Dark Reading is part of the Informa Tech Division of Informa PLC

10/15/2018
10:30 AM
Asaf Cidon
Commentary

4 Ways to Fight the Email Security Threat

It's time to reimagine employee training with fresh, more aggressive approaches that better treat email security as a fundamentally human problem.

Here we go again. On July 26, Sen. Claire McCaskill, D-Mo., said that Russians unsuccessfully tried to hack her Senate computer network.

McCaskill said the phishing attempt was similar to the one used successfully against John Podesta, Hillary Clinton's campaign chairman in the 2016 presidential election. In an indictment on July 13 by special counsel Robert S. Mueller III, several Russian government hackers were accused of sending emails that tricked Podesta and other Clinton staffers into clicking on links that enabled the attackers to obtain the victims’ login and password credentials.

Nearly three-quarters of phishing, malware, and ransomware attacks enter through email, according to a SANS Institute study. Many are phishing attacks in which seemingly legitimate messages fool victims into clicking on links or attachments that begin downloading malicious software and give the nefarious actors access to confidential information or disable the network entirely. In others, an attacker gains access to an email account and impersonates the owner to target employees who are in a position to share sensitive data or initiate wire transfers.

Organizations are nearly three times more likely to suffer a breach through these social attacks than via actual network vulnerabilities, according to Verizon's 2018 Data Breach Investigation Report.

The approaching midterm elections bring new attention to the need for campaign staffers and election officials around the country to be vigilant against these sneaky attacks. However, the hacking-by-email threat is significant for every government agency every day.

At a January conference of the Armed Forces Communications and Electronics Association, David Bennett, director of operations for the Defense Information Systems Agency, said 13 billion questionable messages flood Pentagon email inboxes every year before they are automatically scanned and deleted.

Most other government agencies also are aware of the threat and have deployed email security technologies to protect themselves. However, a major weakness remains: the human factor.

Thanks to growing cybersecurity awareness, 78% of people never click on a phishing attempt, according to the Verizon study. However, 4% can be expected to do so. Since a criminal needs success with only one victim to penetrate a network, that's a troubling number, and it makes employee behavior the clear top risk to email security.

A 2018 survey by my company and Dimensional Research of 630 email security pros around the world showed that poor employee behavior is a much greater cause for concern than whether organizations have the right defensive tools in place. Poor employee behavior was the top concern in the survey at 84%; inadequate tools came in at 16%.

There's also growing concern today that while email remains the primary vector through which malware gets delivered inside organizations, the threat appears to be moving toward collaboration platforms such as Slack or services such as Google Drive that allow for the sharing of files that previously would have been attached to an email or SMS.

And yet, while everyone thinks employee training is important, only 77% of the respondents to our survey have training programs in place at their organizations.

That's madness. It's time to reimagine employee training with fresh, more aggressive approaches that better treat email security as a fundamentally human problem rather than a technical one. Here are four ways in which such a program can be strengthened.

Highly personalized: The email security training programs at many organizations today, if they exist at all, are often generic and rote — say, a fairly brief, one-size-fits-all online course administered by the HR department. Instead, programs should be customized to each employee's role, with content geared toward the individual's area of the business. For example, someone with financial responsibilities may have a target on their back for phishing scams in which a hacker poses as a legitimate individual and asks for payment. Training for everyone in such a role should specifically address this type of threat.

More personalization can go a long way toward educating each and every employee.

Carrots, not just sticks: It’s too easy for email security programs to be all about punishing or embarrassing those who fall prey to a scam. There's no reward for good behavior. Employees who, for example, proactively report suspicious correspondence to IT should be recognized in some way, whether in a complimentary memo to all staff or even a material award like a gift card.

Email security programs need to find ways to recognize those who didn't click on a malicious link. Positive reinforcement can be very effective.

Beyond classroom-style training: Stronger tactics are needed than routine, classroom-style courses (whether in person or online). More substantive training using real-world scenarios can be a powerful tool.

For example, agencies could stage a fire drill by having "white hat" specialists hack into the network and stage a simulated attack. In another drill, the account of a recognized senior official could be used to replicate an account takeover attack and gauge how workers respond.

These kinds of in-your-face approaches can help organizations and their employees learn more about their ability to fend off email-borne attacks than they would sitting in a classroom.

More accountability: Department and office-level leaders, not just the central HR or security team, should be held accountable for results of the email security training program. This helps instill a culture of "everyone owns email security" across the organization and also supports the notion that the programs should be tailored to each specific area of the business.

By following these four steps, government agencies and others can better meet the email security threat head-on.

Asaf Cidon is Vice President, Content Security Services, at Barracuda Networks. In this role, he is one of the leaders for Barracuda Sentinel, the company's AI solution for real-time spearphishing and cyber fraud defense. Barracuda Sentinel utilizes artificial ...
Comments
CallumLepide,
User Rank: Apprentice
10/16/2018 | 6:31:06 AM
Employees
Cyber Security training is so important and many companies either overlook it or are using drastically outdated teachings. Employees are the biggest threat to businesses, either maliciously or accidentally. Through research and my own reading, I have found that over 70% of employees understand the risk of clicking on unknown email links, but will click them anyway!
jhon91,
User Rank: Apprentice
10/22/2018 | 11:24:55 AM
Re: Employees
good article 