5 Ways For Housing Associations to Level Up M365 Email Security

Tony MasonCyber Security, Data Protection, Email Security, Microsoft 365 Security, Security Awareness & Phishing

The newly published Email Security Risk Report reveals that 99% of Cybersecurity leaders are stressed about email security.  Plus 93% of organisations experiencing security incidents in the last 12 months.  It is easy to see why.

For housing associations, the risk email poses to sensitive data is pervasive. They operate a complex infrastructure environment, and need to ensure employees are appropriately and effectively protected.  This includes whether they are working in the office, in the field, or at home.

Housing associations are a prime target for phishing attacks, with this risk continuing to grow year on year. Cybercriminals not only want access to housing associations’ systems and data. They also want to use compromised mailboxes to launch further phishing attacks that target the wider supply chain.

Additionally, high volumes of emails are sent and received by a central core of employees who need to communicate with tenants and suppliers who are spread out across the region. This significantly increases the surface area for human error and accidental data loss.

In this blog, we look at five ways housing associations can reduce their email security risks. This includes detecting and preventing inbound threats and outbound data loss in Microsoft 365, while improving employees’ security behaviour.

1. Treat inbound and outbound email security as two parts of a single problem

71% of Cybersecurity leaders consider inbound and outbound email security to be a single problem they need to solve.

Credential harvesting is one of the primary motivations behind phishing attacks. Analysis of platform data provided by our partner Egress reveals that for a housing association of approximately 1,200 employees:

  • 18% of phishing emails contained malicious hyperlinks as their payloads, a common tactic to harvest credentials
  • 29% of attacks targeting the organisation were sent from compromised legitimate email addresses, including supply chain accounts

Research also shows that 85% of account takeover attacks start with a phishing email. Consequently, there is a perpetual cycle where an inbound phishing attack leads to compromised accounts used in outbound attacks.

Additionally, treating email security holistically by preventing inbound and outbound threats once and together enables housing associations to provide a streamlined experience for both employees and administrators. End-users benefit from one consistent experience. Plus they receive ongoing education across a broad spectrum of threats (see below for more on real-time teachable moments). At the same time, administrators can benefit from analytics insights from across their environment. Gathering all threats within a single console in a way that enables them to prioritise and manage their responses.

2. Understand the risks in your environment

As the Email Security Risk Report shows, despite implementing native security controls in Microsoft 365 and secure email gateways (SEGs), threats continue to get through.

Cybercriminals are aware that the signature-based detection used in these technologies is effective in identifying known threats.  So they continue to innovate. This includes zero-day and emerging attacks, that are not identified for the signature-based detection to pick up on. As well as increasing the use of social engineering so there is not a payload to detect. Additionally, attacks sent from legitimate but compromised accounts can also bypass this detection.

Platform data from Egress reveals that for the housing association of ca 1,200 employees, 38% of the phishing attacks targeting their organisation in a 40-day period got through their existing Microsoft 365 defences.

On the outbound, static rules cannot scale to accommodate the flexible way housing associations need to use email to communicate. Therefore, they have limitations in their effectiveness to prevent security incidents caused by human error. (E.g. adding the wrong recipient or attaching the wrong file, or forgetting to use Bcc). As well as intentional data exfiltration. (Which can happen both maliciously and with the best of intentions. For example, sending data to a personal device to work on or print at home).

Platform data from Egress analysing the emails sent from a housing association of approximately 600 employees highlighted that 94% of incidents detected were caused by human error and data loss prevention (DLP) policy violations.  While only 2% of incidents involved malicious exfiltration (data taken over a 60-day period).

As a result of these risks, housing associations need to examine and invest in technology that can fill the gaps in email security.

3. Understand the intelligent email security can detect advanced threats

The email security market has innovated to fill these gaps. New integrated cloud email security (ICES) solutions have come to market that use AI technologies to detect advanced email security threats.

The solutions use techniques such as natural language processing (NLP) and natural language understanding (NLU) combined with other detection methodologies.  They identify and neutralise advanced phishing attacks. These include business email compromise and impersonation attacks, invoice and payment fraud, attacks that rely on social engineering, and those sent from compromised supply chain accounts.

For outbound detection, solutions combine machine learning with social graph technology to deeply understand how each individual employee uses email and to identify abnormal behaviour. As a result, these solutions are highly scalable and reduce end-user friction by only prompting when a genuine risk is detected. Such as an incorrect recipient being added to an email or the wrong document being attached.

4. Use real-time teachable moments to ‘nudge’ employees away from risk and change behaviour for the long term

Newer, intelligent solutions can provide real-time warning to end-users at the moment when they need it most – as a risk is detected.

Phishing emails can be neutralised by the software and delivered with warning banners into the inbox. The employee cannot interact with dangerous content but is provided with clear explanations of the risk that has been detected using real phishing attacks as examples.  

On the outbound, only prompting end-users when genuine risk is detected and with a clear explanation of why they have made a mistake (rather than a static prompt that is triggered for every email without changing its message) adds value to their day-to-day lives, without creating friction.

This approach for both inbound and outbound real-time teachable moments is proven to be more effective than static, unchanging warnings.  Plus it augments security awareness and training (SA&T) programmes through ongoing education.

5. Reduce the burden on administrators

As mentioned above, a holistic approach to inbound and outbound email security enables administrators to gain a single view of the risks in their environment.  They can therefore act more effectively. Additionally, when introducing technologies to your organisation, ensure they do not create layers of administrative complexity. This includes reducing the number of solutions that quarantine emails for administrators to review.  While also use self-learning technology to prevent data loss versus maintaining sprawling libraries for static rules.

Ready to level up your email security?

The S3 team would be delighted to meet with you to discuss your current email environment and technology stack, and the risks to your organisation. Get in touch today to book your no-strings-attached discussion: 01628 362 784, sales@s3-uk.com.