Is User Training the Weakest Link for Your Email Security Approach?

The days of only deploying an email security gateway to block viruses, spam and other threats from reaching user email accounts are gone. Even though gateways no doubt have their place in a comprehensive security strategy, in most cases they are paired with supplementary technologies to ensure the most effective layered email protection. This is critical because gateways aren't designed to sniff out attacks such as social engineering, phishing, spear phishing, and business email compromise (BEC). There is also the constant possibility of users being phished on personal email accounts that aren't controlled by gateways at all. There are technologies to accompany gateways such as AI powered email security solutions, which offer the best hope to stop spear phishing, impersonation and BEC attacks.

But, let's say you are well informed and have already deployed extra security layers to protect against sophisticated email-borne data theft, malware, phishing and other threats. Perhaps you even have a comprehensive backup and recovery strategy to combat ransomware attempts that could hold your data hostage? From a technology standpoint you've thought of everything, but the problem is—your users probably have not. This could be especially true for mid to low-level employees including sales or customer service teams where being security aware just isn't at the top of their to-do list. Ultimately, these folks could be part of the problem without even know it.  

That's because end users frequently receive messages containing links to spoofed websites where criminals intend to steal their credentials in order to gain entry and launch attack campaigns. These employees are also the unlucky recipients of numerous social engineering attacks, including fraud attempts that could result in wire transfers to cybercriminals. What's more alarming, is that these attacks avoid traditional security technologies, making the actions users take more important than ever. In order to shed a bit more light on this piece of the email security puzzle, Dimensional Research recently collected data from over 630 participants located around the globe who all had some level of responsibility for email security within their organization. Let's take a deeper look at some of the points covered in the research:   

User behavior and security risks

One of the points that really stands out to me, is that effective security these days isn't just about security tools and technology, but that employee behavior is actually a greater concern. 84 percent of the respondents attributed security concerns to poor employee behavior while 16 percent cited inadequate tools as the culprit.

It was also interesting to see that there is no real consensus on the level of employee or title that is most likely to fall for an attack. This is proof that cybercriminals are balancing their attacks across organizational levels and not targeting any particular level of employee.

The reasoning for this is that like with any scam, email attacks are typically a numbers game. The more attempts made, the better success rate criminals have, which is one of the reasons they continue to go after individual contributors—there are just more targets available. Alternatively in targeting executives, the payoff is much greater as they have access to more sensitive and critical information. This supports the idea that criminals are operating just like a business—they make good risk versus reward decisions.

Finance is considered the most vulnerable

It probably isn't surprising to anyone that finance employees are thought of as being the most vulnerable, as they usually have access to the company's crown jewels. 24 percent of respondents believe that finance departments are the most vulnerable to an attack. What might be surprising about this set of findings is that the respondents believe that legal departments are of very little risk. Perhaps legal teams are just viewed as being more aware of the consequences or less likely to act on an attempted attack?

On the other side of the office, we have the sales and customer service departments, who according to respondents—were the most likely to put their organization at risk. This could be simply because these teams communicate heavily over email at a rapid pace, which could open the door for attacks. Regardless of the reason, if the belief is true—organizations may want to take the necessary steps to make sure these teams are aware of the possible threats that could be lurking in their inboxes.  

End user training is essential, but a better offering is needed

100 percent of the respondents said that end-user training is important to their email security posture. It is great to see that training is recognized as an important cog rather than labeling it as a "nice to have" piece of the strategy.  

We also learned that organizations are offering more than just a traditional classroom style approach to education for their users. In our experience, the most effective programs are able to scale, move quickly, and offer the flexibility to work into and around busy schedules. Offering training at the convenience of each individual's schedule makes all the difference in retention of information and employees' willingness to participate. With that said, it's essential to test if these training programs are making an impact. This could mean testing employees on their knowledge with simulated email attacks, or even tracking behavior to help security teams drill down on weaknesses in their organization.

Who actually trains their users?

We're seeing that all organizations have good intentions, but according to the data, only 77 percent of the respondents said they are actually training their employees. Not a terrible number by any means—but there's definitely still a gap, and room to improve.

The reported data also shows that organizations with over 1000 employees are more likely to implement training. This isn't uncommon or too surprising as large businesses have more resources and are typically early adopters of new technologies and trends. Smaller organizations usually follow proven practices, but are forced to make the most of their available budgets.

Ideally, every organization regardless of the size should be exploring new technologies and practices to adapt to the evolving threats in the wild. Employees of any level or title should be trained regularly and tested on their security knowledge.

So, is end-user security training and awareness the missing link to your complete email security strategy? The data shown suggests that it is definitely a clear concern, and if you consider the amount of attacks happening daily—almost every incident involves human interaction.

Malicious links must be clicked for cybercriminals to gain initial entry. Attachments must be downloaded and money has to be willingly transferred by an unsuspecting employee for these attacks to be successful. Putting training at the top of your layered security strategy alongside your technology stack will ensure that your employees are less of a liability, and the risk of a breach will be significantly lower.

About the author: Dennis is responsible for entire business lifecycle of the PhishLine product family at Barracuda Networks, including product strategy, product design, sales, onboarding, support, and renewals.

Copyright 2010 Respective Author at Infosec Island

via Infosec Island Latest Articles
RSS Feed

If New feed item from, then send m



Popular posts from this blog

Evernote cuts staff as user growth stalls

The best air conditioner