Email Security 2018 Wrap-up – Your People are Your Weakest Link

January 1st, 2019 – Mimecast posted their most read blog post for all of 2018.

“Email Security dos and don’ts for Employees”.

Another report from Proofpoint with the same theme – to paraphrase – “sorry, but humans are the problem”.

“The Human Factor 2018. People-Centered Threats Define the Landscape”.

Those pesky humans – your staff – remain the top email threat vector, regardless of the sophisticated technologies used to protect email. Web and email security providers’ ability to block web and email threats is improving all the time. They are releasing more robust security solutions, adept at catching exploits – smarter, more accurate, with greater control over and visibility into threat activity and behaviour.

What if there is no technology based threat in the email? Of absolutely any type. No attachment, no embedded formatting or scripting exploits, no dodgy links (at all), nothing. Just text convincing the recipient to divulge sensitive business information.

Social engineering targets human nature. Our desire to be helpful, to get stuff done, to rush through tasks, to connect, curiosity – all marvellously human characteristics, but not intuitively matched with cybersecurity!

Human behaviour will never be free of error, lapses in judgement, or gaps in knowledge. That needs to be ok – “they’re/we’re/she’s/he’s only human”. We have to work with reality, to counter and plan for this reality.

Which means staff email security training. The best cybersecurity solutions today are starting to incorporate AI measures to address social engineering. Do they negate the need for staff awareness? Of course not. I’m not hearing any email security provider contradict this advice today.

Take the view that structured email security staff awareness training is just as important as email security solutions and email authentication (DMARC, DKIM, SPF).

That is why the reports from Mimecast and Proofpoint are talking up the human factor in email and web security. You’ll start reading in similar wrap-up security reports about the consequences of lack of security training – expressed as substantial financial losses.