Updated: Jun 24, 2024

Reducing insider risk through email monitoring


When collaboration and messaging software such as Slack and Microsoft Teams took the world by storm years ago, they were touted as “email killers”. Yet here we are in 2020, and email remains a ubiquitous channel that businesses use to communicate externally with customers, vendors, partners, and other organizations. This, in turn, makes it a high-risk channel for loss of sensitive data and non-compliance by insiders.

The insider risk posed by this channel remains significant enough that the CERT division of Carnegie Mellon University in the United States, a leader in Insider Threat studies and management programs, recommends the following risk mitigation measures in relation to email use:

  • Alerting administrators to emails with unusually large attachments.
  • Tracking or preventing emailing, printing, copying, or downloading of certain information, such as PII or documents containing certain words such as new-product codenames.
  • Preventing or detecting emails to competitors, to governments and organizations outside the United States, or to webmail like personal Gmail or Hotmail accounts.

With this in mind, version 9 of our solution takes a significant leap forward in bolstering our data protection capabilities with the inclusion of support for monitoring Windows users’ Microsoft Outlook email activity. Our newly released Agent (which runs on and monitors events on end-user systems) monitors and takes action on email activity, while new policies define which activities should raise alerts and/or trigger an action. For example, policies can detect emails containing PII. Security operators are alerted to risky or non-compliant use of email by employees, with the option of real-time blocking of such activity if it is deemed high risk. Combined with contextual information on the user’s activity before and after the email event that raised the alert, this provides a powerful way of understanding what actually happened and the intent behind it. Did an employee copy confidential files from a network share, zip them, and send them to a competitor organization? Or was it a case of sending a file she was working on to her personal email to finish up work over the weekend? Does this employee often send work docs to their personal email? This context of user application, file, web and network activity cannot be gained by looking solely at email logs or at dedicated email monitoring solutions.

So, what kind of email monitoring capabilities do we have and how can they help? We monitor inbound and outbound email activity and provide policies that can be configured to monitor the following:

  • Email header fields:
    • To
    • From
    • Cc
    • Bcc
  • Email subject content
  • Email body content
  • Email attachment content and size

Email policies can apply optional blocking, blacklisting, or whitelisting to email header fields. Additionally, content inspection of the body or attachments can be used to audit and manage how confidential information is emailed outside of the organization. For example, is confidential information being emailed to foreign government agencies or competitors? Are documents with confidential project names being emailed outside of the organization? Are employees non-compliant with Acceptable Use Policies (AUP) around email and the handling of sensitive information? Are emails being received from known spam or phishing domains? By using our solution both to alert security operators to indicators of risk and non-compliance and to provide in situ awareness and training to employees as necessary, you can significantly reduce insider risk. Integrating detection technology with compliance enforcement and process improvement in one flow makes it easy to adopt different measures according to the situation.


For instance, in the Verizon Wireless Insider Threat Report of 2019, a whopping 73.4% of data breaches were found to be caused by privilege abuse, i.e., using existing logical access in an unauthorized manner. Into this category would fall an employee who emails sensitive company documents to her personal email before going on vacation, intending to complete a project during her time off. Although not malicious, this increases the company’s risk exposure in a couple of different ways. The personal email account could be sitting on a server in a different location, breaching GDPR and other regulations. The account could be accessed from a personal laptop and the sensitive files downloaded to that laptop. The laptop could then be lost, stolen, or hacked into, furthering the risk of data loss and associated financial and reputational damage.

In such a situation, providing users with in situ awareness and training will go a long way in reducing the risk of exposure. By adapting email monitoring policies to detect emails sent to personal or webmail accounts and simultaneously warning users of the risks of privilege abuse at the time of the incident, users can be gradually trained to adhere to the company policies in place. In the above example, the employee may not have remembered company guidelines around email. An employee may not think that anyone is watching, or she could have intentionally violated those guidelines, preferring the flexibility of getting work done at home in spite of the security risk posed by such an action. A reminder of company Acceptable Use Policies at the time of non-compliance acts as a deterrent to further such activity and helps keep corporate information within the bounds of acceptable risk defined by corporate security measures.

In other cases, the intent could be malicious: an employee could send company IP to their personal email before leaving the organization, or a disgruntled employee could exfiltrate information to external third parties. Our policies look for predefined and custom-configured sensitive content within attachments and the body of an email. Policies can alert administrators to threats even if users try to keep their actions under the radar by bcc’ing unauthorized recipients. In such situations, depending on the sensitivity of the content being sent and on the recipients, implementing more stringent measures that prevent the email from being sent might be a better approach than just warning the user responsible.
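As an added illustration (example code written for this post, not Next DLP's Agent or policy format) of the policy checks described above, the following evaluates one outbound message against the header, content and attachment rules listed earlier: webmail and blocked recipient domains, a PII pattern, a product codename, and attachment size, with Bcc recipients checked alongside To and Cc so a hidden recipient cannot slip past. The domains, codename and the sample message are constructed values, and the severity ordering (warn, alert, block) is an assumption.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed policy values (assumed for this example, not Next DLP's policy format).
WEBMAIL_DOMAINS = {"gmail.com", "hotmail.com"}
BLOCKED_DOMAINS = {"competitor.example"}
CODENAMES = {"project falcon"}  # new-product codename, per the CERT guidance above
MAX_ATTACHMENT_BYTES = 10 * 1024 * 1024
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # simple PII pattern (US SSN shape)

def recipient_addresses(msg: EmailMessage) -> list[tuple[str, str]]:
    """(field, address) pairs from To, Cc and Bcc, so bcc'd recipients are not hidden."""
    return [(field, addr.lower()) for field in ("To", "Cc", "Bcc")
            for _, addr in getaddresses(msg.get_all(field, [])) if addr]

def evaluate(msg: EmailMessage) -> dict:
    """Check one outbound message against the policy; return the action and findings."""
    findings = []
    for field, addr in recipient_addresses(msg):
        domain = addr.rsplit("@", 1)[-1]
        if domain in BLOCKED_DOMAINS:
            findings.append(("block", f"{field} recipient {addr} is on the block list"))
        elif domain in WEBMAIL_DOMAINS:
            findings.append(("warn", f"{field} recipient {addr} is a personal webmail account"))
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()
    for att in msg.iter_attachments():
        data = att.get_payload(decode=True) or b""
        if len(data) > MAX_ATTACHMENT_BYTES:
            findings.append(("alert", f"attachment {att.get_filename()} is {len(data)} bytes"))
        if att.get_content_maintype() == "text":  # inspect text attachments inline
            text += "\n" + data.decode("utf-8", "replace").lower()
    if SSN_RE.search(text):
        findings.append(("block", "PII pattern found in subject, body or attachment"))
    findings += [("alert", f"codename '{n}' found in content") for n in CODENAMES if n in text]
    severity = {"block": 3, "alert": 2, "warn": 1}  # assumed ordering; block wins
    action = max((f[0] for f in findings), key=severity.get, default="allow")
    return {"action": action, "findings": [f[1] for f in findings]}

def sample_message() -> EmailMessage:
    """Constructed sample: work notes to a personal account, with a hidden Bcc to a competitor."""
    msg = EmailMessage()
    for field, value in {"From": "alice@corp.example", "To": "alice.personal@gmail.com",
                         "Bcc": "recruiter@competitor.example", "Subject": "Project Falcon notes"}.items():
        msg[field] = value
    msg.set_content("Finishing this over the weekend.")
    msg.add_attachment(b"customer ssn 123-45-6789", maintype="text", subtype="plain", filename="notes.txt")
    return msg
```

For the sample message the result is a block with four findings: the webmail recipient, the bcc'd competitor domain, the PII pattern in the attachment, and the codename in the subject.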

With these enhanced capabilities, we further reduce the data loss risk surface by supporting organizations’ people and processes with great technology.

This post was originally published in May 2020 and has been updated for comprehensiveness.

Frequently asked questions

What is insider risk in the context of email?

For email security, an insider risk happens when someone misuses access to email systems to exfiltrate or leak sensitive information. Insider risks can be either malicious or accidental. 

Email is one of the most common attack surfaces, so it’s critical for organizations to manage both accidental and intentional insider risks through email. 

Why is email still a high-risk channel for data loss?

Despite the popularity of chat tools like Slack and Microsoft Teams, professionals still rely on email to do their work. Since email is an externally facing technology where employees communicate with customers, vendors, and partners, it presents a significant data loss and non-compliance risk. 

How can organizations mitigate email insider risks? 

Security settings through platforms like Next DLP can automatically enforce rules that prevent exfiltration and notify administrators about potential risks. Organizations can also: 

  • Set up alerts for emails with large attachments
  • Track or prevent the sending of sensitive information
  • Detect or block emails sent to competitors, foreign entities, or personal email accounts

How does a monitoring solution improve email security? 

Employee training is incredibly helpful in improving email security, but inattentive employees will miss clear security risks. Organizations can ensure safety and compliance at scale by setting up a monitoring solution in addition to training initiatives. 

Every monitoring solution is customizable, but common monitoring capabilities include:

  • Monitoring email activity on Microsoft Outlook
  • Defining policies for detecting risky behavior
  • Logging contextual information on user activities before and after email events
  • Alerting IT about non-compliant actions
  • Blocking high-risk activities in real time
  • Creating in situ training, which provides real-time alerts and reminds users about company policies

What are some scenarios where more stringent measures than user warnings might be necessary?

Overly stringent email practices can hinder employee productivity, but they might be necessary in some situations. For example, if sensitive company IP or data is being sent to unauthorized recipients, particularly if malicious intent is suspected, it might be necessary to block the email entirely rather than just warn the user.
