The past five years have seen a dramatic change in the cybersecurity threat landscape. Our defenses must evolve to meet these new threats. Enterprise security teams have dedicated the last two decades to perimeter protection, and they have gotten quite good at building a secure box in which we may place our sensitive data. However, the rapid evolution of cloud computing and mobile devices rendered this approach insufficient. It’s now almost impossible to clearly define borders of protection as users travel around the world accessing systems both in enterprise data centers and the cloud. Email, in particular, presents a significant risk that cannot be addressed with technology alone.
The Rise of Email-Borne Threats
As organizations began to excel at keeping intruders out of their networks, attackers realized that they didn’t necessarily have to break into a network to achieve their goals. They could be just as effective by tricking someone who was already inside into acting on their behalf. This realization led to the birth and rapid proliferation of phishing attacks, designed to fool insiders into revealing credentials, clicking on links or taking some other action that would undermine enterprise security. And these attacks are sophisticated. Gone are the days of broken English messages and strange fonts. I’ve seen attacks where the fake website set up by attackers looks better designed and more authentic than a company’s actual site!
Security teams have a variety of tools to address email-borne threats. Content filters routinely remove malicious attachments and scan for suspicious URLs. Vendors now recognize that email-based attacks typically drive users to take an action on the web and are tightly integrating email security and web content security solutions to present a united front against attackers. However, technology alone is never enough to address cybersecurity issues that involve the human element. The attackers will always be one step ahead of the defenders.
Building an Employee Education Program
Organizations seeking to protect themselves against email threats must begin by educating users about the risks involved with email and the fact that today’s attacks are designed to look and feel legitimate. These communications work best when they are integrated within the ways that organizations normally communicate important information to users. Whether it’s posters in the break room or articles in the company newsletter, organizations should share clear and practical advice with users to help them protect themselves, and the organization, against malicious email.
The key lesson that these campaigns should drive home is that users should cast a critical eye on anything they receive via email. If a request seems unusual, it probably warrants further investigation and offline verification. An accounts payable clerk who receives an email requesting a funds transfer from a chief financial officer (who is normally meticulous about following proper channels) should trust his or her instincts and confirm the request in person or over the phone. An IT administrator who receives a request to create a vendor virtual private network account from the CEO (who has likely never heard of a VPN) should do the same. Attackers know that employees are intimidated by senior executives and will study the organizational chart as they design their phishing messages.
Email is, indeed, a significant threat to enterprise security. Organizations that combine strong email security technology with an active employee education campaign will find themselves well-defended against this threat.