Email is the most significant threat vector of a corporate network, and thus should be a priority when setting up a risk management strategy.
IBM’s ban of the use of removable devices a few months ago made a lot of sense as part of a broader risk management strategy and information security plan countering the wide range of security threats facing all organizations.
Devices such as USB sticks and flash drives are a genuine threat. They are in mass use, easily loaded with malware and commonly handed out at trade events or used to transport documents between home and the workplace. Banning such devices removes the threat of physical introduction and subsequent lateral movement of malware by users outside an organization’s network. It is an initiative that shuts off one of the avenues used by criminals and hackers seeking to steal, destroy or ransom important data or intellectual property.
IBM is not alone in taking action. The U.S. government has already significantly reduced the threat of removable devices and accompanied the initiative with a set of policies including baseline configurations, hardware-tracking and encryption.
In cybersecurity, an organization needs to control the controllable. Policies and governance need to be established, accepting that there will be a few exceptions where removable devices may have to be used by certain defined members of staff, possibly in conjunction with filters or use of a central repository. Any organization adopting this approach may also have to re-architect its network to ensure that, even with the reduction in the use of removable media, information technology can still meet the organization’s business needs and handle the increase in file movement inside its network.
Which Cyber Borders Must Be Prioritized in a Risk Management Strategy?
Banning removable devices takes an important threat vector off the table, but it is not a security panacea. State-sponsored hackers and cybercriminals have many methods of forcing entry into a network, and the ban on USB sticks, flash drives and SD cards only blocks one of several windows they can climb through.
Organizations need to protect themselves by creating an overall risk management strategy. They must become aggressive toward all the other threat vectors that will continue to exist inside a network, especially email. They must assess all their vulnerabilities and address them through a multi-layered approach founded on innovative technology.
This should commence with a full assessment of data to establish high-value assets and ensure they are protected. If a company feels it lacks the resources to undertake this work, it should seek a third-party partner with requisite expertise.
All possible attack vectors must be mapped and a strategy devised to eliminate them. For example, is the organization ignoring the immense dangers in emails or neglecting to train staff in cybersecurity best practice?
Focus on the Dangers in Email Attachments
Email is the lifeblood of an organization, but it is the most significant threat vector of all and must be a major priority when setting up a risk management strategy. Criminals know that millions of emails are constantly in circulation and offer the simplest route into a target organization’s network.
The most lethal and widespread danger in emails is the malware content hidden in file attachments. Verizon’s “2017 Data Breach Investigations Report” found that 66 percent of successful malware installations were perpetrated via malicious email attachments. Security giant Symantec believes 1 in 635 emails is malicious, while Kaspersky Lab reports that it processed 360,000 malicious emails a day in 2017. More than 9 out of 10 of these malicious files were carrying some form of malware. David Bennett, the director of operations at the U.S. Defense Department, has estimated that his organization blocks 36 million malicious emails every day. There can be no doubting the seriousness of the email-borne security threat.
Yet, it is the human element that leaves an organization vulnerable to email attacks, because it only takes a single employee clicking open a malicious attachment for an entire system to be exposed to malware. This year’s Verizon report (2018) highlights the success of socially engineered attacks in which emails are the vector in 96 percent of cases. Research conducted among 2,000 office workers in the United States and U.K. last year also demonstrated the danger of human error or neglect, as 62 percent of employees admitted they would click open an email from someone they did not know.
While it is important that organizations tackle threats such as removable devices through a governance-based risk strategy, it is obvious that they must also devote resources to countering the malware threats to which the human element leaves them vulnerable.
Innovative Technology Safeguards an Organization from Human Error
As necessary as it is to train staff in cyberhygiene and good email practice, it is not possible to rely solely on employees to protect an organization from email-borne threats. An organization’s users are not especially well equipped to counter the threat presented by social engineering or phishing and will continue to be the largest threat vector. Risk cannot be trained out of a company, because the need to conduct business and the presence of motivated and sophisticated threat actors will always present a viable threat vector. In other words, you cannot lock down the “wetware.”
Prevention of email-borne attacks is only possible through the deployment of innovative technology that takes a more active stance against the millions of new malware variants that hackers send out to their targets every year. This must be one of the cornerstones of a defense-in-depth approach, using policies, processes, training and state-of-the-art technology to provide effective protection from the full range of threats facing businesses and organizations of all sizes.
Advancements in deep file inspection, remediation and sanitization technology are infinitely more effective than reliance on anti-virus solutions and sandboxing alone, and they support the human element of security, which remains the chief source of vulnerability to email-borne malware.
While a ban on removable devices is a sensible and cost-effective way to improve an organization’s risk profile, organizations cannot rely on it as a one-club approach to cybersecurity. They must devote resources to a broad-based strategy, reducing their exposure to all the main sources of risk, including most urgently the email attachment.
— Greg Sim