Do you think that incoming emails are the most dangerous? You might be wrong…

Email is one of the primary ways we communicate and is an almost universal technology, making it perfect for attackers to reach their victims. Outgoing emails can be even more hazardous than incoming ones.

Running and securing a business in cyberspace during these times of pandemic and economic crisis can be hard. The rapid progression of cyber threats can be attributed to technical failures, but even more to human errors. The complexity of cybersecurity risk, and the cost involved, continue to increase.

According to numerous reports, email continues to be the most popular attack vector, from inside or outside the organisation’s boundaries. A recent report warned that nearly a third of respondents experienced data loss (31%), impact to employee productivity (31%), and business interruption or downtime (29%) due to a lack of preparedness to counter or mitigate email-based cyber-attacks.

Phishing attacks account for more than 80% of security incidents and 94% of malware is delivered via email, adds another report. In 2020, threats are impacting organisations at every level, and some 60% of the surveyed organisations believe it is inevitable or likely that they will suffer an email-borne attack in the coming years.

Organisations wanting to guard against malicious emails typically focus on protecting against incoming emails, particularly concentrating on preventing incoming phishing attempts, impersonation attacks, ransomware, malicious attachments and untrusted URLs.

However, based on aggregate data from its customers, the Mimecast report claims that only 40% of emails originate as inbound system traffic. The other 60% of email traffic is introduced via internal-to-internal (40%) or outbound (20%) email communications. It seems that most companies are not aware of this fact and are not inspecting and securing up to 60% of their email traffic, which is directed, for example, to customers and suppliers.

Detrimental outgoing emails

Imagine if one of the employees in your organisation gets an email asking that person to log in to a seemingly legitimate website to resolve some issue with their email account. Unsuspectingly, the employee clicks on a bogus link and provides his or her login details.

Now the attackers have the employee’s login details and can freely read the email correspondence. It is not difficult to imagine that many other colleagues and outside connections will get emails containing malicious links, malicious attachments or other malware, including ransomware.

Who would then be blamed for the betrayed trust between colleagues, partners and other third parties, and for exposing their sensitive data? Not just that particular employee but the whole organisation, which might suffer a long-lasting negative brand or even legal effect.

What if an unhappy or disgraced employee uses his company email to badmouth his company to other employees, clients and outside business and private connections? The destructive comments about his or her organisation will certainly not be well received by customers and business partners. They would most likely reconsider doing business with that organisation.

Or what would happen if the financial manager mistakenly distributes a bulk email with an attachment that includes salary and bonus information for the entire organisation? It is not difficult to imagine the damage such a mistake can do to an organisation.

And all these damaging emails have come from within an organisation: they are all outgoing emails. Do many organisations understand and properly shield against such damaging events? According to various reports, they do not.

The cybersecurity blogs are flooded with advice on how to protect against outgoing malicious emails. For example, Mimecast advises organisations to (1) increase visibility and control; (2) automatically or manually remediate threats; (3) quickly isolate the source of an attack and shut it down; (4) monitor email traffic for inappropriate or policy-prohibited content; (5) protect against reputational damage; (6) implement data leak prevention policies across all internal and outbound communications; and more! We are adding a very important element, cybersecurity awareness, to that Mimecast “and more”.
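To make points (4) and (6) concrete, here is an added example (not code from the original post, and not Mimecast’s product) of a minimal outbound data-leak-prevention check that a mail gateway could apply to each message before delivery. It evaluates the payroll-attachment mistake described above: a sensitive-looking attachment going to any external recipient or to a bulk recipient list, a bulk external send carrying any attachment, or a confidentiality marker in the body of an externally addressed message. The organisation domain `example.com`, the threshold of five recipients, and the regular expressions for sensitive file names and markers are assumptions chosen for the illustration; the sample messages are constructed inline.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed policy parameters (not from the post): adjust to the organisation.
INTERNAL_DOMAIN = "example.com"
BULK_THRESHOLD = 5
SENSITIVE_ATTACHMENT = re.compile(r"(salary|payroll|bonus|compensation)", re.I)
CONFIDENTIAL_MARKERS = re.compile(r"\b(confidential|internal only|do not distribute)\b", re.I)


def recipients(msg):
    """All recipient addresses across To/Cc/Bcc, lower-cased."""
    headers = [v for h in ("To", "Cc", "Bcc") for v in msg.get_all(h, [])]
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def is_external(addr):
    """True when the address is outside the organisation's domain."""
    return not addr.endswith("@" + INTERNAL_DOMAIN)


def attachment_names(msg):
    """File names of all attachment parts (empty for a plain message)."""
    return [part.get_filename() or "" for part in msg.iter_attachments()]


def evaluate(msg):
    """Return the list of policy findings for one outgoing message; empty means clean."""
    findings = []
    rcpts = recipients(msg)
    external = [r for r in rcpts if is_external(r)]
    names = attachment_names(msg)
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content() if body_part else ""
    sensitive = [n for n in names if SENSITIVE_ATTACHMENT.search(n)]

    # Salary/payroll-style attachment leaving the organisation.
    if sensitive and external:
        findings.append(("sensitive_attachment_external", sensitive, external))
    # Salary/payroll-style attachment sent to a bulk list, even internally.
    if sensitive and len(rcpts) >= BULK_THRESHOLD:
        findings.append(("sensitive_attachment_bulk", sensitive, len(rcpts)))
    # Any attachment mass-mailed to many external addresses.
    if names and len(external) >= BULK_THRESHOLD:
        findings.append(("bulk_external_with_attachment", len(external)))
    # Body explicitly marked as confidential but addressed outside.
    if external and CONFIDENTIAL_MARKERS.search(text):
        findings.append(("confidential_marker_external", external))
    return findings


def decision(findings):
    """Gateway action derived from the findings."""
    return "quarantine" if findings else "deliver"


def build_sample(to_list, attachment=None, body="Please see attached."):
    """Construct a sample outgoing message from the finance mailbox (constructed data)."""
    msg = EmailMessage()
    msg["From"] = "finance@" + INTERNAL_DOMAIN
    msg["To"] = ", ".join(to_list)
    msg["Subject"] = "Monthly update"
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"name,salary,bonus\n", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg


if __name__ == "__main__":
    # The scenario from the post: payroll data bulk-mailed outside the organisation.
    mistake = build_sample([f"user{i}@partner.example" for i in range(6)],
                           attachment="2020_salary_bonus.xlsx")
    for finding in evaluate(mistake):
        print(finding)
    print(decision(evaluate(mistake)))
```

In a real deployment the same checks would run as a milter or transport rule on the outbound gateway, and a quarantine decision should notify the sender and the security team rather than silently dropping the message, so that the training opportunity described later in the post is not lost.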

Security awareness for building “the human firewall”

It is generally accepted in cybersecurity circles that everyone in an organisation, from the CEO down, is responsible for remaining aware of current threats and cyber vectors, including the email vector, used to attack an organisation. This can be achieved only by having a consistent and regularly executed cybersecurity awareness programme.

However, the Mimecast report shows that only about 1 in 5 respondent organisations (21%) offer training monthly, which is the timeframe that experts consider the ‘gold standard’. According to the same report, 17% of the responding organisations offer cybersecurity awareness training only once per year. This rate fails to foster a comprehensive security culture in the organisation.

Best practice advises three key criteria for a cybersecurity awareness programme: (1) foster a security culture rife with empathy and encouragement, instead of obligatory (or boring!) training and testing; (2) use engaging, inclusive images and messages to encourage active participation; and (3) take a global view and make training culturally relevant to each region. And, most importantly, do it regularly throughout the year.

The SANS Institute recommends that the email-related awareness programme cover the cybersecurity concerns related to (1) attachments that might be infected; (2) links that trick end users into clicking through to a phishing site or a drive-by attack site, or into downloading and opening an infected file (such as a .pdf); (3) scams that mislead people out of information or money by simply asking for it (the classic lottery attack); and (4) spear-phishing that targets or singles out influential people in an organisation.

A word on cybersecurity fatigue and habituation

As we have written in our previous posts, achieving individual objectives and finding the path of least resistance is the key driver for many employees when approaching their working responsibilities. For example, cybersecurity warnings are used to inform users of the risks of allowing potentially harmful applications to run on a particular computer. However, practice shows that most users tend to ignore those warnings because they appear over and over again. This behaviour eventually leads to bad habituation.

Moreover, when under fatigue, we tend to make ‘escaping’ decisions: declaring that nobody will attack us because we are too small and do not have anything of great value, or that cybersecurity is somebody else’s responsibility. These are examples of self-deception, and the phenomenon is often referred to as “cybersecurity fatigue”. Dealing with email security while in a state of cyber fatigue can be highly damaging.

Cultivating habituation and addressing cybersecurity fatigue ultimately means safer organisations and should be a decisive guideline for those designing cybersecurity awareness and training programmes. We at VM Advisory will be happy to help in that regard.
