Email security: We CAN fix the tech, but what about the humans?

The human factor

Nevertheless tech can only do so much.

As Woodward says, it only takes one or two to get through and cause havoc. Throw in the fact that cloud-based email services are growing and you can see potential for greater damage if businesses don’t act. Research firm Gartner reported earlier this year that even worldwide enterprises are seeing increased use of cloud email services, noting that 13 per cent surveyed claimed to have cloud-based email. This will only increase although maybe not at the rate Microsoft is predicting. So what impact if any will this have on security?

“The risk with cloud-based email is the same as one of its major benefits - it's easily accessible from anywhere in the world,” says security expert blogger and analyst Graham Cluley. “If users have chosen a weak password, or made the mistake of reusing a password across different sites, then it won't be an enormous surprise if their webmail is targeted by an online criminal. To reduce the chances of such an attack being successful, webmail users should enable additional security measures (such as 2FA). And obviously, stop re-using passwords or choosing weak, easy-to-crack passwords.”

Will we ever get to a point where email is no longer a major vehicle for security threats or is it just a case of as long as email is popular; it will always be a target because users will always make mistakes?

“It’s inevitable that people will click – curiosity and the desire to help are human nature,” says Proofpoint’s Diamond.

“I think email will continue to be one of the major vectors of online attack for years to come,” says Cluley. “If email were invented today it would be laughed out of the room, because of its inherent lack of security features such as encryption. But it's already here, and just about everyone has an email address and is using it every day. We can roll out security fixes as much as we like to make our technology more secure, but we can't patch the bug in people's brain which makes them click on a fake invoice attachment, or open a craftily socially-engineered link.”

Nothing new under the Sun

Yes the human error thing. So are we perhaps over estimating the cyber criminals, giving them more credit than they deserve in terms of sophistication? If it’s just a matter of human error then perhaps the cyber criminals are beatable?

“The truth is that the majority of attacks people encounter are not revolutionary,” adds Cluley. “They're just variations on the same malicious email attachment/dodgy link that we have seen time and time again over the last 20 years. The typical criminal doesn't need to reinvent the wheel because the old attacks continue to work so well.”

As if to drive home the point, last month Gugi, a bank account raiding trojan, was reported to have sidestepped the latest Android 6 security features. Although not a bog standard hack, the premise is the same. Plant a bit of malware via email and let it work its way across connected devices. Simple; so simple in fact that the rate of malware is increasing and at an increasing rate.

“It is possibly the fastest form of attack,” says Woodward. “It is easy to do and the return is terrific, so criminals love it.” So what should businesses do to protect themselves? An obvious point of course is making sure the relevant security software is in place and importantly, is kept up to date. The same goes for all software drivers and versions of operating systems.

“Educate users not to open files that they are not expecting,” says Woodward. “Practice your ABCs – Assume nothing. Believe no one, and Check everything should be drummed into users – personally I preach ABCD - if in any doubt Delete.”

Part of the education is also preparation for when things go wrong. Some malware will get through, whether it’s ransomware that can be launched from macros and even JavaScript on webpages or Trojans unleashing viruses and spyware via email. At some point the law of averages says a business will be hit, so preparing staff is essential to ensure damage limitation. Backup policies should be in place, as well as quick reporting procedures.

Woodward adds that businesses should think of this in the same way they would think of contingency planning for other eventualities.

“Incident management and response are specialisations so if you need to, get some external help, but do that at the planning stage and don’t leave it until you are attacked,” he says. And if the ransom demand comes?

“I would stress that you should never pay the ransom – despite what some high profile organisations have done it is the slippery slope,” he says. “The moment you pay you will end up on a “suckers” list and even if the same criminals don’t target you again some of their delightful colleagues will.”

It’s a heavy price to pay. Speaking at the CBI Conference in September, Matt Hancock, Minister for Digital and Culture bigged-up the Government’s Cyber Essentials scheme and outlined the scale of the threat facing businesses in the UK.

“Businesses are being attacked for their finances, their intellectual property, their customer data,” he said. “Our latest research shows one in four of all businesses experienced a cyber breach or attack in the past 12 months. A quarter of large firms are hit at least once every month. That impacts not only on their cash flow - the cost of individual attacks can be enormous - but on their brand and reputation.”

We get the point. Cyber-attacks are a complete pain and should be taken seriously but businesses are surely not stupid enough to forego security measures? In this age of increased threats and attacks, email is still the main means of delivery. That must say something about how businesses treat cyber security and in particular how staff, regardless of whatever good intentions they have will always be a potential door to the network. ®