Why Secure Email Gateways Fall Short

Secure email gateways (SEGs) have been around for more than a decade. They are one of the most common types of email security solutions deployed on the perimeter to protect incoming and outgoing mail and to keep spam, phishing and other email-borne malware out of inboxes. However, studies show that millions of phishing emails bypass these gateways, which raises the question of whether SEG protection is still relevant.

Where Secure Email Gateways Fall Short

Although SEGs have evolved their detection capabilities over time, there are still a number of reasons why this technology can fall short.

1. Phishing Attacks are Becoming More Sophisticated

Phishing emails are becoming more sophisticated and highly targeted. Such messages impersonate trusted individuals and organizations, leverage legitimate channels and do not contain any malware. Threat actors are even leveraging artificial intelligence (AI), including ChatGPT, to create phishing emails. Because these messages present no obvious red flags for an SEG to detect, many of them reach inboxes, which can lead to security breaches. It is estimated that almost 19% of phishing emails currently go undetected by Microsoft Defender, and double that when the phish is crafted to escape detection or impersonates a recognized brand.

2. Secure Email Gateways Cannot Detect Zero-Day Threats

SEGs rely on traditional filters such as known malicious signatures, global blacklists and IP reputation, which are good at detecting basic phishing emails. However, when it comes to complex social engineering, CEO fraud and business email compromise (BEC) attacks, zero-day malware and previously unseen malicious URLs, secure email gateways lack the context and telemetry to detect these advanced threats.

3. Secure Email Gateways Cannot Examine Emails at a Granular Level

Traditional SEGs do not have the ability to examine emails at a granular level, which matters most for malware and ransomware, since these often arrive disguised as attachments, macro-enabled documents and malicious links embedded in the email. It is estimated that 14% of all email-related malware evades SEG defenses, a substantial number considering that seven out of 10 malware payloads are delivered via email.

4. Secure Email Gateways Have Inherent Flaws and Vulnerabilities

Many SEGs have known vulnerabilities that attackers can exploit. For example, in November 2022, researchers discovered a flaw in the Cisco Secure Email Gateway that allowed attackers to bypass email filters and deliver malware payloads to their victims. Furthermore, attacker tactics, techniques and procedures (TTPs) are constantly evolving, so these gateways need to be continually configured and fine-tuned to prevent advanced threats and follow-up attacks. Studies show that maintaining SEGs is not easy and that they can generate too many false positives, which is a major burden on IT teams.

5. Email Phishing is Just One Part of Social Engineering

Today’s phishing attacks aren’t limited to email. While secure email gateways offer some protection against email phishing, they offer no protection against social media phishing, SMS phishing (smishing), voice-based phishing (vishing), WhatsApp phishing and so on. Even if businesses were somehow able to ward off every email-based threat, they would still face the growing social engineering problem on other channels.

How Organizations Can Overcome SEG Limitations

Organizations need a multi-layered defense approach to overcome the shortcomings of SEGs, including:

1. Building a human perimeter: Natural human frailties (stress, impulsiveness, distraction, impatience) are the root cause of successful phishing scams. This is why organizations should focus on a combination of security best practices and knowledge (do’s and don’ts), phishing simulations and real-time coaching to boost the security culture and build muscle memory to identify and report these cyberattacks.

2. Empowering employees with tools: It’s difficult for security teams to stop a phish until it is reported. Providing employees with simple, intuitive tools such as a “report phishing” button on the email toolbar lets them report suspicious messages proactively and helps the organization catch phishing emails early, before they spread.

3. Augmenting the SEG with advanced email security: Gartner believes that by 2023, at least 40% of organizations will use built-in protection capabilities from cloud email providers rather than a secure email gateway. Even if you don’t rip out and replace your SEG, it is worth supplementing it with cloud-based email security that uses AI, machine learning and natural language processing to detect phrases such as requests for credentials, wire transfers, confidential information or gift cards, and that provides real-time analysis of email activity so that questionable emails can be quarantined or analyzed immediately.
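The content-level phrase analysis described in point 3, combined with the impersonation context that signature- and reputation-based filtering misses in CEO fraud and BEC, can be illustrated with the following added example. It is not code from the original post or from any vendor; it assumes an internal domain `example.com`, one executive entry, constructed sample messages, and arbitrary rule weights and verdict thresholds, all chosen for illustration only.

```python
"""Added example (not from the original post): a toy content-and-context
scorer of the kind a cloud email security layer applies on top of an SEG.
It looks for the phrase categories the post names (credential requests,
wire transfers, gift cards, confidential data) plus urgency cues, executive
display-name impersonation from an outside domain and Reply-To mismatches,
then maps the score to deliver / flag / quarantine. Domain, executive list,
weights, thresholds and sample messages are all constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                         # assumed internal domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # assumed display name -> real address

# Phrase categories from the post, each with an assumed weight.
PHRASE_RULES = {
    "credential_request": (r"\b(verify|confirm|update)\b.{0,40}\b(password|credentials|login)\b", 3),
    "wire_transfer": (r"\b(wire|bank)\s+transfer\b|\bpayment\b.{0,30}\baccount\b", 3),
    "gift_card": (r"\bgift\s*cards?\b", 3),
    "confidential_data": (r"\b(w-?2s?|payroll|confidential)\b", 2),
    "urgency": (r"\b(urgent|immediately|asap|right away)\b", 1),
}

def _plain_text(msg) -> str:
    """Concatenate every text/plain part (walk() also handles single-part mail)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def score_message(raw: str) -> dict:
    """Return the triggered rules, the numeric score and a verdict for one raw message."""
    msg = message_from_string(raw)
    text = f"{msg.get('Subject', '')}\n{_plain_text(msg)}".lower()
    hits, score = [], 0
    for name, (pattern, weight) in PHRASE_RULES.items():
        if re.search(pattern, text):
            hits.append(name)
            score += weight
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    # An executive's display name on mail that did not come from our own domain.
    if display.strip().lower() in EXECUTIVES and from_domain != ORG_DOMAIN:
        hits.append("exec_impersonation")
        score += 4
    # Reply-To steering replies to an address other than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        hits.append("reply_to_mismatch")
        score += 2
    verdict = "quarantine" if score >= 6 else "flag" if score >= 3 else "deliver"
    return {"hits": hits, "score": score, "verdict": verdict}

# Constructed sample messages (not real traffic).
BEC_SAMPLE = """\
From: Jane Doe <jane.doe@outlook-mail.example>
Reply-To: ceo.office@another.example
To: finance@example.com
Subject: Urgent request

Are you at your desk? I need you to buy 5 gift cards for a client right away.
Send me the codes when done.
"""

CRED_SAMPLE = """\
From: IT Helpdesk <helpdesk@example.com>
To: user@example.com
Subject: Action required

Please confirm your password within 24 hours to keep your mailbox active.
"""

BENIGN_SAMPLE = """\
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 budget review

Please send the updated budget slides before Thursday's meeting.
"""

if __name__ == "__main__":
    for label, sample in [("BEC", BEC_SAMPLE), ("credential", CRED_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(label, score_message(sample))
```

The point of the example is the combination: none of the three messages carries a malicious attachment or a blacklisted URL, so signature and reputation filters have nothing to match, yet phrase categories plus sender context separate the gift-card fraud (quarantine) from the credential lure (flag) and from routine internal mail (deliver). In practice the weights would be tuned against the organization's own mail and the verdicts fed into the quarantine and analyst review workflow the post describes.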

To summarize, legacy SEGs are no match for today’s cyberthreats. What organizations truly need is a defense-in-depth approach that detects and analyzes emails at a granular level, combined with employees who are regularly trained to practice a healthy sense of skepticism. Together, these go a long way toward detecting advanced phishing attacks.

Stu Sjouwerman

Stu Sjouwerman is founder and CEO of KnowBe4, developer of security awareness training and simulated phishing platforms, with over 30,000 customers and more than 20 million users. He was co-founder of Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010. Stu is the author of four books, with his latest being “Cyberheist: The Biggest Financial Threat Facing American Businesses.”
