is human-centric security and to actually almost use human-centric as the lens that they look through when they're examining their security operation .
Well , human-centric security . Talk to Proofpoint . Awesome . And Mnemonic , hopefully . Thank you so much , Mr Cook . Cool . Thank you , sir , have a great summer and we'll talk soon . Awesome , thank you . Well , that's all for today , folks . Thank you for tuning in to the Mnemonic Security Podcast .
If you have any concepts or ideas that you'd like us to discuss on future episodes , please feel free to hit me up on LinkedIn or to send us a mail to podcast at mnemonicnet . Thank you for listening and we'll see you next time .
