The human element of a cyber security strategy for email


When it comes to cyber security strategies, email cannot be ignored. That's because email-borne threats are on the rise, with more than half of organisations surveyed in a recent Mimecast report encountering an increased volume of cyber attacks via email. Despite this, less than 20% of IT decision makers are confident in their ability to spot and defend against these attacks. Clearly, something has to give.

The vulnerability of email

Email was one of the applications that kickstarted the internet; it was originally built as a ground-breaking method of communicating messages digitally. With the concept of the cyber criminal practically non-existent at that time, security was not ingrained into email's DNA.

Like most inventions, email has over time come to be used for more than its original purpose. Now, as the main method of communication within and between businesses, emails commonly carry various types of sensitive information.

It didn't take long for cyber criminals to first recognise, then discover how to capitalise on this opportunity. Malicious links and malware can be sent directly to a user's computer, the email's content promising riches or bearing bad yet irresistible news. Or emails may simply be dressed up as legitimate and contain a request for sensitive information, such as passwords. Whatever the malicious content, the intention is the same.

The current threat landscape

By far the most common type of cyber attack is phishing, with 57% of SMBs falling victim to an attack in the past year.

Each employee within a business will, in today's digital workplace, most likely have an email account. Each email address is viewed as an entry point by cyber criminals who, with the help of the latest malicious automated bots, can circulate emails en masse. Of course, many accounts are no longer used, and many other phishing emails fall on deaf ears. But enough are interacted with to cause an epidemic. The overall result is that phishing is responsible for annual financial losses totalling 27 billion in the UK alone.

As well as being the most costly variant of cyber attack, phishing is also the attack that causes the most disruption. We need only look back to the notorious WannaCry to remember how the NHS was brought to a standstill, with entire internal patient systems held to ransom by the malware.

The weakest link

What is most startling about the statistics surrounding phishing is that most companies are unprepared and lack confidence in their ability to repel attacks.

Many employees, from top to bottom, think themselves too smart to fall for any old phishing trick (the Nigerian prince scam comes to mind). However, new, intelligent forms of phishing have developed which can fool anyone but the most aware of employees.

According to research by Wire, an employee's chances of spotting a phishing email are "as slim as hitting a specific number on the roulette wheel". You don't have to be a gambler to see why a CIO would be alarmed by those odds.

Yet even CIOs themselves are at fault. The first thing that comes to mind when constructing a cyber security strategy is undoubtedly technology. In a way, this makes sense: hackers undertaking cyber attacks are of course using digital means to infiltrate, so defensive technologies come to the fore. But while the CIO turns to watch the battle of technologies, risks develop behind their back. In this sense, employees are essentially undermining businesses' investment in state-of-the-art security measures, though the blame lies higher up the food chain.

Only when a business's employees are fully clued up about threats can the maximum benefit be extracted from the security software in place, and phishing tactics can begin to falter.

The human element

Securing the human element of an email cyber security strategy isn't as difficult or expensive as deploying security software, which alone makes it worthwhile pursuing.

The key is to raise awareness. If employees know what to look out for, they are more likely to be able to spot a phishing attempt. Training and security awareness activities should be conducted for all employees. Often it is those outside the IT department who are targeted, though even IT decision makers can be caught off guard by evolving phishing tactics. Programmes should be ongoing, as cyber attacks are constantly evolving, rendering knowledge out of date.

This training process must not be overcomplicated. Employees should be educated, responses tracked, and users tested. Renewing training every few months should ensure a constant level of vigilance.

Too often, organisations roll out a programme that is unengaging. Seek feedback from employees about the types of attack they are experiencing so that training can be tailored to suit. If employees can see that the activities are beneficial to them, their work and the wider organisation, they are more likely to accept the programme.

To ensure that a programme is operating as it should, security training and awareness should be cemented as a key business metric. By labelling it as a requirement, with measurable goals and results, employees are less likely to view the training as an irritating disruption to workflow, and more as a critical element of their jobs.
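The steps above (educate, track responses, test users, tailor by feedback, measure against goals) are easiest to run as a metric if simulated-phishing results are recorded per employee and per campaign. The following is an added example, not code from the article or from any vendor it mentions: it computes click rate and report rate per campaign, breaks click rate down by department so training can be tailored, lists repeat clickers for refresher sessions, and checks a campaign against goal thresholds. The employees, departments, campaign labels and the 10% click / 50% report thresholds are all constructed assumptions.

```python
"""Security-awareness programme metrics from simulated-phishing results (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    """One employee's outcome in one simulated-phishing campaign."""
    campaign: str      # campaign label, e.g. "2024-Q1"
    user: str
    department: str
    clicked: bool      # followed the simulated lure (link or attachment)
    reported: bool     # forwarded the email to the security team


# Constructed sample data (hypothetical employees, two quarterly campaigns).
SAMPLE_RESULTS = [
    SimResult("2024-Q1", "alice", "finance", True, False),
    SimResult("2024-Q1", "bob", "finance", True, False),
    SimResult("2024-Q1", "carol", "sales", False, True),
    SimResult("2024-Q1", "dave", "sales", True, False),
    SimResult("2024-Q1", "erin", "it", False, True),
    SimResult("2024-Q1", "frank", "it", False, False),
    SimResult("2024-Q2", "alice", "finance", True, False),
    SimResult("2024-Q2", "bob", "finance", False, True),
    SimResult("2024-Q2", "carol", "sales", False, True),
    SimResult("2024-Q2", "dave", "sales", False, True),
    SimResult("2024-Q2", "erin", "it", False, True),
    SimResult("2024-Q2", "frank", "it", False, False),
]


def campaign_metrics(results):
    """Per-campaign click rate and report rate: the two numbers to track over time."""
    sent = defaultdict(int)
    clicks = defaultdict(int)
    reports = defaultdict(int)
    for r in results:
        sent[r.campaign] += 1
        clicks[r.campaign] += int(r.clicked)
        reports[r.campaign] += int(r.reported)
    return {
        c: {
            "sent": sent[c],
            "click_rate": clicks[c] / sent[c],
            "report_rate": reports[c] / sent[c],
        }
        for c in sorted(sent)
    }


def department_click_rates(results, campaign):
    """Click rate per department for one campaign, to target training where it is needed."""
    sent = defaultdict(int)
    clicks = defaultdict(int)
    for r in results:
        if r.campaign == campaign:
            sent[r.department] += 1
            clicks[r.department] += int(r.clicked)
    return {d: clicks[d] / sent[d] for d in sorted(sent)}


def repeat_clickers(results, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` distinct campaigns (refresher candidates)."""
    clicked_in = defaultdict(set)
    for r in results:
        if r.clicked:
            clicked_in[r.user].add(r.campaign)
    return sorted(u for u, cs in clicked_in.items() if len(cs) >= min_campaigns)


def meets_goal(metrics, campaign, max_click_rate=0.10, min_report_rate=0.50):
    """Check one campaign against measurable programme goals (thresholds are assumed)."""
    m = metrics[campaign]
    return m["click_rate"] <= max_click_rate and m["report_rate"] >= min_report_rate


if __name__ == "__main__":
    metrics = campaign_metrics(SAMPLE_RESULTS)
    for campaign, m in metrics.items():
        print(f"{campaign}: sent={m['sent']} click_rate={m['click_rate']:.0%} "
              f"report_rate={m['report_rate']:.0%} goal_met={meets_goal(metrics, campaign)}")
    print("Q1 click rate by department:", department_click_rates(SAMPLE_RESULTS, "2024-Q1"))
    print("Repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
```

Reporting rate deserves as much attention as click rate: a falling click rate with a flat report rate means employees are ignoring lures rather than escalating them, so the security team still gets no early warning of a real campaign.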

After all this, it's important to remember that disruptions caused by cyber attacks will probably never stop occurring. Security software will be breached and employees at times will be responsible, even with thorough training. But what's important is how quickly and effectively an organisation can adapt, respond and recover. And for that the human element is vital.