What is email security?
Threats to email security are on the rise. Research conducted for Cyber Security Hub’s Mid-Year Market Report 2022 found that 75 percent of cyber security practitioners think that email-based attacks such as phishing and social engineering are the ‘most dangerous’ cyber security threat to their organizations. Companies must protect this vulnerable asset without compromising its efficiency in communication.
Email security is integral to protecting companies from external threats but also essential to protecting a brand’s customers from outbound threats. Without sufficient email security strategies, companies open themselves, their clients, and their customers to the consequences of cyber security incidents such as phishing, data breaches and business email compromise (BEC).
Threats to email security also include cyber security issues found within companies, such as employees lacking cyber security knowledge. Research from Stanford University found that 88 percent of all data breaches are due to an employee mistake, meaning companies must be hypervigilant when training their employees. This training should take place in an easily accessible format so that information is easily retained by employees and future mistakes are avoided.
This threat to the internal workings of a company can also lead to further damage to its brand if not dealt with swiftly and effectively. Even long-time customers may lose faith in organizations if they feel they are unable to trust in their cyber security strategy, especially when their personal data is on the line.
In this article, Cyber Security Hub provides guidance on how to implement excellent email security and make sure your employees understand its importance.
The vulnerabilities caused by weak email security
Overlooking email as a security risk is a dangerous oversight for any organization. In 2020, professional services network Deloitte reported that 91 percent of all cyber-attacks began with a phishing email.
There are a number of threats that poor email security presents, ranging from social engineering attacks, phishing and account compromise to account takeover and data theft. Phishing attacks can target users’ passwords and accounts that could contain sensitive and valuable customer information. Credential theft is also a risk, as employees may reuse passwords across multiple platforms in their business and personal lives, weakening a business’s security if any of these accounts is compromised or exposed during a data breach.
When it comes to email security, even with the best software measures in place, true email security also hinges on employees’ ability to understand why and how the company may be attacked via email, and what to do in the case of a compromise.
The consequences of phishing campaigns can be devastating for businesses. In 2014, Sony Pictures’ employees, including system engineering and network administrators, were targeted with fake emails that looked like legitimate communications from Apple, asking them to verify their Apple ID credentials. By clicking on the link provided, employees were taken to a legitimate-seeming webpage that required them to input their login details. As these emails were targeted at those who would most likely have access to Sony’s network, these details were then used to hack into its network. The spear phishing campaign led to multiple gigabytes of data being stolen including business-related content, financial records, customer-facing projects, and digital copies of recently released films. The hack cost Sony an estimated US$15mn.
Because employees are used to being contacted by people from outside the company, and to speaking in a business capacity with people they do not know, they may be less wary of potentially dangerous or fraudulent emails.
Ensuring email security within your business
Email-based attacks like phishing and social engineering that directly target employees within a business can have devastating consequences for businesses, with three in four cyber security professionals surveyed for Cyber Security Hub’s Mid-Year Market Report 2022 stating these attacks are the ‘most dangerous’ threat to cyber security.
These cyber attacks directly target employees inside a business, placing the responsibility for ensuring the attack does not progress in their hands. Additionally, these attacks often rely on psychologically manipulating employees. They can be very effective in convincing employees to act in ways they would not usually, even if they have had security training.
The effectiveness of phishing attacks may rely on how effectively employees can evaluate whether an email is safe. This can be an issue if employees do not pay attention to cyber security training. Complacency in this task may be due to a misconception that email antivirus or antimalware software is sufficient to block any and all threats. As antivirus software can only stop and prevent known threats, if a breach attempt involves a new, unknown file or URL, it may not be able to block an attack.
Ensuring good cyber security within businesses requires employees to be engaged with their training so they are better able to retain the information and use it at a later date when they do come across cyber security threats.
How to engage employees with email security
In a discussion between Cyber Security Hub’s Advisory Board, one member suggested that linking email security to a company’s universal goals was very beneficial. This involves conducting multiple phishing tests throughout the year, with the score of said tests affecting their employees' bonuses. This is because phishing attacks have an indirect influence on a company’s bottom line. Cyber-attacks cost a lot of money, meaning if a cyber-attack occurs, companies will lose money in operations costs. Additionally, cyber-attacks may lead customers to lose trust in a company and take their business elsewhere, leading to an overall drop in revenue. With bonuses directly linked to profit, financially motivated employees should be more diligent in not clicking on potentially dangerous links, as their good behavior is reinforced and rewarded.
Companies may also be able to better engage their employees by employing the use of short-form video content using real-life case studies as examples.
One such example is a testimonial from an actor posted on LinkedIn entitled ‘My LinkedIn post cost my company a fortune’.
In the testimonial, the actor explains that someone posing as a recruiter enticed him into communicating with them first through comments on his LinkedIn posts, then via messages with a lucrative job offer. The faux recruiter built a relationship with him, and finally sent him a PDF which, supposedly, contained the job offer. Instead, it contained only a cover letter and two blank pages. When the actor reached out to the supposed recruiter, they explained that it was a secure file, and prompted him to download and install a secure PDF reader. When this still did not work, the actor contacted the recruiter again, but the recruiter did not respond to any of his messages. He dismissed this, but weeks later there was a data breach at his company that cost the company millions of dollars. The breach was traced back to him, as the PDF reader had actually contained malware that was used to level an attack against the company.
The actor explains that job scam attacks are becoming more prevalent as people are expected to communicate with strangers, and download the attachments sent to them.
By using easily-digestible video formats to train employees, companies can help employees realize how much the email security of a business relies on them, as well as offering them a framework of what to do during a cyber security incident. It can also provide them with tips of what to look for in potentially malicious communications.
Ensuring email security beyond employees
In terms of ensuring email security beyond training, a layered solution can be beneficial as it allows different controls to respond to different threats. This can be combined with content protection such as structural sanitization, which removes active content from the email body and attachments, and removes or rewrites URLs so that clicks are routed through a separate, protected browsing environment. Identity protection is particularly important, as social engineering and phishing attacks often rely on posing as someone with authority within the business. By identifying known-good senders rather than only trying to block known-bad ones, such software can also identify and block bad actors post-delivery, preventing further spread.
How email security can protect your brand
Email security is not just important for internal data safety, but for a company’s external brand. Bad email security can affect customers in multiple ways, from exposing their personal information to causing them to see a brand as less secure or trustworthy.
While using DMARC authentication to detect and prevent email spoofing techniques used in phishing, business email compromise (BEC) and other email-based attacks seems easy in principle, it can be complicated – especially for large organizations.
Attacks against larger or more influential companies may lead to high-sensitivity email disclosure, as attackers may leak highly confidential information to the public, which can affect trust in a company. If this trust is broken due to customers believing companies are not appropriately securing their data, concerned customers may switch to different brands, leading to a drop in revenue.
By ensuring that both employees are fully engaged with and retain information from training, and that there is a robust email security solution in place, companies can put themselves in a better place to identify and mitigate cyber security incidents.
Enhancing email security: a summary
There are a number of threats to email security that employees must face. The most dangerous of these are social engineering and phishing attacks, as they directly target employees and can have potentially devastating consequences for their company.
Email security is fundamentally reliant on employees being vigilant against potential inbound attacks. In order to ensure all employees are in the best place to recognize and not engage with malicious emails, companies must take into consideration the way they are educating their employees in regard to cyber security. Using more engaging techniques like shorter videos, relating the content to themselves as employees or using a rewards-based system can help engage employees better, meaning they are in a better position to ensure email security.
Additionally, companies should ensure that they have robust security in place, including the use of structural sanitization and identity protection like DMARC. By using these methods, companies can make phishing attacks less likely to succeed. This is because URLs can be checked for safety before they are clicked on, and malicious actors who attempt to pose as higher-ups in the company during social engineering attacks will be less likely to succeed.
By doing this, companies can protect their employees and the business itself from cyber criminals and inbound threats, while protecting clients and customers from outbound threats. By communicating these efforts with clients and customers, they can build trust in their cyber security, and prevent a loss of trust if a cyber security incident happens. This can prevent customers from feeling their data is not adequately protected, leaving the business and taking their custom elsewhere.