Email compromise still accounts for around 90 percent of the breaches that businesses experience on a daily basis, and in most instances these can be blamed on user error.
“New and evolving threats are landing in users’ mailboxes daily, particularly within the hybrid workforce context, often using phishing campaigns that rely on clever techniques and panic to get users to click on links and share credentials or sensitive information, such as banking details,” explains Gideon Viljoen, Pre-Sales Specialist: ICT Security at Datacentrix, a leading hybrid ICT systems integrator and managed services provider.
“US wireless network operator Verizon confirms in its Data Breach Investigations Report 2023 that 74 percent of data breaches (three out of four) involve a human element, with people being involved either via error, privilege misuse, use of stolen credentials or social engineering.”
Social engineering is a lucrative tactic for cybercriminals, the report says, especially given the rise of those techniques being used to impersonate enterprise employees for financial gain, an attack known as Business Email Compromise (BEC).
The median amount stolen in BECs, it reveals, has increased over the last few years to $50,000 USD, based on Internet Crime Complaint Center (IC3) data, which might have contributed to pretexting incidents – a specific type of social engineering attack – nearly doubling this past year. With the growth of BEC, enterprises with distributed workforces face a challenge that takes on greater importance: creating and strictly enforcing human-centric security best practices.
Fighting fire with fire: User training and next-gen technology essential
“With a rapidly evolving landscape, changing attack strategies and new compromise techniques being introduced daily, it is imperative that users are trained and kept up to date on the latest campaigns and techniques being used,” says Viljoen.
“This is the most effective way of ensuring a more secure environment, with users acting as a ‘human firewall’ for organisations, and being able to spot, report and block compromise attempts. User awareness training is an excellent proactive option to assist email gateway administrators and engineers in staying on top of campaigns and potential breaches.
“And further to this, a collaborative workforce between machines and humans is key to successfully stem the attack on organisations, with the use of AI (artificial intelligence) additionally providing a smarter, faster approach to protecting against email phishing and breaches.
“AI is being used increasingly to run phishing campaigns and information collection, doing the heavy lifting on behalf of threat actors. A good example of this is how AI-powered chatbot ChatGPT has been used to help less-skilled cybercriminals to write malware and launch cyberattacks.
“So, having a technology in place to combat this is a necessity, and businesses cannot rely on a human alone to be able to administer and catch these threats.”
IBM’s recently launched Cost of a Data Breach Report corroborates this statement, affirming that AI and automation have had the biggest impact on speed of breach identification and containment for studied organisations. The report says that businesses making extensive use of both AI and automation experienced a data breach lifecycle 108 days shorter than those companies that had not deployed these technologies (214 days versus 322 days).
According to the 2023 report, the incident costs shouldered by organisations that were using AI and automation were significantly lower: on average, their data breach costs were nearly $1.8 million lower than those of organisations that had not deployed these technologies.
How to protect business email
The best starting point for a business’s email security, according to Viljoen, is to invest in an email gateway solution.
“In fact, Datacentrix’s recommendation is that organisations implement an email gateway solution as a first priority before looking at any other security product.”
With a variety of toolsets available on the market, finding the best fit for your organisation is key, Viljoen clarifies. “There are full enterprise solutions, as well as small-to-medium business email offerings available to provide a secure email environment. These solutions offer reactive, real-time and proactive response solutions to secure the gateway.”
They also encompass a variety of functionalities that address the various aspects of an email gateway, namely:
- Spam filtering and blocking;
- Stationery (email signatures and campaigns);
- Anti-phishing (known bad threat actors);
- Sandboxing (‘detonation’ of suspicious emails found);
- Zero Day protection (behavioural or unknown/untrusted email domain);
- Data leak prevention (internal and external sharing of sensitive information);
- Email blocking (verification, blacklisting, whitelisting); and
- User awareness training and campaigns (helping users to keep up with phishing techniques and how to defend against those).
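To make the anti-phishing, Zero Day and email blocking functions in the list above concrete, here is an added example of a minimal gateway policy that runs over constructed sample messages. It is illustrative code written for this article, not Datacentrix's or any vendor's product code. It assumes that the organisation's own inbound mail server has already stamped an Authentication-Results header (the RFC 8601 header in which SPF, DKIM and DMARC verdicts are recorded), and the domain names, allow/deny lists and sample messages are all hypothetical.

```python
"""Toy email gateway policy: blocklist, sender authentication, allowlist,
first-contact sandboxing. Illustrative only; all domains are made up."""
import re
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr

# Hypothetical policy data a gateway administrator would maintain.
BLOCKLIST = {"bad-actor.example"}                      # known bad threat actors
ALLOWLIST = {"partner.example"}                        # trusted business partners
KNOWN_DOMAINS = {"corp.example", "partner.example"}    # domains seen before

# Matches "spf=pass", "dmarc=fail", etc. inside an Authentication-Results header.
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(pass|fail|softfail|none|neutral|temperror|permerror)", re.I)


@dataclass
class Verdict:
    action: str   # one of: deliver, block, sandbox, quarantine
    reason: str


def parse_auth_results(header_value):
    """Return {'spf': 'pass', 'dmarc': 'fail', ...} from an Authentication-Results value."""
    return {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(header_value or "")}


def sender_domain(msg):
    """Domain part of the From: address, lower-cased; empty string if unparsable."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def evaluate(raw_message):
    """Apply the gateway rules in priority order and return a Verdict."""
    msg = message_from_string(raw_message)
    domain = sender_domain(msg)
    auth = parse_auth_results(msg.get("Authentication-Results"))

    if not domain:
        return Verdict("quarantine", "missing or unparsable From address")
    # 1. Known bad actors are blocked regardless of anything else.
    if domain in BLOCKLIST:
        return Verdict("block", f"sender domain {domain} is on the blocklist")
    # 2. Authentication failure is checked BEFORE the allowlist, so a spoofed
    #    trusted domain (classic BEC pretexting) cannot ride the allowlist through.
    dmarc = auth.get("dmarc")
    if dmarc == "fail" or (dmarc is None and auth.get("spf") == "fail"):
        return Verdict("block", f"sender authentication failed for {domain}: {auth}")
    # 3. Authenticated allowlisted partners go straight through.
    if domain in ALLOWLIST:
        return Verdict("deliver", f"{domain} is allowlisted and passed authentication")
    # 4. First contact from an unknown domain: detonate links/attachments first.
    if domain not in KNOWN_DOMAINS:
        return Verdict("sandbox", f"first contact from {domain}; detonate before delivery")
    return Verdict("deliver", f"known sender {domain}, authentication passed")


def _msg(from_hdr, auth_hdr, subject="Invoice attached"):
    """Build a minimal RFC 5322 message text (constructed sample, not real mail)."""
    headers = [f"From: {from_hdr}", f"Subject: {subject}"]
    if auth_hdr:
        headers.append(f"Authentication-Results: {auth_hdr}")
    return "\n".join(headers) + "\n\nPlease see the attached invoice.\n"


# Constructed sample messages covering each rule.
SAMPLES = {
    "blocklisted": _msg("Accounts <ap@bad-actor.example>",
                        "mx.corp.example; spf=pass dkim=pass dmarc=pass"),
    "spoofed_ceo": _msg("CEO <ceo@corp.example>",
                        "mx.corp.example; spf=fail dkim=none dmarc=fail"),
    "partner": _msg("Sales <sales@partner.example>",
                    "mx.corp.example; spf=pass dkim=pass dmarc=pass"),
    "first_contact": _msg("New Vendor <billing@newvendor.example>",
                          "mx.corp.example; spf=pass dkim=pass dmarc=pass"),
    "no_sender": "Subject: hello\n\nno From header at all\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        v = evaluate(raw)
        print(f"{name:14s} -> {v.action:10s} {v.reason}")
```

The ordering of the rules is the point: the authentication check sits above the allowlist so that a message claiming to come from a trusted partner or from the CEO, but failing DMARC, is blocked rather than trusted, which is exactly the pretexting pattern the report describes. A real gateway layers spam scoring, content inspection and data leak rules on top of this skeleton, and its lists are maintained continuously by the gateway administrator or managed services provider.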
Ensuring that the gateway is configured and maintained from the start is critical, with the requirement that a specialist, either an internal engineer or an expert managed services provider, enforces the policies and rules and maintains best practice standards.
“Once you have the right technology in place and capabilities are procured and enabled within the organisation, the next step is to see that the policies and rule sets are updated, checked and verified in a cost-effective way to ensure losses are minimised. Running best practice assessments on policies and rules on a frequent basis is also vital to ensure a secure gateway.
“Finally, it is critical to utilise tools, such as pen testing and auditing, to ensure that the environment is hardened and stringently tested at frequent intervals.”