[BreachExchange] Is User Training the Weakest Link for Your Email Security Approach?

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jun 28 21:02:24 EDT 2018


http://infosecisland.com/blogview/25080-Is-User-Training-the-Weakest-Link-for-Your-Email-Security-Approach.html

The days of only deploying an email security gateway to block viruses, spam
and other threats from reaching user email accounts are gone. Even though
gateways no doubt have their place in a comprehensive security strategy, in
most cases they are paired with supplementary technologies to ensure the
most effective layered email protection. This is critical because gateways
aren’t designed to sniff out attacks such as social engineering, phishing,
spear phishing, and business email compromise (BEC). There is also the
constant possibility of users being phished on personal email accounts that
aren’t controlled by gateways at all. There are technologies to accompany
gateways such as AI powered email security solutions, which offer the best
hope to stop spear phishing, impersonation and BEC attacks.

But, let’s say you are well informed and have already deployed extra
security layers to protect against sophisticated email-borne data theft,
malware, phishing and other threats. Perhaps you even have a comprehensive
backup and recovery strategy to combat ransomware attempts that could hold
your data hostage? From a technology standpoint you’ve thought of
everything, but the problem is—your users probably have not. This could be
especially true for mid to low-level employees including sales or customer
service teams where being security aware just isn’t at the top of their
to-do list. Ultimately, these folks could be part of the problem without
even knowing it.

That’s because end users frequently receive messages containing links to
spoofed websites where criminals intend to steal their credentials in order
to gain entry and launch attack campaigns. These employees are also the
unlucky recipients of numerous social engineering attacks, including fraud
attempts that could result in wire transfers to cybercriminals. What’s more
alarming is that these attacks avoid traditional security technologies,
making the actions users take more important than ever. In order to shed a
bit more light on this piece of the email security puzzle, Dimensional
Research recently collected data from over 630 participants located around
the globe who all had some level of responsibility for email security
within their organization. Let’s take a deeper look at some of the points
covered in the research:

User behavior and security risks

One of the points that really stands out to me is that effective security
these days isn’t just about security tools and technology, but that
employee behavior is actually a greater concern. 84 percent of the
respondents attributed security concerns to poor employee behavior while 16
percent cited inadequate tools as the culprit.

It was also interesting to see that there is no real consensus on the level
of employee or title that is most likely to fall for an attack. This is
proof that cybercriminals are balancing their attacks across organizational
levels and not targeting any particular level of employee.

The reasoning for this is that like with any scam, email attacks are
typically a numbers game. The more attempts made, the better success rate
criminals have, which is one of the reasons they continue to go after
individual contributors—there are just more targets available.
Alternatively in targeting executives, the payoff is much greater as they
have access to more sensitive and critical information. This supports the
idea that criminals are operating just like a business—they make good risk
versus reward decisions.

Finance is considered the most vulnerable

It probably isn’t surprising to anyone that finance employees are thought
of as being the most vulnerable, as they usually have access to the
company’s crown jewels. 24 percent of respondents believe that finance
departments are the most vulnerable to an attack. What might be surprising
about this set of findings is that the respondents believe that legal
departments are of very little risk. Perhaps legal teams are just viewed as
being more aware of the consequences or less likely to act on an attempted
attack?

On the other side of the office, we have the sales and customer service
departments, who, according to respondents, were the most likely to put their
organization at risk. This could be simply because these teams communicate
heavily over email at a rapid pace, which could open the door for attacks.
Regardless of the reason, if the belief is true—organizations may want to
take the necessary steps to make sure these teams are aware of the possible
threats that could be lurking in their inboxes.

End user training is essential, but a better offering is needed

100 percent of the respondents said that end-user training is important to
their email security posture. It is great to see that training is
recognized as an important cog rather than labeling it as a “nice to have”
piece of the strategy.

We also learned that organizations are offering more than just a
traditional classroom style approach to education for their users. In our
experience, the most effective programs are able to scale, move quickly,
and offer the flexibility to work into and around busy schedules. Offering
training at the convenience of each individual’s schedule makes all the
difference in retention of information and employees’ willingness to
participate. With that said, it’s essential to test if these training
programs are making an impact. This could mean testing employees on their
knowledge with simulated email attacks, or even tracking behavior to help
security teams drill down on weaknesses in their organization.

Who actually trains their users?

We’re seeing that all organizations have good intentions, but according to
the data, only 77 percent of the respondents said they are actually
training their employees. Not a terrible number by any means—but there’s
definitely still a gap, and room to improve.

The reported data also shows that organizations with over 1000 employees
are more likely to implement training. This isn’t uncommon or too
surprising as large businesses have more resources and are typically early
adopters of new technologies and trends. Smaller organizations usually
follow proven practices, but are forced to make the most of their available
budgets.

Ideally, every organization regardless of the size should be exploring new
technologies and practices to adapt to the evolving threats in the wild.
Employees of any level or title should be trained regularly and tested on
their security knowledge.

So, is end-user security training and awareness the missing link to your
complete email security strategy? The data shown suggests that it is
definitely a clear concern, and if you consider the amount of attacks
happening daily—almost every incident involves human interaction.

Malicious links must be clicked for cybercriminals to gain initial entry.
Attachments must be downloaded and money has to be willingly transferred by
an unsuspecting employee for these attacks to be successful. Putting
training at the top of your layered security strategy alongside your
technology stack will ensure that your employees are less of a liability,
and the risk of a breach will be significantly lower.