Traditional cybersecurity measures aren’t effective anymore.
Hackers are always working on new ways to infiltrate a network. As they continue to get more and more sophisticated, even the White House can’t always detect them. IT security teams need to consider new frameworks to protect their networks.
The healthcare industry is a notorious target for cyberattacks, and traditional cybersecurity measures simply aren’t effective anymore. Zero Trust Security for email may well be the answer.
Zero Trust is a security framework that assumes that every person or device requesting access to a network is a potential threat. It is an emergent security strategy that requires a user to validate their identity multiple times before gaining access, and even then, the user doesn’t get full access to the network.
According to TechBeacon, COVID-19 is accelerating the adoption of the model since users are more likely to access sensitive information remotely.
No single technology is associated with Zero Trust. Instead, it’s a comprehensive framework that incorporates several different principles and technologies.
Here are the guiding principles behind Zero Trust Security:
According to Coveware’s most recent Q4 2020 report, email phishing overtook remote desktop protocol (RDP) compromises as the dominant attack vector last year. Deloitte’s research also finds that 91% of all cyberattacks begin with a phishing email. Even the recent massive Colonial Pipeline ransomware attack was most likely caused by an employee falling for a phishing email.
These days, bad actors are using American tech companies, such as Amazon SES, Sendinblue, and Mailgun, to send malicious emails. This puts malware out of reach of the early warning system run by the National Security Agency (NSA), because the agency is prohibited by law from conducting surveillance inside the United States.
In other words, we can no longer trust email sent from American hosting and infrastructure companies.
Nation-state threat actors are sending sophisticated email phishing campaigns that pass the following security checks:
Malicious emails pass these checks because the bad actors registered new email domains, sat on them for years so they did not raise any red flags, took the time to configure and maintain their accounts correctly, and then hid behind American companies inaccessible to the NSA.
Therefore, in order to keep up in the cybersecurity arms race, what’s needed is a Zero Trust Security framework for email.
As part of a Zero Trust framework for email, MFA can be reimagined as an authentication method not for a user, but for a machine.
Let’s say a mail server is attempting to send you an email. During the SMTP conversation between mail servers, the sender claims it is a part of Amazon’s SES platform, and your MX record host verifies that this is true because it passes the security checks outlined above.
However, with a Zero Trust for email paradigm, those checks aren’t good enough. One more piece of evidence is required to authenticate that the email is truly legitimate and not a phishing attack cloaked under the guise of Amazon’s email platform.
I believe this new piece of evidence should be unique to each customer and be updated based on usage over time. In other words, it must be very difficult for bad actors to impersonate.
This new approach will yield a unique form of MFA, an additional piece of evidence required to authenticate an email. It would be especially useful for healthcare providers that not only need extra security to send HIPAA-compliant email, but also must block incoming cyberattacks.