Research suggests that email is the most common point of entry for malware, providing access in 94% of cases, so it’s unsurprising that phishing is the root cause of 32% of security breaches.
Just last month the UK government’s Cyber Security Breaches Survey confirmed this trend remains worryingly unchanged: 91% of large businesses are most likely to report phishing attacks as the source of a data breach, with the threat having risen from 72% to 83% in the last four years. Meanwhile, reports of other threats, like computer viruses, have dropped significantly.
Regardless of the anti-malware tools, firewalls, Sender Policy Framework (SPF) or Domain-based Message Authentication, Reporting and Conformance (DMARC) solutions in place, it is clear that phishing emails are reaching individuals and organizations at an unprecedented rate, causing more consistently detrimental effects than many other security threats combined. Some phishing attacks have even made headlines due to their severity and the size of the brands they are taking as victims.
Recently, news broke about the $2 million ransom FatFace paid after cybercriminals infiltrated its network through a phishing email, harvesting 200GB of data, including employees’ bank details. For the retailer, reportedly only making 25% of its typical revenue due to the pandemic, the original ransom of $8 million would have meant an end to its operations completely. This should act as a chilling reminder of the catastrophic consequences that poor email hygiene can have on companies large or small.
So, what is the answer for businesses like FatFace or those desperate to avoid falling victim to this level of cybercrime? Bolstering email security is ultimately about striking the balance between protective technologies and sufficient staff training.
A business can have the most secure defense system in place, but without a company-wide, security-first mindset, as well as an adequate understanding of threats and vulnerabilities, it will still be at risk.
Making cybersecurity an everyday topic
Humans will inevitably make mistakes when it comes to phishing emails, but it is possible to mitigate these risks by ensuring that cyber defense strategies are at the front and center of business processes, as well as integrated within company culture. This will ensure teams are made aware of potential threats before they run the risk of falling victim to them.
IT teams are often expected to take sole responsibility for a company’s cybersecurity strategy, yet it is impossible for these experts to monitor the email activity of each employee. With human error cited as a contributing factor in 95% of breaches, it is important to remember that email security – alongside many other areas of cyber defense – is a human issue and each member of the team poses a significant risk.
While IT professionals should take the lead by distributing relevant information about the latest phishing campaigns targeting their industry, it is also the responsibility of managerial staff to flag IT concerns in their team meetings and integrate cybersecurity issues into regular company updates. These discussions can be started by IT leaders, but the topic of cybersecurity must be discussed by each department in order to ensure phishing emails do not fly under the radar.
Fostering a culture of training and education
Culture is a key factor for businesses when assessing their cyber defenses, with a recent survey revealing that 65% of organizations that chose not to implement a zero trust security approach avoided it because they believed it did not fit with their company culture.
However, a security-first mindset is becoming increasingly important in defending a business’s IT infrastructure, and it is crucial that companies assess whether their culture prioritizes security or cultivates vulnerabilities. Even if they do not overhaul their security posture with a framework such as zero trust, enterprises should at least be regularly educating and advising their staff on how to spot and react to a malicious email.
Adequate cybersecurity training and awareness should include outsourcing white hat hacking and phishing campaigns that imitate real-world attacks to teach staff what they are doing wrong and how to distinguish between a dangerous email and a safe one in the future. Importantly, when employees do identify and report suspicious behavior/emails, they should then be rewarded in order to further incentivize vigilant behavior.
Start from the top and filter down
Good email hygiene and a recognition of the role employees play in securing an organization must be driven from the top down, otherwise it runs the risk of being ignored. C-suite leaders are increasingly becoming more involved with the technology that bolsters cybersecurity defense systems, but are the dangers of a lax approach towards phishing attacks really discussed in the boardroom?
Every member of the C-suite, especially the financial decision-makers, must be involved in cybersecurity issues from the very start in order to ensure their entire company follows the same strategy for defense.
IT teams and CEOs are ultimately working towards a common goal – business continuity and success – but if it is only the IT and security teams that understand the importance of educating and training in the fight against phishing attacks, companies will never have the time or monetary investment signed off to make it a reality, leaving them vulnerable for months or years before the consequences are realized.
Without sufficient tools in place to filter malicious emails and detect potential threats, enterprises will be at risk. However, the ignorance of a team member that has never been properly educated on the dangers of clicking on an unauthorized email link or how to spot the tell-tale signs of a phishing attack can pose even more of a threat.
For email security to improve, each and every business leader must regularly acknowledge the threat of phishing attacks and discuss the dangers of cybercrime with their teams. Top decision-makers must take an active role in making the threat of phishing attacks heard throughout an organization and give staff the tools and training to ensure they don’t fall prey to a convincing email. Far more than a technology issue, phishing attacks are an everyday human responsibility.