The cost of inadequate email security can be enormous both in terms of financial damage and reputation. Intelligent CIO asked Jeff Ogden, General Manager – Middle East, Mimecast, how CIOs can protect their organisations from email threats.
How much of a risk do email-based attacks pose to enterprises?
More than 90% of hacking attacks today begin with some kind of email phishing attack or spear-phishing threat, and yet email security is still not being made a priority by organisations. In new research by Mimecast and Vanson Bourne, 39% of UAE organisations say it is likely that they will suffer a negative business impact from an email-borne attack in 2019. If email security isn’t made a priority, organisations run the risk of losing data, money, customers and reputation.
The cost of email security threats on an organisation can be enormous. Aside from the fines and legal actions that result when sensitive customer information or financial data is breached, email security threats can cost millions of dollars in reduced customer confidence, damage to reputation and, ultimately, loss of business. In fact, Vanson Bourne’s research indicated that 77% of all surveyed UAE organisations had suffered some kind of loss because of an email-based impersonation attack in the last 12 months.
Why is cyber-awareness so important for businesses?
The human is the weakest link and until the employee can identify simple threats like phishing and more advanced ones like impersonation fraud and spear phishing, an organisation remains vulnerable. Despite the most advanced protections that can be put in place and despite the best threat intelligence available, organisations remain vulnerable because of their employees’ basic lack of security awareness.
However, it is possible to raise awareness, to create an engaged and responsible work force and security culture, to bolster your defence by creating a ‘human firewall’. According to a report from Gartner, the security awareness computer-based training market will grow to more than $1.1 billion by year-end 2020.
According to research Mimecast conducted with Vanson Bourne, 95% of UAE organisations have seen phishing attacks in the last 12 months, yet only 32% responded that they train employees on an ongoing basis on how to spot cyberattacks.
The vast majority of cybersecurity incidents are a result of simple mistakes made by employees who have the best of intentions, and these casual mistakes can cost organisations money, their reputation – and employees, potentially their job. As cyberattacks continue to find new ways to bypass traditional threat detection methods, it’s essential to educate your employees in a way that changes behaviour. Your employees are your last line of defence.
What is the best way for businesses to be protected from email-based attacks?
Cyberattacks are evolving so quickly and have become so sophisticated that no matter how advanced your security system is, there’s no guarantee that a new attack method won’t make its way into your organisation. The entire IT infrastructure needs to be protected with effective and layered security solutions. And with email being the number-one vector used to execute cyberattacks like malware delivery, phishing, Business Email Compromise, and for spreading threats that are already internal to an organisation, protecting this vital business application is non-negotiable.
A defence-only approach is no longer sufficient, and organisations need to adopt cyber-resilience. This includes having:
- An understanding of emerging threats and how companies are remediating
- The right security services in place before an attack happens, both those focused on prevention and those focused on adapting after an attack happens.
- A well-trained, cyber-aware workforce
- A durability plan to keep email – and business operations dependent on email – running during an attack or failure.
- The ability to recover data and other corporate IP after an incident or attack occurs.
How does cybersecurity awareness training create a strong cybersecurity culture?
One of the key elements of cyber-resilience is having a well-trained, cyber-aware workforce. The ability to adapt to continually evolving and escalating cyberthreats is critical, but cybersecurity needs to be a shared responsibility across the organisation.
Human error is involved in over 90% of today’s cybersecurity breaches. Sometimes it’s carelessness, sometimes it’s maliciousness and sometimes it’s things going wrong with the best intentions. No matter what, users need robust, comprehensive awareness training around cybersecurity.
By having a strong awareness training programme, you extend your team and prevent incidents from happening when technology and processes fail. Employees are also always coming and going and the only way to keep cybersecurity awareness alive is to provide continuous training, so cybersecurity is top of mind. Without that regular training, your culture will suffer, and people will then assume everything is fine with no reinforcement of vigilance.
What is the best method to educate employees about cybersecurity?
Persistent, short bursts of training that are tightly focused on a big idea in corporate cybersecurity is the best approach. Security training typically fails because it doesn’t reflect how people work and learn today. It’s delivered too infrequently, it’s long, dry, and boring and employees often feel targeted, rather than supported. When training is unengaging and unenjoyable, people don’t learn. If they are not armed with the knowledge of what to look out for and what to do when the situation arises, they will make mistakes.
Organisations should consider a solution like Mimecast Awareness Training. The programme uses a continuous, virtuous cycle that changes behaviour and lowers risk. The foundation of the platform is engagement through humour, which is the key to improving awareness and knowledge.
Only by getting employees to understand both what’s at stake and what to do about it can you change their attitudes and drive a lasting, positive shift in security culture. The awareness training should be easy, short and supported by the leadership team. This should come with regular KPIs on participation rates and effectiveness with testing of click-through rates.
Are the employees of enterprises complacent when it comes to email security?
Mimecast recently surveyed more than 1,000 people who use company-issued devices (i.e. mobile phones, desktop computers or laptops) in the workplace. This allowed us to get a better sense of their behaviour. Feedback from the survey would suggest that, yes, they are complacent.
The report found that nearly one in four employees aren’t aware of the most common threats plaguing today’s organisations – such as phishing attacks, impersonation attempts and ransomware. Additionally, 15% of respondents said they could either be more cautious or admit they completely trust that the emails being sent to their devices are safe from any type of threat.
In an age where one wrong click from a single employee can compromise a company’s entire infrastructure, these are rather alarming numbers. Furthermore, nearly 60% of employees either aren’t aware of their companies having a formal policy on their personal web use at work, or there isn’t one in place at all.
From these findings, it’s clear that respondents don’t take security seriously and they see it as a problem that is the concern of their IT department only. It’s likely that this is because of lack of training and awareness within the organisation. There needs to be a mindset change and the only way to address this issue is to conduct regular training that is entertaining and informative.
The problem is that most awareness training programmes don’t work. Employees need compelling reasons to care about security and become more resilient against preventable threats. Creative cyber education breaks through the passive resistance most employees have when it comes to training.
What are the most significant cybersecurity threats enterprises should be aware of in the next 12 months?
In 2019, attackers are likely to shift their attention away from large enterprises that can afford and are starting to implement comprehensive cybersecurity, to smaller businesses and industries with historically lean IT.
The small business sector is attractive for its IP, cash flow and relatively limited security maturity, making it easier to breach its defences. In a similar vein, larger companies in lean IT verticals like manufacturing and construction may have the scale but are not as likely to have a comprehensive cybersecurity apparatus in place.
Criminals also realise that targeting a large, well-protected organisation doesn’t only mean that their efforts are likely to be wasted because security is more advanced, but if a threat is stopped, the security team could very well publicise the threat, making the criminals’ tool sets worthless. That’s not to say that enterprises are off the hook. Organisations with advanced IT infrastructure are increasingly becoming targets for state actors.
At the tactical level, existing attack methods, such as phishing, will be made even more effective thanks to improved social engineering and better data correlation. Flawless phishes are likely to give business owners sleepless nights, intensifying the need for awareness training to fix gaps in the human firewall.
How important is the sharing of threat intelligence?
Making use of threat intelligence and collaborating with other players in the security space will ensure the industry is constantly identifying new risks, learning from them and applying the relevant defences to protect organisations in the future.
Encouragingly, the new study by Mimecast and Vanson Bourne found that 69% of UAE respondents felt that threat intelligence was extremely important for their organisation.
Unfortunately, 26% of organisations said that their email security system can’t currently provide threat intelligence data to their security teams. Considering the risks we have outlined regarding email security, it’s concerning that a quarter of organisations currently have a gap here.