An HR manager receives an email seemingly from an employee who has opened a new bank account. Could she please update the employee’s direct deposit details before the next payday? On a second look, the HR manager realizes the email is a fraud—the sender address doesn’t match the employee’s address. A bad situation averted.
Business email compromise (BEC) and phishing attacks are all too common. The Blackpoint Active-SOC saw over 42,000 BEC attacks in 2023, representing a 210% surge from 2022. And the FBI’s Internet Crime Complaint Center reports that businesses lost a staggering $2.9 billion to BEC scams in 2023.
You might think that in 2024 the number one attack vector would be something more advanced. But Zachary Sherf, Director of CyberSecurity at Lyra Technology Group, says email’s vulnerability lies in users’ comfort with the platform.
“The ultimate threat vector is the human layer. And email has existed so long that it’s built up a level of trust and familiarity that doesn’t exist in other parts of the business,” Sherf says.
That’s why BEC should be a primary consideration when curating the security stack to best protect your clients. But there are prevalent misconceptions surrounding email security, so let’s debunk some of them.
1. Every employee needs an email account.
An employee joins a company, and it’s taken for granted that they’ll get an email address along with some company swag. But Mike Estep, chief client officer at Blackpoint and former MSP business owner, says managed service providers (MSPs) should help clients think outside the box and consider if email is needed for every role.
“In my former MSP life, we served a large primary care physician, and we had a whole conversation around does everybody in the business need email—they had this great electronic medical record (EMR) platform that allowed people to communicate,” he says.
With Teams, Slack, and other channels available, email may only be needed for external-facing roles. Reassessing email usage is one way businesses can minimize their attack surface.
2. We need a different shiny tool for each email security function.
While having best-of-breed security tools is important, there are downsides to fixating on the newest shiny tool to come along. This can result in too many point solutions and vendors to manage, as well as a bloated stack that’s difficult to maintain and sell. What’s more, each additional vendor introduces a new attack surface that increases risk.
That’s why vendor consolidation and integration should be a priority, especially as your MSP business matures and scales. New solutions should be considered in the context of the whole stack, balancing the need for additional security layers against the needs of the client and the net benefit they provide. An example is with email filtering—some MSPs may opt to use a third-party email gateway, while others may decide to use Microsoft’s capabilities in conjunction with an API-driven filter, to maximize uptime.
“As technologists, we want shiny,” says Sherf. “We want to say hey, you’re gonna get this best-in-class email security thing. But if you can’t articulate the value or if the email filtering platform isn’t properly configured, there’s more opportunity in using some of the built-in things (in Microsoft 365).”
3. Employees nowadays know how to use email securely.
People join your company with varying levels of experience and knowledge, so never assume that all your employees already understand security practices that seem basic, like not clicking links from unknown senders. Estep advises business owners to continually educate and remind employees about email security best practices to stop phishing and BEC threats.
“MSPs should also help their clients do the same,” Sherf says. He has had clients ask him to join company all-hands meetings to share IT and security guidance and tips. “Not only does it help clients create a culture of security, it’s good for business,” he says.
“One of your biggest opportunities as an MSP to increase stickiness is to be a part of the existing company culture, and all-hands meetings are a great way to do that,” Sherf says.
4. Email security awareness training is about not clicking bad links.
Conventional wisdom says try your best to make sure users never click malicious links. But Sherf says if that’s the only message you convey to users, they can be deterred from reporting when they make a mistake—which you need to know about, so your team can minimize any potential fallout.
To avoid a stigma that would stop someone from reporting, MSPs should encourage self-reporting of phishing incidents by using positive reinforcement.
“Show them the value of reporting…‘Hey, somebody reported a phishing link. If they hadn’t reported it, here’s what could have happened,’” Sherf says. “I’d rather reward them for clicking on it. I’d rather have a hundred users who click on a compromised link and report it, than ten users who click on that link and don’t report it at all.”
5. If we’re running Microsoft or Google cloud email, we’re good.
While cloud providers offer robust security features, MSPs may unwittingly expose their clients to risks by running outdated SKUs like Office 365 that lack the robust security features of Microsoft 365 Business Premium, Estep says.
Even with these more robust offerings, relying on their out-of-the-box configurations leaves holes. Configuring email filters and features like Safe Links, external email tagging, and DKIM and DMARC—and then updating those configurations on a regular basis—is imperative. Leveraging a third pair of eyes to monitor and defend cloud environments is also an important way to protect against email threats.
In addition, it’s critical for MSPs to thoroughly audit and lock down security baselines when taking over new client tenants. Don’t assume previous providers or internal IT teams had everything set up properly—treat it as a fresh tenant implementation.
As Sherf points out, this also represents billing potential: “There’s a revenue opportunity to go in and audit those things to make sure that you’re implementing a secure baseline.”
6. There’s no need to advise our clients, as they already know their security gaps.
As your clients’ IT provider, you’re the expert—and they want and need your advice, just as you expect advice when you see your medical provider, Sherf says.
“If you eat Five Guys every day for lunch, a double cheeseburger with bacon every day…and then you go to the cardiologist and they tell you don’t do anything, you’re totally fine, everything’s healthy, without even barely looking at you, you’re going to raise an eyebrow,” he says. “You’re gonna be like, ‘I’ve eaten Five Guys every day for a year. There’s no way there’s not something I should be doing.’”
In the same way, Sherf says, clients often already have an inkling when they’re doing things insecurely—like sharing passwords over email—and they’re expecting to hear your feedback and expertise. Adopting this consultative approach also drives greater value for your clients versus them being left to figure things out for themselves.
7. If we have the right technologies and training, our email defenses are covered.
While security awareness training and robust email security tools like email filtering, multifactor authentication, and cloud protection are important components, there’s a last step that is frequently overlooked. Estep says companies should consider implementing a formal policy around financial transactions when wire transfers are requested over email.
Policies such as no wire transfers based on an email request, requiring multiple people to sign off on a wire transfer, or working with your financial institution to require bank manager approval for a bank transfer are final security layers that create a last line of defense, even if an initial attack slips through email filters.
Ditch the Myths, Fortify Your Clients
As MSPs navigate the evolving threat landscape, it’s time to kick these myths and misconceptions to the curb. Instead, adopt a mindset of tailoring your email security approach to your clients’ unique needs and risk profiles. By adopting a consultative approach, integrating best-of-breed solutions, and prioritizing continuous education, you can strengthen your clients against business email compromise and phishing.
To hear more insights from Zachary Sherf and Mike Estep, tune in to our on-demand webinar, The Ideal Security Stack for Beating Business Email Compromise.