2019 has been touted as the “worst year on record” for data breaches, with the number of breaches already up by 54%, according to a new report by Cyber Risk Analytics.
Compromised email accounts account for 70% of stolen data, with passwords accounting for 64%. The majority of attacks targeted the business sector, and were initiated by malicious outsiders, who typically seek to exploit vulnerabilities in misconfigured databases and services.
So, what is it about business email accounts that make them irresistible to hackers?
Why Are Business Emails So Valuable?
Business email accounts contain a wealth of valuable data and can be used as a bridge to gain access to even more valuable data.
While your personal email account might be connected to many other services such as online banking, a hacker can’t simply access your online banking service by clicking on the “Forgot Password?” link. After all, online banking applications typically utilize advanced authentication protocols to keep them secure. A business account, on the other hand, may have access to valuable information that is not subject to the same levels of protection.
A hacker only needs to gain access to one email account to cause a lot of disruption to the business. Employees have a tendency to share lots of sensitive data via email, naively assuming that their credentials are secure, and that their colleagues are who they say they are. However, hackers often try to masquerade as a trusted employee in order to gain additional information, such as credentials to privileged accounts.
In some cases, the hackers won’t even attempt to use the accounts themselves, but instead sell the credentials on the black market.
What Can Businesses Do to Protect Their Email Accounts?
As always, prevention is better than a cure. Given that “misconfigured databases and services” were the main target for hackers, businesses will need to ensure that they have a patch management policy in place. They will need to ensure that they are not using any default passwords, and that they are adhering to the “principal of least privilege”, when it comes to assigning access rights. On top of this, administrators will need to analyze current permissions to mailboxes to ensure that they are notified when they change, why, and by who. It is also worth checking for vulnerabilities in any custom code, applications, workstations, routers, switches and firewalls.
In addition to ensuring that all systems are correctly configured, businesses will need a strong password policy in place, and ideally use multi-factor authentication where possible. Assuming the attacker was able to gain access to a legitimate set of credentials, it is important that employees are well trained when it comes to identifying suspicious behavior and are aware of the implications of sending sensitive data to the wrong recipient.
If an employee really needs to send sensitive data in an email, the data should be encrypted in transit.
While spam filters, anti-virus solutions and firewalls can protect you from unsolicited emails and detect some strains of malware, they can’t detect an email from a legitimate account that was compromised. In this case, it would be more effective to monitor access to privileged mailbox accounts and receive real-time alerts on any activity that doesn’t conform to typical usage patterns.
Finally, it strongly advised that all businesses have an incident response plan (IRP) in place. In fact, to comply with regulations such as the GDPR, an IRP is not optional.
If you’re looking for an easier way to monitor Exchange Server changes like configurations changes, permission changes and non-owner mailbox access etc., download free trial of LepideAuditor for Exchange Server today.