Despite numerous attempts to dethrone email over the past few years, it continues to be the de facto standard for business communications.
It’s fast, convenient, simple to use, cost effective and auditable. Email certainly isn’t going anywhere in a hurry.
There’s just one problem: email was built for a different time, one in which cyber threats were few and far between. It should come as no surprise that email is the number one threat vector facing organisations today.
Business email compromise (BEC) scams caused the highest losses across all scam types in 2019, costing Australian businesses $132 million, according to the ACCC’s latest Targeting Scams report.
Eighty-five percent of BEC attacks are urgent requests designed to get a fast response, according to Barracuda researchers, with 1-in-10 spear phishing emails successfully tricking users into clicking.
That number triples for emails that impersonate someone from HR or IT.
Along with ransomware, banking trojans, phishing, social engineering, information stealing malware, spam — the list of email borne threats seems to grow every year.
These are compounded by the risk of accidental disclosure of sensitive information via email. One of the most common incident types is email sent to the wrong recipient.
This gets to the heart of the challenge for IT security teams. Email is the number one threat vector precisely because it allows malicious third parties to directly target what has long been regarded as the organisation’s weakest link: its employees.
It’s hardly surprising though. We’re curious and helpful by nature, which is why social engineering attacks are popular and profitable for cybercriminals.
One wrong click could be enough to let the bad guys in to install ransomware on the corporate network, or to rifle through customer databases.
Employee behaviour is hugely important in the fight against email threats. Most cybersecurity investments in recent years, however, have been directed at securing networks and computers.
As a result, vendors are much better at patching and preventing vulnerabilities, and IT systems are more secure.
While this is of course a good thing, the problem lies in where the bad guys focus their attention next: exploiting human weaknesses. Unfortunately, the tools IT security teams put in place to keep threats out don't always work.
The focus of security programs needs to shift to make employees more aware about the different types of attacks they could fall victim to.
Thanks to Australia’s data protection and cybersecurity regulations, it’s more important than ever to tackle the cyber threats posed by email. You need to better understand where your organisation is most exposed and what you can do to minimise damage.
By focusing on the human firewall, meaning how employees are trained, how their behaviour is changed and what that achieves, organisations ultimately gain a better security posture.
Tools now exist to let these human firewalls detect suspicious activity and feed that information back, helping IT security teams find threats proactively as well as remediate them.
With the help of innovative technologies such as AI-powered tools, organisations can get better at spotting spoofed and malicious emails.
Combined with a renewed focus on more progressive approaches to staff training, you can begin to fight back.
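To make the point about spotting spoofed and urgent emails concrete, here is an added example that is not Barracuda's code or tooling and deliberately uses plain heuristics rather than AI. It parses a message and flags three of the cues discussed on this page: a known employee's display name on an external or lookalike domain, a Reply-To that steers replies elsewhere, and urgent wording in the subject or body. The corporate domain, the staff directory and the two sample messages are constructed for the example and are assumptions, not data from the article.

```python
import difflib
import email
from email import policy
from email.utils import parseaddr

# Assumptions for this example (not from the page): the organisation's
# own mail domain and a small staff directory of display names.
INTERNAL_DOMAIN = "example.com"
STAFF_DIRECTORY = {"jane smith", "ravi patel"}  # lower-cased display names
URGENCY_CUES = ("urgent", "immediately", "asap", "right away", "before end of day")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if absent."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse_message(raw: str) -> dict:
    """Parse one RFC 5322 message and return the sender plus a list of
    impersonation/urgency indicators that a reviewer or a mail gateway
    rule could act on. The score is simply the number of indicators."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = _domain(from_addr)
    flags = []

    # 1. Display-name impersonation: a known employee's name on an
    #    address that is not on the corporate domain.
    if from_domain != INTERNAL_DOMAIN and from_name.strip().lower() in STAFF_DIRECTORY:
        flags.append("display-name impersonation")

    # 2. Lookalike sender domain (e.g. a digit swapped for a letter).
    #    The 0.8 similarity threshold is an arbitrary choice for the example.
    if from_domain and from_domain != INTERNAL_DOMAIN:
        similarity = difflib.SequenceMatcher(None, from_domain, INTERNAL_DOMAIN).ratio()
        if similarity >= 0.8:
            flags.append("lookalike domain")

    # 3. Reply-To pointing replies at a different domain than From.
    if reply_addr and _domain(reply_addr) != from_domain:
        flags.append("reply-to domain mismatch")

    # 4. Urgency language in the subject or body, the hallmark of BEC requests.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    if any(cue in text for cue in URGENCY_CUES):
        flags.append("urgency cue")

    return {"from": from_addr, "flags": flags, "score": len(flags)}


# Constructed sample messages (not real traffic).
LEGIT_MESSAGE = """From: Jane Smith <jane.smith@example.com>
To: accounts@example.com
Subject: Q3 supplier report

Please review the attached report when you have a moment.
"""

BEC_MESSAGE = """From: Jane Smith <jane.smith@examp1e.com>
Reply-To: jane.smith.ceo@mail-example.net
To: accounts@example.com
Subject: Urgent wire transfer

I need a payment sent immediately. I am in a meeting, so reply by email only.
"""

if __name__ == "__main__":
    for raw in (LEGIT_MESSAGE, BEC_MESSAGE):
        print(analyse_message(raw))
```

Run as a script it prints no flags for the legitimate message and four for the constructed BEC message. None of these checks is conclusive on its own (a contractor may legitimately share a name with staff, and urgent wording appears in real mail), which is why the result is a list of indicators to review rather than a block decision, and why the page's emphasis on training the recipient still matters.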
Who’s most likely to fall victim?
It’s hardly surprising that finance employees have traditionally been the most vulnerable, considering their access to the crown jewels – bank account information, wire transfer numbers and other valuable business information.
However, with finance generally more trained and aware of threats, attackers have moved on to marketing, operations, engineering, sales, IT and other departments to make their impact.
They’re now also focusing more on mid to lower level employees, rather than senior executives, as they typically don’t have the same training and awareness.
Email attacks are a numbers game; the more attempts made, the more likely someone will fall for one – and there are a lot more individual contributors available to attack than executives.
However, the payoff could be larger when executives fall for a social engineering attack, due to the availability and quantity of sensitive information they have access to, which explains the increasing popularity of spear phishing and whaling.
Cybercriminals tend to prefer attacks that monetise directly, such as fraudulent payments, over stealing information to sell on. Unlike stolen data, which still needs a buyer, these attacks pay out without one.
They cut out the middleman, meaning less work and a faster, better return for the criminals.
Improve security awareness
Email security isn’t just the responsibility of IT – it’s the responsibility of every employee in your organisation. But it’s important to identify human risk factors in a non-threatening manner.
Do your employees truly understand that information security policy they signed? Did a recent information security announcement have any impact on their perceptions of risk?
Is your security awareness program addressing the real needs of employees, from their perspectives?
IT pros are well aware of the risks presented by user error. The best defence against email threats is to make users aware of the threats and techniques used by cybercriminals.
The best approach is to implement a simulation and training program to improve security awareness for your users.
Training isn't just nice to have, it's a top priority because targeted attacks have become so convincing and effective. Train your employees to recognise malicious emails from multiple sources and test them the way an attacker would.
Show them the latest attack techniques, how to recognise the subtle clues and help stop email fraud, data loss and brand damage.
Embed learning into your everyday business processes with customised simulations that test and reinforce good behaviour.
There are better ways to train employees than traditional classroom-style education, however.
Focus on activities that are relevant to an employee's department and role, unscheduled simulations of typical attacks, training modules that can be completed at the employee's convenience, and rewards for taking the right actions.
By customising training in this way, you make it far more engaging and relevant to your users.
Mark Lukie is a sales engineer manager for APAC at Barracuda Networks. He has over 18 years' experience in networking, security, backup/disaster recovery, public cloud platforms, as well as systems integration.