Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

12/2/2016
08:00 AM
Roland Cloutier
Roland Cloutier
Commentary
100%
0%

The Human Firewall: Why People Are Critical To Email Security

Technology is just the beginning; employees must be fully on board with security procedures.

Company email systems have become one of the biggest targets for cybercriminals with larger businesses the more frequent target due to their greater surface area of risk, diversity — and more opportunities to exploit.

According to a recent survey, more than half of organizations attribute a security incident or data breach to a malicious or negligent employee. So although companies invest a lot of money, resources, and time into developing a strong email security system, the system won't be worth much if employees —  the human firewall — aren't on board.

Your human firewall encompasses how well employees understand the importance of the right security practices and how easily they can act on them. Right now, most organizations aren't doing an adequate job, but there are steps that companies can take to help keep email safe. It starts with focusing on both technology and the people using it:

1. Put comprehensive security protocols in place and build partnerships within the business.

Your email security program needs to work from the time a message is sent, to when it is received, whether it is coming in or going out of your network. Email servers can perform a number of functions to protect your mail environment and network, and an email platform that secures the data when it's both at rest and in transit is key.

There are several important elements to put this foundation in place, including:

  • Encryption, such as transport layer security (TLS). TLS lets email servers communicate in a secure manner over an encrypted channel, blocking bad actors from accessing the content of emails that they intercept.
  • Email verification systems. Domain-based Message Authentication, Reporting and Conformance (DMARC) is an effective system that lets servers validate that incoming mail actually comes from the organization that is listed as the sender. DMARC is built on both a Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), ties them together to verify email addresses, and automatically discards any messages that fail the test.
  • DMARC/SPF records. In addition to testing inbound mail, you should publish DMARC/SPF records for your organization's domains, and sign outgoing messages with DKIM, to prevent the sending of fake emails that appear to come from your company.
  • The right role for the security team. Administrative controls should allow the security team to have transparency and operational security oversight of the email platform. This includes using separate administrative accounts as well as monitoring access to these accounts, since they are often prime targets for hackers.

2. Educate and engage employees on how to use security tools properly and make them aware of their individual responsibilities and company policies with ongoing training and communications.

Implementing security best practices for all employees — i.e., policies for "bring your own device" and mandated password changes — plays an important role in employees making the right decisions around email security. However, these protocols should also resonate with employees. Creative communication techniques — such as webcasts and quizzes — can help employees realize the importance of security practices by linking important aspects of security from their private lives to their work lives.

Engaging employees will also help security teams overcome the challenge of employees viewing security as an obstacle that prevents them from doing their work. Instead, when security becomes personal, employees are encouraged to be active partners in helping to protect the organization.  

3. Continually monitor and measure effectiveness of your security program and human firewall to manage your risk.

Monitoring and measuring the effectiveness of email security programs and the human firewall must be an ongoing effort. Employee security awareness must evolve with the constantly changing technology industry. This starts with keeping metrics that track the security awareness of employees over time. Metrics to use should include the number of reported incidents, visits to unapproved sites, email violations, phishing report rates, insider threats, percentage of infections while employees are remote, and the average time it takes employees to report a lost device.

You can also monitor for employee compliance by testing your employees with simulations, such as periodic phishing awareness. Organizations should use this tactic to get a sense of whether communications, training, and policies are connecting with employees and are effective in securing the email system.  

Emails are accessed by every employee and contain confidential information about your company and customers, making them both difficult and crucial to secure. Because of the human element, a mix of comprehensive security protocols, educating and engaging employees, and continuous monitoring is needed to prevent emails from becoming a gateway for hackers.

Company leadership in partnership with security teams and human capital management professionals should reward employees who embrace security practices. For employees who don't comply, fair yet disciplined programs can eradicate behaviors that threaten security. In other words, an email security program is only as secure as the people using it, but your employees can't do it alone. 

Related Content:

As the chief security officer of ADP, Roland Cloutier works to protect and secure one of the world's largest providers of business outsourcing solutions. His expertise includes managing converged security and business protection programs. Roland has functional and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Maisons pierre
50%
50%
Maisons pierre,
User Rank: Apprentice
3/15/2017 | 12:53:42 PM
Virus
Like my developper says, the virus is always between the chair and the screen, YOU ! People need to be educated more and more about phishing for exemple.
Lily652
100%
0%
Lily652,
User Rank: Moderator
12/11/2016 | 1:08:35 PM
prayer times

It was a very good post indeed. I thoroughly enjoyed reading it in my lunch time. Will surely come and visit this blog more often. Thanks for sharing 

Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
12/2/2016 | 3:29:31 PM
Why So Lax?
I'm ever confused regarding the need for complex email workflows and processes in the workplace.  It should be a no-brainer when it comes to companies that have even the slightest belief their email servers and network could be compromised by the accessing of certain types of email by their users.  First of all, lock it down.  There are two primary ways to utilize email in the workplace:  1) You need to email each other (employees) to get work done.  This is internal.  So, build an internal secure network for your email servers and, viola, the only spam or malicious code you'll get via email will be those crafted by your employees at work and intentionally sent.  This type of email system never gets exposed to the outside world.  2) You need to email out to or receive in from non-employees (vendors, etc).  Use a secure email system where a 3rd party encrypted application is used that a) removes any possibility of outside emails that contain spam or malware (again, unless crafted by your employees or vendors at work and intentionally sent), and b) keeps your communication intentional, private and meaningful.

The arguments against this I often hear relate to ease-of-use or expense.  Well, there are plenty of FOSS (Free and Open Source) solutions out there, so expense (other than that of obtaining resources to build, install, train and maintain) is not an argument when weighed against the expense of becoming a victim of spam, phishing, malware and so forth.  And ease-of-use means what?  So I have to log into an app to send an email to only receipients that I'm allowed to send it to.  I'm at work.  This is a problem?

OK, I sometimes oversimplify but to be honest it is when you oversimplify that the real questions that should be asked are.  Companies do not do business to satisfy the whims of employees; my company's technology infrastructure does not exist so I can surf the web, email my wife about next week's party plans, or receive coupons and evites that may or may not be from trusted sources.

Why so lax?
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Pledges to Not Pay Ransomware Hit Reality
Robert Lemos, Contributing Writer,  6/21/2019
AWS CISO Talks Risk Reduction, Development, Recruitment
Kelly Sheridan, Staff Editor, Dark Reading,  6/25/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-1619
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session ...
CVE-2019-1620
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to upload arbitrary files on an affected device. The vulnerability is due to incorrect permission settings in affected DCNM software. An attacker could ex...
CVE-2019-1621
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to gain access to sensitive files on an affected device. The vulnerability is due to incorrect permissions settings on affected DCNM software. An attacker...
CVE-2019-1622
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to retrieve sensitive information from an affected device. The vulnerability is due to improper access controls for certain URLs on affected DCNM software...
CVE-2019-10133
PUBLISHED: 2019-06-26
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The form to upload cohorts contained a redirect field, which was not restricted to internal URLs.