Threats to email security are on the rise. Research conducted for Cyber Security Hub’s Mid-Year Market Report 2022 found that 75 percent of cyber security practitioners think that email-based attacks such as phishing and social engineering are the ‘most dangerous’ cyber security threat to their organizations. Companies must protect this vulnerable asset without compromising its efficiency in communication.
Email security is integral to protecting companies from external threats but also essential to protecting a brand’s customers from outbound threats such as phishing, data breaches and business email compromise (BEC). Without sufficient email security strategies, companies open themselves, their clients, and their customers to the consequences of cyber security incidents.
Threats to email security not only encompass attacks from bad actors but the internal function of the company. Research from Stanford University found that 88 percent of all data breaches are due to an employee mistake, meaning companies must be hypervigilant when training their employees. This training should take place in an easily accessible format so that information is easily retained by employees and future mistakes are avoided.
This threat to the internal workings of a company can also led to further damage to its brand if not dealt with swiftly and effectively. Even long-time customers may lose faith in organizations if they feel they are unable to trust in their cyber security strategy, especially when their personal data is on the line.
In this article, Cyber Security Hub provides guidance on how to implement excellent email security and make sure your employees understand its importance.
The vulnerabilities caused by weak email security
Overlooking email as a security risk is a dangerous oversight for any organization. In 2020, professional services network Deloitte reported that 91 percent of all cyber-attacks began with a phishing email.
There are a number of threats poor email security present, ranging from social engineering attacks, phishing and account compromise to takeover and data theft. Phishing attacks can target users’ passwords and accounts that could contain sensitive and valuable customer information. Credential theft is also a risk as employees may reuse passwords for multiple different platforms across their business and personal life, weakening a business’s security if any of these accounts are compromised or exposed during a data breach.
Djon Ly, digital marketing manager at money service operator Statrys, says that there is no reliable way for businesses to manage passwords or ensure that employees regularly change their passwords. Social engineering and sophisticated hacking techniques can make it difficult for employees to correctly identify fraudulent emails, Ly notes, even if an organization has email protection or holds regular security training.
“Frequently, phishing emails will ask recipients to reset passwords or log in to a fraudulent account website in order to harvest credentials. Even if an organization has email protection and regular security training, it can be very difficult for users to determine whether or not an email is fraudulent,” she explains.
Muhammad Babamia, IT internal audit specialist for cyber security and data and analytics at South African investment holding company Transaction Capital, agrees, stating: “The greatest risk to email security are careless employees.
“People are the weakest link from a cyber security perspective,” he adds. “This is especially true in terms of email security. While email configuration and security layers aid in reducing email-related breaches, they remain in place in some form of reliance on diligence of humans.”
When it comes to email security, while the best software measure may be put in place, true email security also hinges on employees’ abilities to understand why and how the company may be attacked via email, and what to do in the case of a compromise.
“People are the weakest link from a cyber security perspective – this is especially true in terms of email security.”
Muhammad Babamia, IT internal audit specialist at Transaction Capital
The consequences of phishing campaigns can be devastating for businesses. In 2014, Sony Pictures’ employees, including system engineering and network administrators, were targeted with fake emails that looked like legitimate communications from Apple, asking them to verify their Apple ID credentials.
By clicking on the link provided, employees were taken to a legitimate-seeming webpage that required them to input their login details. As these emails were targeted at those who would most likely have access to Sony’s network, these details were then used to hack into its network.
The spear phishing campaign led to multiple gigabytes of data being stolen including business-related content, financial records, customer-facing projects, and digital copies of recently released films. The hack cost Sony an estimated US$15mn.
Kym Welsby, regional director for APAC at Clearswift, a HelpSystems company, notes that one of the main issues with ensuring email security is that email was designed with no security functionality from its outset.
“[Email having no security] was the secret of its success. This was fine when relatively fewer people were using it to contact people they knew only, but with its expansion people no longer know who is contacting them,” Welsby explains.
As employees within a business will be used to people from outside the company contacting them, as well as speaking to people they do not know in a business capacity, this can make them less wary of potentially dangerous or fraudulent emails. There are a number of threats when it comes to email security, from direct attacks on employees through phishing campaigns or social engineering to a lack of security functionality in email.
In the next section of this report, we will explore how to combat these threats.
“[Email having no security] was the secret of its success. This was fine when relatively fewer people were using it to contact people they knew only, but with its expansion people no longer know who is contacting them,”
Kym Welsby, Regional director for APAC at Clearswift, a HelpSystems company
Ensuring email security within your business
Email-based attacks like phishing and social engineering that directly target employees within a business can have devastating consequences for businesses, with three in four cyber security professionals surveyed for Cyber Security Hub’s Mid-Year Market Report 2022 stating these attacks are the ‘most dangerous’ threat to cyber security.
These attacks directly target employees inside a business, placing the responsibility for ensuring the attack does not progress in their hands. Additionally, these attacks often rely on psychologically manipulating employees. They can be very effective in convincing employees to act in ways they would not usually, even if they have had security training.
The effectiveness of phishing attacks may rely on how effectively employees can evaluate whether an email is safe. This can be an issue if employees do not pay attention to cyber security training. Clearswift’s Welsby explains that this complacency in this task may be due to a misconception from those within a business that their antivirus or antimalware software is sufficient to block any and all threats. As antivirus software can only stop and prevent known threats such as malware or ransomware, however, if a breach attempt involves a new, unknown file or URL, it may not be able to block an attack.
Ensuring good cyber security within businesses requires employees to be engaged with their training so they are better able to retain the information and use it at a later date when they do come across cyber security threats.
How to engage employees with email security
In a discussion between Cyber Security Hub’s Advisory Board, one member suggested that linking email security to a company’s universal goals was very beneficial. This involves conducting multiple phishing tests throughout the year, with the score of said tests affecting a businesses’ bottom line. This is because phishing attacks have an indirect influence on a company’s bottom line. Cyber-attacks cost a lot of money, meaning if a cyber-attack occurs, companies will lose money in operations costs. Additionally, cyber-attacks may lead customers to lose trust in a company and take their business elsewhere, leading to an overall drop in revenue. With bonuses directly linked to profit, financially motivated employees should be more diligent in not clicking on potentially dangerous links, as their good behavior is reinforced and rewarded.
Jorel Van Os, chief information security officer at insurance company Acrisure, suggests companies can better engage their employees by employing the use of short-form video content using real-life case studies as examples.
“[The videos are] a testimonial, with an actor reenacting real case studies,” Van Os remarks. “I think that’s a good, compelling way to [train employees].
“They are one to two minutes each, he explains. “We did a micro-survey on the videos in terms of length of content, effectiveness of content and delivery of content, and we got 4.8 out of five stars out on across hundreds or thousands of people that rated it.”
One such example is a testimonial from an actor posted on LinkedIn entitled ‘My LinkedIn post cost my company a fortune’. In the testimonial, the actor explains that someone posing as a recruiter enticed him into communicating with them first through comments on his LinkedIn posts, then via messages with a lucrative job offer.
The faux recruiter built a relationship with him, and finally sent him a PDF which, supposedly, contained the job offer. Instead, it contained only a cover letter and two blank pages. When the actor reached out to the supposed recruiter, they explained that it was a secure file, and prompted him to download and install a secure PDF reader. When this still did not work, the actor contacted the recruiter again, but the recruiter did not respond to any of his messages. He dismissed this, but weeks later there was a data breach at his company that cost the company millions of dollars. The breach was traced back to him, as the PDF reader had actually contained malware that was used to level an attack against the company.
The actor explains that job scam attacks are becoming more prevalent as people are expected to communicate with strangers, and download the attachments sent to them.
Van Os says that by doing this companies can help employees realize that they are involved with the email security of a business, as well as offering them a framework of what to do during a cyber security incident. It can also provide them with tips of what to look for in potentially malicious communications.
Companies can employ other tactics to keep employees engaged, says Transaction Capital’s Babamia.
“Traditional ‘death by PowerPoint’ presentation styles often lead to bored and inattentive learners,” Babamia remarks. “Organizations need to ensure that participants are engaged through various means of learning such as gamified learning and the use of incentives to promulgate better learning.
“Simulated phishing attacks are a great way to pick out unaware employees. With scare tactics in mind, employees should be more focused to ensure that the consequences of their actions do not lead to a severe breach of the organization’s information security,” he notes.
Ensuring email security beyond employees
In terms of ensuring email security beyond training, Clearswift’s Welsby notes that a layered solution is best, as there will need to be different controls to respond to different threats. He recommends combining content protection like structural sanitization – removal of active content within the email body and attachments and removal or rewriting URLs to go through a different web browser. Identity protection is particularly important, as social engineering and phishing attacks often rely on posing as someone with authority within the business. By looking for the good senders rather than preventing the bad, this allows software to identify and block bad actors post-delivery, preventing the spread.
Kemas Ohale, head of global information security operations at manufacturer of pneumatic control devices SMC Corporation, notes that using an email security solution that combines the power of threat detection artificial intelligence (AI) or machine learning (ML) with the power of the human to form a complete solution can be “highly effective” in keeping organizations safe.
“AI or ML cannot do it alone and neither can humans,” Ohale remarks. “Combining the two into a single solution and reducing the load on our security team through extensive automation is the optimal way to ensure inboxes are as secure as they can be.”
Email security can be ensured by engaging with employees and showing them how cyber security is inherently tied into their job. Beyond this, companies must engage defense strategies including email authentication protocols such as DMARC, structural sanitization and the use of AI or ML to help detect and neutralize threats to protect the email system. In the next section, this report will discuss the importance of email security in protecting your brand.
How email security can protect your brand
Email security is not just important for internal data safety, but for a company’s external brand. Bad email security can affect customers in multiple ways, from exposing their personal information to causing them to see a brand as less secure or trustworthy.
Clearswift’s Welsby notes that while most people think email security is about protecting their organization from threats, companies also need to protect their outbound emails and tell customers and clients to reject messages that are not from the company.
Welsby explains that while using DMARC authentication to detect and prevent email spoofing techniques used in phishing, business email compromise (BEC) and other email-based attacks seems easy in principle, it can be complicated – especially for large organizations.
“We have had clients use applications to allow others to send emails on their behalf and had one organization that found it was using 200 more email applications than it realized it was using,” says Welsby. “As it was a big retail brand with many custom-built applications and service providers sending emails on its behalf, it took two years to establish the use cases [for email applications to send emails on their behalf].
“Brand protection makes it easier for brands to establish who they are and what services they use,” he adds.
Transaction Capital’s Babamia notes that as largerscale attacks may lead to high-sensitivity email disclosure, should attackers leak highly confidential information to the public, which can affect trust in a company. If this trust is broken, customers may leave the company and use a competitor instead, leading to a potential drop in revenue.
Customers can lose trust in brands when they believe they are not appropriately securing their data, leading to concerned customers to switch to different brands. By ensuring that both employees are fully engaged with and retain information from training, and that there is a robust email security solution in place, companies can put themselves in a better place to identify and mitigate cyber security incidents.
“Brand protection makes it easier for brands to establish who they are and what services they use.”
Muhammad Babamia, IT internal audit specialist at Transaction Capital
There are a number of threats to email security that employees must face. The most dangerous of these are social engineering and phishing attacks, as they directly target employees and can have potentially devastating consequences for their company.
Email security is fundamentally reliant on employees being vigilant against potential inbound attacks. In order to ensure all employees are in the best place to recognize and not engage with malicious emails, companies must take into consideration the way they are educating their employees in regard to cyber security. Using more engaging techniques like shorter videos, relating the content to themselves as employees or using a rewards-based system can help engage employees better, meaning they are in a better position to ensure email security.
Additionally, companies should ensure that they have robust security in place, including the use of structural sensitization and identity protection like DMARC. By using these methods, companies can ensure that phishing attacks are less successful, as URLs can be deemed as safe before they are clicked on, and malicious actors who attempt to pose as higher-ups in the company during social engineering or phishing attacks will be less likely to succeed.
By doing this, companies can protect their employees and the business itself from cyber criminals and in bound threats, while protecting clients and customers from outbound threats. By communicating these efforts with clients and customers, they can build trust in their cyber security, and prevent a loss of trust if a cyber security incident happens as if customers feel their data is not adequately protected, they may leave a business and take their custom elsewhere.
How do you maintain good email security to strengthen your business model? Please let us know in the comments section below.