People – Email Security’s Weakest Link

Email security used to be simpler. In the pre-cloud era, a best-in-class firewall, a strong antivirus/antispam solution, and good security software on every endpoint were considered enough.

Those controls are no longer enough. Email is by far the most important business communications application, and correspondingly the number-one channel by which security breaches enter organisations.

Adoption of baseline email security measures is a serious problem. An alarmingly high percentage of organisations have not deployed the basics, namely SPF, DKIM and DMARC with reporting enabled, let alone the advanced threat protection solutions available today.
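The "basics" above are just DNS TXT records, and the most common failure is not that they are missing but that they are published in a form that protects nothing (an SPF record ending in +all, a DMARC record left at p=none with no reporting address). The following Python script is an added example, not part of the original article: it parses an SPF record and a DMARC record the way a receiving mail server does and reports the settings that leave the domain spoofable, with a weak and a hardened record for each. The domains, addresses and records are constructed; a real check would fetch the TXT records for the domain and for _dmarc.<domain> and pass them in.

```python
"""Lint SPF and DMARC TXT records for the weak settings a spoofer benefits from.

Added example, not from the article. The records below are constructed; a real
check would fetch the TXT records for <domain> and _dmarc.<domain> over DNS and
pass them to these functions.
"""
import re

# SPF terms that each cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
_LOOKUP_TERM = re.compile(r"(include:|a\b|mx\b|ptr\b|exists:|redirect=)")


def lint_spf(record: str) -> list[str]:
    """Return findings for one SPF record; an empty list means nothing to fix."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    all_qualifier = None
    has_redirect = False
    lookups = 0
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            all_qualifier = m.group(1) or "+"      # a bare 'all' means '+all'
            continue
        bare = term.lstrip("+-~?").lower()
        has_redirect = has_redirect or bare.startswith("redirect=")
        if _LOOKUP_TERM.match(bare):
            lookups += 1
    findings = []
    if all_qualifier == "+":
        findings.append("+all: every host on the internet passes SPF for this domain")
    elif all_qualifier == "?":
        findings.append("?all: unlisted senders get a neutral result, so spoofed mail is not failed")
    elif all_qualifier is None and not has_redirect:
        findings.append("no 'all' term: unlisted senders default to neutral, same effect as ?all")
    elif all_qualifier == "~":
        findings.append("~all: softfail; DMARC treats it as not-pass, so enforce DMARC or move to -all")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10: receivers return permerror")
    return findings


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(record: str) -> list[str]:
    """Return findings for one DMARC record; an empty list means nothing to fix."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag: receivers ignore the whole record")
    elif policy == "none":
        findings.append("p=none: monitor-only, mail that fails DMARC is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so spoofing of the domain goes unseen")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct != "100":
        findings.append(f"pct={pct}: the policy is applied to only part of the mail stream")
    if policy in ("quarantine", "reject") and tags.get("sp") == "none":
        findings.append("sp=none: subdomains stay unprotected although the organisational domain is enforced")
    return findings


# Constructed records: a weak and a hardened version of each.
WEAK_SPF = "v=spf1 a mx +all"
HARDENED_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.mail-provider.example -all"
WEAK_DMARC = "v=DMARC1; p=none"
HARDENED_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; pct=100; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, record, lint in (("weak SPF", WEAK_SPF, lint_spf), ("hardened SPF", HARDENED_SPF, lint_spf),
                                ("weak DMARC", WEAK_DMARC, lint_dmarc), ("hardened DMARC", HARDENED_DMARC, lint_dmarc)):
        print(f"{label}: {record}")
        for finding in lint(record) or ["ok"]:
            print(f"  - {finding}")
```

Two caveats worth stating next to the script. First, SPF only checks the envelope sender and DMARC only checks the From: domain, so a correctly published set of records stops an attacker from sending as your domain but does nothing against a lookalike domain or a genuinely compromised account, which is the article's point. Second, p=none is a legitimate first step while the reports in rua= are used to enumerate every legitimate sending source; it is a finding here because many organisations never move past it.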

Where they are adopted, multi-layer, AI-driven email security solutions are catching up with attackers in effectiveness.

So attackers are now side-stepping improving security technology. How? By targeting humans. Social engineering needs no technology at all, just soft skills.

Social engineering tricks staff into taking actions that compromise organisational security. Exploiting human vulnerabilities and foibles has become the single most effective strategy available to attackers.

For example, email fraud targets key staff who have direct access to corporate financial data and decision-making power. Their email addresses are spoofed, or their accounts are compromised and taken over outright, and the result is used to send instructions to colleagues that carry the full organisational authority of the impersonated sender.
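The impersonation described here takes a few recognisable forms in the headers of the message: an executive's name as the display name on an outside address, a sender domain built to look like the organisation's own, a Reply-To that quietly diverts replies elsewhere, or the organisation's own domain in From: without a DMARC pass from the inbound gateway. The following Python script is an added example, not part of the original article, showing how an inbound-mail check can score a message against those patterns; it also illustrates the "domain spoofing", "user impersonation" items in the training list later in the piece. The organisation domain, the executive roster and the four sample messages are constructed for illustration.

```python
"""Flag inbound mail that impersonates a senior member of staff.

Added example, not from the article. The organisation domain, the executive roster
and the four sample messages are constructed for illustration.
"""
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"
# Constructed roster: display name -> the only address that person sends from.
EXECUTIVES = {
    "Jane Doe": "jane.doe@example.com",
    "Sam Patel": "sam.patel@example.com",
}


def _norm(name: str) -> str:
    """Fold case, accents and punctuation so 'jane doe' and 'Janè  Doe' compare alike."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", ascii_name.lower()).split())


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot typosquats such as examp1e.com or exarnple.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True for a domain that is not ours but is built to look like ours."""
    d = domain.lower()
    if d == ORG_DOMAIN:
        return False
    if levenshtein(d, ORG_DOMAIN) <= 2:
        return True
    # Our brand label embedded in a foreign domain: example-payments.net, example.com.evil.test
    return ORG_DOMAIN.split(".")[0] in d


def assess(raw_message: str) -> list[str]:
    """Return findings for one message, given its headers as seen by our inbound gateway."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    findings = []
    for exec_name, exec_addr in EXECUTIVES.items():
        if _norm(name) == _norm(exec_name) and addr.lower() != exec_addr:
            findings.append(f"display name '{name}' matches {exec_name} but the address is {addr}")
    if is_lookalike(from_domain):
        findings.append(f"sender domain {from_domain} is a lookalike of {ORG_DOMAIN}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        findings.append(f"Reply-To {reply_to} diverts replies away from the From domain")
    # Mail claiming our own domain must carry a DMARC pass recorded by our gateway.
    auth_results = msg.get("Authentication-Results", "")
    if from_domain == ORG_DOMAIN and not re.search(r"\bdmarc=pass\b", auth_results):
        findings.append("From claims our domain but the gateway recorded no DMARC pass")
    return findings


# Constructed sample messages (headers only matter here; bodies are one line).
DISPLAY_NAME_SPOOF = """\
From: Jane Doe <jane.doe.ceo@freemail.test>
To: accounts@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=freemail.test; dmarc=pass header.from=freemail.test

Please process the attached payment today and keep this confidential.
"""
LOOKALIKE = """\
From: Sam Patel <sam.patel@examp1e.com>
To: accounts@example.com
Subject: Updated supplier bank details

Please use the new account details below for all future invoices.
"""
DOMAIN_SPOOF = """\
From: Jane Doe <jane.doe@example.com>
Reply-To: jane.doe@freemail.test
To: accounts@example.com
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=evil.test; dmarc=fail header.from=example.com

Are you at your desk? I need a payment made before the bank closes.
"""
LEGITIMATE = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Please see the approved budget attached.
"""

if __name__ == "__main__":
    for label, raw in (("display-name spoof", DISPLAY_NAME_SPOOF), ("lookalike domain", LOOKALIKE),
                       ("direct domain spoof", DOMAIN_SPOOF), ("legitimate", LEGITIMATE)):
        print(f"{label}: {assess(raw) or ['no findings']}")
```

Note what this check cannot do: the second case in the paragraph above, a genuinely compromised executive account, produces a message that passes every test here, because the From address, the domain and the DMARC result are all real. That is why a process control (confirming any change to payment instructions over a separately known phone number) has to sit alongside the technical filter.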

A Holistic Organisation-Wide Cyber Security Strategy

Technology-based defenses backed by threat intelligence are critical and non-negotiable for combating email attacks, but today threat protection technology is just one pillar of an overarching security strategy.

If attackers use a combination of technical and non-technical (that is, human-to-human) strategies to breach security, then every staff member is a stakeholder and has a role to play in resilience against email fraud. All end-users need to be enrolled in a security awareness program. Some end-users are more phish-prone than others, but proceed on the principle that all staff are targets, so all staff will benefit from increased security awareness.

A holistic email security solution should prevent email-based attacks before they occur, and must also cover email continuity and recoverability. What is the plan for keeping business email communications running if the email system is down? Sending and receiving email during a business-wide outage is a scenario that must be planned for.

If emails are lost, the capability to restore them at the required granularity is needed: individual emails, whole mailboxes, or the entire email system.

Technology is only one part of an Email Security Strategy

Email security’s weakest link is people. Respond to this reality by raising staff awareness of their role in a comprehensive email security strategy. Train for a healthy wariness when evaluating emails that involve:

  • Email links and attachments
  • Domain spoofing and impersonation
  • User impersonation
  • Links to fake online applications

Keeping email security top of mind is now non-negotiable for every employee. Attackers leverage humans to side-step security technology, so build a security culture at work that sets the tone for how email is used.