Human behaviour the weak link in cyber defence
By James Forbes-May, VP, Asia-Pacific, Barracuda Networks
SINCE email users are the prime target of phishing attacks, clearly they need to be ultra-aware of any tempting bait. Sadly, statistics reveal that far too many are neither aware nor careful enough, too often resulting in their employers either having to pay exorbitant ransoms and lose invaluable data.
Use of email is ubiquitous in business, with users ranging from office boy or girl through to the CEO, and on to board members.
They are all equal when it comes to sitting at the sharp end of data security, and they all need a sharp lesson in how to avoid that tempting phishing hook.
Of course, email is today's indispensable business IT system. Organisations rely on it to collaborate internally, with partners and suppliers, and for engaging with customers. Newer web-based communication systems have emerged in recent years, but email remains the gold standard for communication as it is fast, convenient, cost-effective and auditable.
Yet, email was built in a different era, in the days when cyber-threats were few and far between. In sharp contrast, email rates as today's No 1 threat vector endangering organisations, with email-borne threat types multiplying relentlessly year-on-year.
We are inundated with business email compromise (BEC), ransomware, phishing: who knows what's next!
Clearly the days of simply deploying an email security gateway in front of an email server to block spam and viruses are long gone. While gateways still have their place, they are usually reinforced by other technologies to ensure the strongest possible email security.
Why, because gateway technologies are not designed to spot social engineered spear phishing attacks, and there's an ever-present threat that people will be phished on their personal accounts, as these are not controlled by gateways.
Even when a business has taken all the right steps, deploying extra security layers along with an Office 365 environment to protect against sophisticated email-borne threats, the organisation is still vulnerable.
An employer might have considered all angles, but the staff are unlikely to have done so.
Almost every day, they receive messages with links to spoofed domains that attempt to steal their credentials as a prelude to launching internal attacks. Unfortunately, traditional email security technologies are completely at a loss in defending against such attacks.
So are humans really the weakest link?
A recent global study of 630 IT professionals conducted by Dimensional Research that was commissioned by Barracuda Networks, shows that 84 per cent viewed employee behaviour as the chief security concern, rather than inadequate tools (16 per cent). Although there was no consensus on the level of employee likely to fall for an attack, executives were viewed as most likely to be targeted because of the access they have.
Attack methods continually evolve to stay a step ahead of your security strategy. therefore, it is paramount to train employees to be security-conscious critical thinkers who can leverage their knowledge in changing situations
However, frontline staff may be an easier target as they are not always aware of the risks of cyberattack, or understand the likely consequences.
While IT believes new tools such as artificial intelligence can help to identify and block cyberattack types in real time, 100 per cent of survey respondents believe that user training and awareness programmes are vital prerequisites to improving email security. The survey showed that only 77 per cent of respondent companies are training their employees. Larger organisations (over 1,000 employees) are more likely to do so.
According to IT research company Gartner: "Attack methods continually evolve to stay a step ahead of your security strategy. Therefore, it is paramount to train employees to be security-conscious critical thinkers who can leverage their knowledge in changing situations."
Email attacks are becoming increasingly stealthy and targeted, and cyber criminals have shifted their main focus from the largest organisations to smaller targets.
Organisations need to offer users more than just a traditional classroom-style approach. Being able to scale training, move quickly and be offered training at the convenience of each member of staff could make all the difference in an effective programme.
The Dimensional Research survey conducted on behalf of Barracuda also highlights the need for organisations to include training and simulation as part of their overall email security strategy, with 98 per cent of respondents saying their organisation would benefit from additional email security capabilities, including phishing simulation (63 per cent) and social engineering detection (62 per cent).
Organisations can take measures that train employees to understand the latest email attack techniques with advanced solutions such as Barracuda PhishLine. It spearheads the prevention of email fraud, data loss and brand damage by including in their solution the training and testing of employees to recognise highly targeted and socially engineered spear phishing. The solution is available in multiple enterprise-grade versions tailored to suit organisations of all sizes.
PhishLine helps humans to recognise the subtle clues that an incoming email is not in fact from the entity who claims to have sent it.
The solution uses a two-pronged approach to combat this ploy. First, computer-based training gives users a baseline understanding of the latest techniques being used by attackers. Secondly, it embeds learning into business processes by launching customised simulations that test and reinforce good user behaviour. A large library of curated content means faster time to value, while rich reporting and analytics provide visibility.
So, are employees really the weakest link in email security? And is end-user security training and awareness the missing link to complete a comprehensive email security strategy? Data suggests it's definitely a concern, and when we consider all the successful cyberattacks in the news these days, there's almost always a human element involved. Remember, links have to get clicked or attachments must be downloaded in order for these attacks to work.