Email security is not just about securing your correspondence; it is about securing the most important conduit into your organisation. Email is also the number one attack vector for cybercrime, with 9 out of 10 cyber-attacks starting from the inbox, since it gives cyber criminals a low-risk, low-cost entry into a network, with maximum results. Challenged by varied cyber-attacks, organizations employ a number of defences to safeguard themselves; however, a network is only as strong as its weakest link.
According to Brian Pinnock, Cyber Resilience Expert at Mimecast, employees are unfortunately the weak link, and organizations need to focus on educating them to recognise phishing attacks and report them to security teams in a timely fashion. “Simply having a strong defence strategy is not enough. Email security training is also very important as this will allow users to identify and stop email-borne threats.”
Although organizations are aware of the risks they face in the event of a breach, most do not have a cyber-resilience strategy in place, Pinnock adds. In fact, a study conducted by Mimecast and Vanson Bourne highlights how bleak the current situation is, with fewer than a quarter of respondents having adopted a complete cyber-resilience strategy. “Today email-borne threats have become very frequent and sophisticated, which calls for the need to adopt a cyber-resilience strategy that can help organizations protect their business, data and employees.”
The research goes on to say that a gap exists in terms of security training and email. It found that 39% of IT decision makers in global organizations had complete confidence they had sufficient email security training. However, a mere 15% of respondents reported they conduct near-regular security training – 25% reported offering training every month, 32% every quarter and 13% every year.
With regard to email security, organizations today are threatened not just by malicious attachments and spam, but also by an increased number of malware-less impersonation attacks. Since regular email security solutions are unable to stop or recognise such discrepancies, it is imperative that the human element that is perceived to be the weak link steps forward and takes charge, he adds. “As email security providers can’t always stop these often hard-to-detect impersonation attacks, it is important that organisations strengthen their human firewall.”
With advances in security solutions, attackers also continue to change tactics. Hence, regular training must be an important part of an organization’s cyber-resilience strategy so that employees can be conditioned to be cautious about suspicious emails. While first-line defences such as email filtering, gateways and antivirus are essential for any organization, such training makes employees aware of the best practices to follow, helps them identify what they need to watch out for, and encourages them to report anything suspicious. Cybercriminals may be able to edit malware to counter security product updates, but they cannot factor in the benefits of this ever-vigilant human firewall, concludes Pinnock.