Email security: We CAN fix the tech, but what about the humans?

From Michelangelo to ransomware

The human factor

Nevertheless tech can only do so much.

As Woodward says, it only takes one or two to get through and cause havoc. Throw in the fact that cloud-based email services are growing and you can see the potential for greater damage if businesses don’t act. Research firm Gartner reported earlier this year that even worldwide enterprises are seeing increased use of cloud email services, noting that 13 per cent of those surveyed claimed to have cloud-based email. This will only increase, although maybe not at the rate Microsoft is predicting. So what impact, if any, will this have on security?

“The risk with cloud-based email is the same as one of its major benefits - it's easily accessible from anywhere in the world,” says security expert blogger and analyst Graham Cluley. “If users have chosen a weak password, or made the mistake of reusing a password across different sites, then it won't be an enormous surprise if their webmail is targeted by an online criminal. To reduce the chances of such an attack being successful, webmail users should enable additional security measures (such as 2FA). And obviously, stop re-using passwords or choosing weak, easy-to-crack passwords.”

Will we ever get to a point where email is no longer a major vehicle for security threats, or is it simply the case that as long as email is popular it will always be a target, because users will always make mistakes?

“It’s inevitable that people will click – curiosity and the desire to help are human nature,” says Proofpoint’s Diamond.

“I think email will continue to be one of the major vectors of online attack for years to come,” says Cluley. “If email were invented today it would be laughed out of the room, because of its inherent lack of security features such as encryption. But it's already here, and just about everyone has an email address and is using it every day. We can roll out security fixes as much as we like to make our technology more secure, but we can't patch the bug in people's brain which makes them click on a fake invoice attachment, or open a craftily socially-engineered link.”

Nothing new under the Sun

Yes, the human error thing. So are we perhaps overestimating the cyber criminals, giving them more credit than they deserve in terms of sophistication? If it’s just a matter of human error, then perhaps the cyber criminals are beatable?

“The truth is that the majority of attacks people encounter are not revolutionary,” adds Cluley. “They're just variations on the same malicious email attachment/dodgy link that we have seen time and time again over the last 20 years. The typical criminal doesn't need to reinvent the wheel because the old attacks continue to work so well.”

As if to drive home the point, last month Gugi, a bank-account-raiding trojan, was reported to have sidestepped the latest Android 6 security features. Although not a bog-standard hack, the premise is the same: plant a bit of malware via email and let it work its way across connected devices. Simple; so simple, in fact, that the volume of malware is not only increasing but increasing at an accelerating rate.

“It is possibly the fastest form of attack,” says Woodward. “It is easy to do and the return is terrific, so criminals love it.” So what should businesses do to protect themselves? An obvious point, of course, is making sure the relevant security software is in place and, importantly, is kept up to date. The same goes for all software drivers and versions of operating systems.

“Educate users not to open files that they are not expecting,” says Woodward. “Practice your ABCs – Assume nothing, Believe no one, and Check everything – should be drummed into users. Personally I preach ABCD: if in any doubt, Delete.”

Part of the education is also preparation for when things go wrong. Some malware will get through, whether it’s ransomware that can be launched from macros and even JavaScript on webpages, or Trojans unleashing viruses and spyware via email. At some point the law of averages says a business will be hit, so preparing staff is essential to ensure damage limitation. Backup policies should be in place, as well as quick reporting procedures.

Woodward adds that businesses should think of this in the same way they would think of contingency planning for other eventualities.

“Incident management and response are specialisations so if you need to, get some external help, but do that at the planning stage and don’t leave it until you are attacked,” he says. And if the ransom demand comes?

“I would stress that you should never pay the ransom – despite what some high-profile organisations have done, it is the slippery slope,” he says. “The moment you pay you will end up on a ‘suckers’ list, and even if the same criminals don’t target you again, some of their delightful colleagues will.”

It’s a heavy price to pay. Speaking at the CBI Conference in September, Matt Hancock, Minister for Digital and Culture, bigged-up the Government’s Cyber Essentials scheme and outlined the scale of the threat facing businesses in the UK.

“Businesses are being attacked for their finances, their intellectual property, their customer data,” he said. “Our latest research shows one in four of all businesses experienced a cyber breach or attack in the past 12 months. A quarter of large firms are hit at least once every month. That impacts not only on their cash flow - the cost of individual attacks can be enormous - but on their brand and reputation.”

We get the point. Cyber-attacks are a complete pain and should be taken seriously, but businesses are surely not stupid enough to forgo security measures? In this age of increased threats and attacks, email is still the main means of delivery. That must say something about how businesses treat cyber security, and in particular about how staff, regardless of whatever good intentions they have, will always be a potential door to the network. ®
