Endpoint

10/15/2018 10:30 AM
Asaf Cidon
Commentary

4 Ways to Fight the Email Security Threat

It's time to reimagine employee training with fresh, more aggressive approaches that better treat email security as a fundamentally human problem.

Here we go again. On July 26, Sen. Claire McCaskill, D-Mo., said that Russians unsuccessfully tried to hack her Senate computer network.

McCaskill said the phishing attempt was similar to the one used successfully against John Podesta, Hillary Clinton's campaign chairman in the 2016 presidential election. In an indictment on July 13 by special counsel Robert S. Mueller III, several Russian government hackers were accused of sending emails that tricked Podesta and other Clinton staffers into clicking on links that enabled the attackers to obtain the victims’ login and password credentials.

Nearly three-quarters of phishing, malware, and ransomware attacks enter through email, according to a SANS Institute study. Many are phishing attacks in which seemingly legitimate messages fool victims into clicking on links or attachments that begin downloading malicious software and give the nefarious actors access to confidential information or disable the network entirely. In others, an attacker gains access to an email account and impersonates the owner to target employees who are in a position to share sensitive data or initiate wire transfers.

Organizations are nearly three times more likely to suffer a breach through these social attacks than via actual network vulnerabilities, according to Verizon's 2018 Data Breach Investigation Report.

The approaching midterm elections bring new attention to the need for campaign staffers and election officials around the country to be vigilant against these sneaky attacks. However, the hacking-by-email threat is significant for every government agency every day.

At a January conference of the Armed Forces Communications and Electronics Association, David Bennett, director of operations for the Defense Information Systems Agency, said 13 billion questionable messages flood Pentagon email inboxes every year before they are automatically scanned and deleted.

Most other government agencies also are aware of the threat and have deployed email security technologies to protect themselves. However, a major weakness remains: the human factor.

Thanks to growing cybersecurity awareness, 78% of people never click on a phishing attempt, according to the Verizon study. However, 4% can be expected to do so. Since a criminal needs success with only one victim to penetrate a network, that's a troubling number, and it makes employee behavior the clear top risk to email security.

A 2018 survey by my company and Dimensional Research of 630 email security pros around the world showed that poor employee behavior is a much greater cause for concern than whether organizations have the right defensive tools in place. Poor employee behavior was the top concern in the survey at 84%; inadequate tools came in at 16%.

There's also growing concern today that while email remains the primary vector through which malware gets delivered inside organizations, the threat appears to be moving toward collaboration platforms such as Slack or services such as Google Drive that allow for the sharing of files that previously would have been attached to an email or SMS.

And yet, while everyone thinks employee training is important, only 77% of the respondents to our survey have training programs in place at their organizations.

That's madness. It's time to reimagine employee training with fresh, more aggressive approaches that better treat email security as a fundamentally human problem rather than a technical one. Here are four ways in which such a program can be strengthened.

Highly personalized: The email security training programs at many organizations today, if they exist at all, are often generic and rote — say a fairly brief, one-size-fits-all online course administered by the HR department. Instead, programs should be customized to each employee's role, with content geared toward the individual's area of the business. For example, someone with financial responsibilities may have a target on their back for phishing scams in which a hacker poses as a legitimate individual and asks for payment. Training for everyone in such a role should specifically address this type of threat.

More personalization can go a long way toward educating each and every employee.

Carrots, not just sticks: It’s too easy for email security programs to be all about punishing or embarrassing those who fall prey to a scam. There's no reward for good behavior. Employees who, for example, proactively report suspicious correspondence to IT should be recognized in some way, whether in a complimentary memo to all staff or even a material award like a gift card.

Email security programs need to find ways to recognize those who didn't click on a malicious link. Positive reinforcement can be very effective.

Beyond classroom-style training: Stronger tactics are needed than routine, classroom-style courses (whether in person or online). More substantive training using real-world scenarios can be a powerful tool.

For example, agencies could stage a fire drill by having "white hat" specialists hack into the network and stage a simulated attack. In another drill, the account of a recognized senior official could be used to replicate an account takeover attack and gauge how workers respond.

These kinds of in-your-face approaches can help organizations and their employees learn more about their ability to fend off email-borne attacks than they would sitting in a classroom.

More accountability: Department and office-level leaders, not just the central HR or security team, should be held accountable for results of the email security training program. This helps instill a culture of "everyone owns email security" across the organization and also supports the notion that the programs should be tailored to each specific area of the business.

By following these four steps, government agencies and others can better meet the email security threat head-on.

Asaf Cidon is Vice President, Content Security Services, at Barracuda Networks. In this role, he is one of the leaders for Barracuda Sentinel, the company's AI solution for real-time spearphishing and cyber fraud defense. Barracuda Sentinel utilizes artificial ...
Comments

jhon91, User Rank: Apprentice, 10/22/2018 | 11:24:55 AM
Re: Employees
good article

CallumLepide, User Rank: Apprentice, 10/16/2018 | 6:31:06 AM
Employees
Cyber security training is so important, and many companies either overlook it or are using drastically outdated teachings. Employees are the biggest threat to businesses, either maliciously or accidentally. Through research and my own reading, I have found that over 70% of employees understand the risk of clicking on unknown email links, but will click them anyway!