The days of simply deploying an email security gateway in front of the email server to block spam and viruses from reaching your end users are long gone. And while today’s gateways absolutely still have their place, in most instances they’re accompanied by additional technologies to ensure the best email security approach possible. This is because gateway technologies aren’t designed to spot social engineered spear phishing attacks, and there’s always a chance that people can get phished on personal accounts that aren’t controlled by gateways at all. However, if you’re concerned about users falling victim to Business Email Compromise (BEC), impersonation or spear phishing attacks—perhaps you’ve already deployed a solution that leverages AI to help identify and block these types of attacks in real time?
But let’s say you’ve taken all the right steps. You’ve even deployed extra security layers along with your Office 365 environment to protect against sophisticated email-born data theft, malware, phishing attempts, and anything else that might find its way into your users’ inboxes. Maybe you’re even backing up your Office 365 environment just in case ransomware gets through and you need to restore your system to avoid paying criminals a hefty ransom. You’ve really thought about everything, but there’s just one problem—your users probably haven’t.
End users are the recipients of messages with links to spoofed domains that attempt to steal their credentials in order to launch internal attacks. They’re also the lucky recipients of various social engineering attacks, including often convincing attempts that end with a wire transfer to criminals. Unfortunately, these are attacks that your traditional email security technologies just won’t defend against. But are humans the weakest link?
To shed some light on the subject, we recently worked with Dimensional Research to help conduct an email security study that includes a specific focus on the current experiences organizations have with employee behavior and the associated email security risks. The study includes responses from over 630 participants from around the globe who all had a responsibility for email security within their organizations. Let’s take a look:
Employee behavior is a main concern
This data supports the notion that effective email security isn’t necessarily about the tools that organizations have in place to stop threats, but rather that poor employee behavior is a much greater cause for concern. This has always been the consensus, so it’s great to see the data back it up. Poor employee behavior was the top concern at 84%. Inadequate tools came in at 16%.
No real consensus on the level of employee that will fall for an attack
This is a good example of how criminals are potentially balancing their attacks and not necessarily targeting any particular level of employee. Individual contributors were the top concern at 46%, with executives coming in at 39%, and team managers at 15%.
Like with any scam, email security attacks are a numbers game. The more attempts made, the more likely someone will fall for one, and there are a lot more individual contributors available to attack than executives. However, the payoff could be larger if an executive falls for a social engineering attack due to the access they have to sensitive information. This is further proof that criminals are operating like a business—they are making good risk/reward decisions just like someone would when organizing a corporate strategy.
Executives have access, staff lack awareness
As discussed above, this data supports the idea that executives are viewed as more likely to be targeted because of the access they have. However, the easier target may in fact be the frontline staff who aren’t always aware of the risks and impacts related to bad behavior.
Finance departments are considered to be the most vulnerable
It’s no real surprise here that finance employees are viewed as the most vulnerable since they have access to the crown jewels, but we found it somewhat surprising that employees of legal departments were so far down the list because of the access they would typically have to important corporate information. The following chart shows breakdown by department, with finance being the most worrisome for 24% of respondents.
Breaches are expensive
Based on the data presented here, there’s no real consensus in terms of which type of email security breach would be the most expensive. That question broke down as follows:: stolen information – 40%, ransomware – 33%, BEC – 27%.
Information theft is the classic breach example; however, ransomware and BEC attacks are still fairly new and yet they have quickly closed the gap in terms of effectiveness. This shows that criminals now prefer direct monetization attacks over a traditional theft sale. One of the reasons worth noting could be that information theft requires a buyer for criminals to profit from, while these newer attacks do not—meaning less work for the criminals. Cutting out the middleman is no longer just an 80’s car commercial slogan.
End-user training is important, but a better offering is needed
It’s great to see that folks recognize the importance of end-user training rather than just labeling it as a “nice to have” option. 100% of respondents say end-user training is important.
But, we’re also seeing that it’s important for organizations to offer users more than just a traditional classroom-style approach. Being able to scale training, move quickly, and be offered at the convenience of each employee could make all the difference in an effective program.
Who is actually training their users?
While we saw above that everyone thinks training is important, not everyone is doing something about it. Although 100% of the respondents have good intentions, only 77% are actually training their employees.
It also appears that the larger organizations (over 1000 employees) are more likely to implement training. This isn’t uncommon as enterprises are often early adopters of new business trends and technologies, but smaller organizations usually follow after new practices are proven. Lastly, the data shows that third-party training is in the cards for some (41%) for phishing and spear phishing training. That would mean that the remaining organizations are doing some form of in-house user training on their own.
So, is end-user security training and awareness the missing link to your complete email security strategy? The data here suggests that it’s definitely a concern, and if you think about how many of today’s attacks launch—there’s almost always a human element involved. Links have to get clicked, attachments must be downloaded, or money has to get transferred by someone in order for these attacks to work. With that said, here are some quick resources in case you’d like to learn more about end-user security training.
Combattre le phishing par les simulations et la formation continue
Comprehensive Email Protection White Paper
Ongoing threats and modern protection (pdf download)
Evolution of Spear Phishing White Paper White Paper
Learn the difference between phishing and spear phishing
Best Practices for Protecting Against Phishing, Ransomware, and Email Fraud
Learn about the current security landscape and how to bolster your security posture
Dennis Dillman est vice-président de la gestion produit sur PhishLine chez Barracuda Networks. À ce titre, il est responsable du déploiement d'un programme de formation totalement nouveau autour de la plateforme PhishLine et collabore avec des clients du Fortune 100 afin de concevoir et d'améliorer leurs programmes de sensibilisation à la sécurité.