Cybersecurity Leaders Stressed Over Email Security
Email is the most relied-on means of communication for businesses, but it also poses a significant risk due to the combined threats of inbound phishing attacks, human error and data exfiltration leading to outbound security incidents.
A report from Egress found 92% of organizations fell victim to successful phishing attacks in the last 12 months, and 91% of organizations admitted they have experienced email data loss.
Perhaps unsurprisingly, then, 99% of cybersecurity leaders surveyed confessed to being stressed about email security.
Jack Chapman, vice president of threat intelligence at Egress, explained that the stress of protecting and managing email systems is made even more difficult due to their complexity, including a combination of new and legacy technologies.
“Additionally, security teams have traditionally faced the burden of sifting through copious amounts of data in admin portals, which may not always be relevant or useful, slowing down their ability to quickly identify and resolve security issues,” he said.
Chapman added that threats are becoming more sophisticated, with more text-based attacks that leverage social engineering and trusted compromised supply chain email addresses.
“These threats are designed to specifically evade traditional perimeter defenses such as secure email gateways and are difficult for people to identify as phishing emails when they land in the inbox,” he said.
The AI Email Threat
Artificial intelligence (AI) is also increasingly being used to create better phishing emails and campaigns at scale, which means there are fewer obvious signs of phishing to look out for, such as spelling and grammar mistakes.
“Many of these attacks are becoming so convincing that even cybersecurity professionals can sometimes be fooled just by looking at an email,” Chapman noted.
Patrick Harr, CEO of SlashNext, added that phishing threats like business email compromise (BEC), supply chain attacks and account takeovers are constantly targeting users in organizations.
“When these attacks are successful, they lead to ransomware, data loss and monetary costs,” he cautioned. “If the breach is public and high-profile, the company losses will be in the millions, plus brand reputation damage, loss in company productivity and job loss is the certain outcome.”
Harr pointed out that remote workforces have increased the use of personal devices and personal apps for work, which were the direct cause of a number of high-profile corporate breaches in 2022.
“It is increasingly difficult for employers to ensure the security of sensitive information and, despite the availability of tools and options for securing data, many employers are not confident in their ability to effectively manage WFH workforces,” he explained.
Doubling the Attack Surface
This is further compounded by the fact that employees often use both corporate and personal devices for work, effectively doubling the attack surface for cybercriminals.
“As the threat of phishing continues to grow, it is becoming increasingly important for employers to find new and effective ways to secure their corporate data,” he said.
Chapman pointed out that with 46% of cybersecurity leaders reporting that employees rush through security training, traditional methods are inadequate for combating day-to-day phishing attacks.
“People may not be paying attention or even remember what was covered in an online module one month ago when faced with a real phishing attack,” he said.
Mika Aalto, co-founder and CEO at Hoxhunt, explained the best way to protect your organization or your team against phishing attacks is through security behavior change.
“True security behavior change is about keeping you and your workforce updated on the latest cybersecurity dangers, knowing what to look out for and what to do if a potentially dangerous interaction occurs,” he said.
From his perspective, maintaining behavior change is the most vital step, as this is where most security training solutions fall apart.
“Most companies will train in one, large unrewarding training session,” he said. “However, this often leads to a false sense of completion.”
Once an employee completes this type of training, they’re left to fill in the gaps of knowledge themselves, which can lead to significant holes in the company’s cybersecurity efforts.
Chapman said a holistic approach to email security can be measured through two categories: Detection and impact.
“Detection refers to correctly identifying threats while reducing false positives and false negatives, while impact evaluates how effectively inbound and outbound risk is reduced,” he explained.
This improves the security of the organization, protecting client and company data and ensuring less friction for both users and administrators.
“Having access to a single holistic view of data and trends for both inbound and outbound email security allows businesses to act quickly to effectively manage areas of risk and remediate threats,” Chapman noted.