The dangerous vulnerabilities caused by weak email security

Why email security

Threats to email security are on the rise. Research conducted for Cyber Security Hub’s Mid-Year Market Report 2022 found that 75 percent of cyber security practitioners think that email-based attacks such as phishing and social engineering are the ‘most dangerous’ cyber security threat to their organizations. Companies must protect this vulnerable asset without compromising its efficiency in communication.

Email security is integral to protecting companies from external threats but also essential to protecting a brand’s customers from outbound threats such as phishing, data breaches and business email compromise (BEC). Without sufficient email security strategies, companies open themselves, their clients, and their customers to the consequences of cyber security incidents.

Threats to email security not only encompass attacks from bad actors but also the internal function of the company. Research from Stanford University found that 88 percent of all data breaches are due to an employee mistake, meaning companies must be hypervigilant when training their employees. This training should take place in an easily accessible format so that information is easily retained by employees and future mistakes are avoided.

This threat to the internal workings of a company can also lead to further damage to its brand if not dealt with swiftly and effectively. Even long-time customers may lose faith in organizations if they feel they are unable to trust in their cyber security strategy, especially when their personal data is on the line.

In this article, Cyber Security Hub provides guidance on how to implement excellent email security and make sure your employees understand its importance.

Also read: Report on cyber security challenges and spends

The vulnerabilities caused by weak email security

Overlooking email as a security risk is a dangerous oversight for any organization. In 2020, professional services network Deloitte reported that 91 percent of all cyber-attacks began with a phishing email.

There are a number of threats that poor email security presents, ranging from social engineering attacks, phishing and account compromise to takeover and data theft. Phishing attacks can target users’ passwords and accounts that could contain sensitive and valuable customer information. Credential theft is also a risk, as employees may reuse passwords for multiple different platforms across their business and personal life, weakening a business’s security if any of these accounts are compromised or exposed during a data breach.

Djon Ly, digital marketing manager at money service operator Statrys, says that there is no reliable way for businesses to manage passwords or ensure that employees regularly change their passwords. Social engineering and sophisticated hacking techniques can make it difficult for employees to correctly identify fraudulent emails, Ly notes, even if an organization has email protection or holds regular security training.

“Frequently, phishing emails will ask recipients to reset passwords or log in to a fraudulent account website in order to harvest credentials. Even if an organization has email protection and regular security training, it can be very difficult for users to determine whether or not an email is fraudulent,” she explains.

Muhammad Babamia, IT internal audit specialist for cyber security and data and analytics at South African investment holding company Transaction Capital, agrees, stating: “The greatest risk to email security is careless employees.

“People are the weakest link from a cyber security perspective,” he adds. “This is especially true in terms of email security. While email configuration and security layers aid in reducing email-related breaches, they remain in place in some form of reliance on diligence of humans.”

When it comes to email security, while the best software measures may be put in place, true email security also hinges on employees’ abilities to understand why and how the company may be attacked via email, and what to do in the case of a compromise.

The consequences of phishing campaigns can be devastating for businesses. In 2014, Sony Pictures’ employees, including system engineering and network administrators, were targeted with fake emails that looked like legitimate communications from Apple, asking them to verify their Apple ID credentials.

By clicking on the link provided, employees were taken to a legitimate-seeming webpage that required them to input their login details. As these emails were targeted at those who would most likely have access to Sony’s network, these details were then used to hack into its network.

The spear phishing campaign led to multiple gigabytes of data being stolen, including business-related content, financial records, customer-facing projects, and digital copies of recently released films. The hack cost Sony an estimated US$15mn.

Kym Welsby, regional director for APAC at Clearswift, a HelpSystems company, notes that one of the main issues with ensuring email security is that email was designed with no security functionality from its outset.

“[Email having no security] was the secret of its success. This was fine when relatively fewer people were using it to contact people they knew only, but with its expansion people no longer know who is contacting them,” Welsby explains.

As employees within a business will be used to people from outside the company contacting them, as well as speaking to people they do not know in a business capacity, this can make them less wary of potentially dangerous or fraudulent emails. There are a number of threats when it comes to email security, from direct attacks on employees through phishing campaigns or social engineering to a lack of security functionality in email.

In the next section of this report, we will explore how to combat these threats.

Ensuring email security within your business

Email-based attacks like phishing and social engineering that directly target employees within a business can have devastating consequences for businesses, with three in four cyber security professionals surveyed for Cyber Security Hub’s Mid-Year Market Report 2022 stating these attacks are the ‘most dangerous’ threat to cyber security.

These attacks directly target employees inside a business, placing the responsibility for ensuring the attack does not progress in their hands. Additionally, these attacks often rely on psychologically manipulating employees. They can be very effective in convincing employees to act in ways they would not usually, even if they have had security training.

The effectiveness of phishing attacks may rely on how effectively employees can evaluate whether an email is safe. This can be an issue if employees do not pay attention to cyber security training. Clearswift’s Welsby explains that complacency in this task may be due to a misconception among those within a business that their antivirus or antimalware software is sufficient to block any and all threats. Antivirus software, however, can only stop known threats such as malware or ransomware; if a breach attempt involves a new, unknown file or URL, it may not be able to block the attack.

Ensuring good cyber security within businesses requires employees to be engaged with their training so they are better able to retain the information and use it at a later date when they do come across cyber security threats.

How to engage employees with email security

In a discussion within Cyber Security Hub’s Advisory Board, one member suggested that linking email security to a company’s universal goals was very beneficial. This involves conducting multiple phishing tests throughout the year, with the score of said tests affecting a business’s bottom line. This is because phishing attacks have an indirect influence on a company’s bottom line. Cyber-attacks cost a lot of money, meaning that if a cyber-attack occurs, companies will lose money in operations costs. Additionally, cyber-attacks may lead customers to lose trust in a company and take their business elsewhere, leading to an overall drop in revenue. With bonuses directly linked to profit, financially motivated employees should be more diligent in not clicking on potentially dangerous links, as their good behavior is reinforced and rewarded.

Also read: Strengthen email security & protection against ransomware attacks

Jorel Van Os, chief information security officer at insurance company Acrisure, suggests companies can better engage their employees by employing short-form video content using real-life case studies as examples.

“[The videos are] a testimonial, with an actor reenacting real case studies,” Van Os remarks. “I think that’s a good, compelling way to [train employees].

“They are one to two minutes each,” he explains. “We did a micro-survey on the videos in terms of length of content, effectiveness of content and delivery of content, and we got 4.8 out of five stars across hundreds or thousands of people that rated it.”

One such example is a testimonial from an actor posted on LinkedIn entitled ‘My LinkedIn post cost my company a fortune’. In the testimonial, the actor explains that someone posing as a recruiter enticed him into communicating with them, first through comments on his LinkedIn posts, then via messages with a lucrative job offer.

The faux recruiter built a relationship with him, and finally sent him a PDF which, supposedly, contained the job offer. Instead, it contained only a cover letter and two blank pages. When the actor reached out to the supposed recruiter, they explained that it was a secure file, and prompted him to download and install a secure PDF reader. When this still did not work, the actor contacted the recruiter again, but the recruiter did not respond to any of his messages. He dismissed this, but weeks later there was a data breach at his company that cost the company millions of dollars. The breach was traced back to him, as the PDF reader had actually contained malware that was used to level an attack against the company.

The actor explains that job scam attacks are becoming more prevalent as people are expected to communicate with strangers, and download the attachments sent to them.

Van Os says that by doing this, companies can help employees realize that they are involved with the email security of a business, as well as offering them a framework of what to do during a cyber security incident. It can also provide them with tips on what to look for in potentially malicious communications.

Companies can employ other tactics to keep employees engaged, says Transaction Capital’s Babamia.

“Traditional ‘death by PowerPoint’ presentation styles often lead to bored and inattentive learners,” Babamia remarks. “Organizations need to ensure that participants are engaged through various means of learning such as gamified learning and the use of incentives to promulgate better learning.

“Simulated phishing attacks are a great way to pick out unaware employees. With scare tactics in mind, employees should be more focused to ensure that the consequences of their actions do not lead to a severe breach of the organization’s information security,” he notes.

Ensuring email security beyond employees

In terms of ensuring email security beyond training, Clearswift’s Welsby notes that a layered solution is best, as different controls will be needed to respond to different threats. He recommends combining content protection such as structural sanitization (the removal of active content within the email body and attachments) with the removal or rewriting of URLs so that they open through a different web browser. Identity protection is particularly important, as social engineering and phishing attacks often rely on posing as someone with authority within the business. Looking for the good senders rather than trying to block the bad allows software to identify and block bad actors post-delivery, preventing the spread.
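
The structural sanitization and URL rewriting Welsby describes can be shown in code. The following is an added example and not code from Clearswift or the article: a small HTML-body sanitizer that strips active elements and event-handler attributes, drops script-scheme URLs, and rewrites outbound links through a hypothetical click-time gateway (urlgate.example is an assumed address). The sample email body is constructed for the example.

```python
"""Structural sanitization of an HTML email body.

Added example, not code from Clearswift or the article: it strips active
content (scripts, frames, event handlers, script-scheme URLs) and rewrites
outbound links through a click-time gateway so the original destination is
inspected before the browser reaches it.
"""
import html
from html.parser import HTMLParser
from urllib.parse import quote, urlparse

# Hypothetical URL-rewrite gateway; a real deployment points this at its own
# click-time inspection service.
GATEWAY = "https://urlgate.example/open?u="

ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet", "form"}
BLOCKED_SCHEMES = {"javascript", "vbscript", "data"}


class EmailSanitizer(HTMLParser):
    """Rebuilds the markup, dropping active elements and rewriting links."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []        # sanitized markup fragments
        self.skip_depth = 0  # > 0 while inside a stripped element
        self.removed = []    # audit trail: what was stripped and why
        self.rewritten = []  # original link targets that were wrapped

    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):  # onclick, onload, onerror, ...
                self.removed.append(f"{tag}@{lname}")
                continue
            if lname in ("href", "src") and value:
                scheme = urlparse(value.strip()).scheme.lower()
                if scheme in BLOCKED_SCHEMES:
                    self.removed.append(f"{tag}@{lname}={scheme}:")
                    continue
                if tag == "a" and lname == "href" and scheme in ("http", "https"):
                    self.rewritten.append(value)
                    value = GATEWAY + quote(value, safe="")
            kept.append((lname, value))
        return "".join(
            f" {n}" if v is None else f' {n}="{html.escape(v, quote=True)}"'
            for n, v in kept
        )

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.skip_depth += 1
            self.removed.append(tag)
        elif not self.skip_depth:
            self.out.append(f"<{tag}{self._clean_attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        if tag in ACTIVE_TAGS:  # <script/> has no matching end tag
            self.removed.append(tag)
        elif not self.skip_depth:
            self.out.append(f"<{tag}{self._clean_attrs(tag, attrs)} />")

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip_depth:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # comments carry nothing a reader needs; drop them


def sanitize(body):
    """Return (clean_html, removed_items, rewritten_urls) for an HTML body."""
    parser = EmailSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.removed, parser.rewritten


# Constructed sample body containing the three things the gateway must handle:
# an event handler, an inline script and a script-scheme link.
SAMPLE_BODY = (
    '<p>Please <a href="https://login.example.com/reset" onclick="track()">'
    "reset your password</a>.</p>"
    '<script>document.location="https://untrusted.example/collect"</script>'
    '<img src="https://tracker.example/p.gif">'
    '<a href="javascript:alert(1)">click</a>'
)

if __name__ == "__main__":
    clean, removed, rewritten = sanitize(SAMPLE_BODY)
    print(clean)
    print("removed:", removed)
    print("rewritten:", rewritten)
```

The `removed` and `rewritten` lists are the per-message audit trail a gateway should log: a sudden rise in stripped script elements or rewritten links from one sender is itself a detection signal. A production gateway also sanitizes attachments and uses a full HTML sanitizer rather than this hand-rolled parser; the example covers the email body only.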

Kemas Ohale, head of global information security operations at SMC Corporation, a manufacturer of pneumatic control devices, notes that using an email security solution that combines the power of automated threat detection, using artificial intelligence (AI) or machine learning (ML), with the power of the human to form a complete solution can be “highly effective” in keeping organizations safe.

“AI or ML cannot do it alone and neither can humans,” Ohale remarks. “Combining the two into a single solution and reducing the load on our security team through extensive automation is the optimal way to ensure inboxes are as secure as they can be.”

Email security can be ensured by engaging with employees and showing them how cyber security is inherently tied into their job. Beyond this, companies must engage defense strategies including email authentication protocols such as DMARC, structural sanitization and the use of AI or ML to help detect and neutralize threats to protect the email system. In the next section, this report will discuss the importance of email security in protecting your brand.

How email security can protect your brand

Email security is not just important for internal data safety, but for a company’s external brand. Bad email security can affect customers in multiple ways, from exposing their personal information to causing them to see a brand as less secure or trustworthy.

Clearswift’s Welsby notes that while most people think email security is about protecting their organization from threats, companies also need to protect their outbound emails and tell customers and clients to reject messages that are not from the company.

Welsby explains that while using DMARC authentication to detect and prevent the email spoofing techniques used in phishing, business email compromise (BEC) and other email-based attacks seems easy in principle, it can be complicated, especially for large organizations.
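
To make the DMARC mechanics concrete, the following is an added example, not code from Clearswift or the article. It parses a DMARC TXT record into its tags, flags settings that leave spoofing unblocked or unobserved, and evaluates identifier alignment the way a receiving mail server does, with a weak record beside a hardened one. The two records, the domain names and the two-label approximation of the organizational domain are assumptions made for the example.

```python
"""DMARC record checks and identifier alignment.

Added example, not code from Clearswift or the article. Tag names follow
RFC 7489; the two records, the domains and the organizational-domain
approximation below are assumptions made for the example.
"""


def parse_dmarc(txt):
    """Split a DMARC TXT record ('v=DMARC1; p=reject; ...') into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Approximate the organizational domain as the last two labels.

    A receiver uses the Public Suffix List here; the two-label rule is a
    simplification assumed by this example (wrong for e.g. .co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any domain under the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(from_domain, spf_domain, dkim_domain, record):
    """Evaluate one message the way a receiving server does.

    spf_domain is the MAIL FROM domain if SPF passed (None otherwise) and
    dkim_domain the d= of a valid DKIM signature (None otherwise). Returns
    (passed, disposition): disposition is the published p= when the message
    fails, and 'none' when it passes."""
    tags = parse_dmarc(record)
    spf_ok = aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    return passed, "none" if passed else tags.get("p", "none")


def assess_dmarc(record):
    """Return findings for settings that leave spoofing unblocked or unseen."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("missing or wrong v= tag; receivers ignore the record")
    policy = tags.get("p")
    if policy is None:
        findings.append("missing p= tag; the record is invalid")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail reaches spam folders, not rejection")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if policy not in (None, "none") and tags.get("sp", policy) == "none":
        findings.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so unknown senders stay unknown")
    return findings


# Constructed records: the common weak starting point beside a hardened one.
WEAK_RECORD = "v=DMARC1; p=none; sp=none"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                 "rua=mailto:dmarc@example.com; adkim=s; aspf=s")

if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(label, assess_dmarc(rec) or ["no findings"])
    # Same spoofed message: From: example.com, SPF passes for an unrelated
    # domain, no DKIM signature. Only the hardened record stops it.
    print(dmarc_result("example.com", "bulk-sender.example", None, WEAK_RECORD))
    print(dmarc_result("example.com", "bulk-sender.example", None, STRONG_RECORD))
```

The alignment step is where the complication Welsby mentions comes from: a legitimate third-party sender that passes SPF for its own domain still fails DMARC for the brand's domain, so every such sender must be set up with an aligned DKIM signature or SPF domain before the policy can move from p=none to p=reject without losing mail.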


Also read: 5 steps guide to build email security strategy

“We have had clients use applications to allow others to send emails on their behalf and had one organization that found it was using 200 more email applications than it realized it was using,” says Welsby. “As it was a big retail brand with many custom-built applications and service providers sending emails on its behalf, it took two years to establish the use cases [for email applications to send emails on their behalf].

“Brand protection makes it easier for brands to establish who they are and what services they use,” he adds.

Transaction Capital’s Babamia notes that larger-scale attacks may lead to the disclosure of highly sensitive emails should attackers leak highly confidential information to the public, which can affect trust in a company. If this trust is broken, customers may leave the company and use a competitor instead, leading to a potential drop in revenue.

Customers can lose trust in brands when they believe they are not appropriately securing their data, leading concerned customers to switch to different brands. By ensuring both that employees are fully engaged with and retain information from training, and that there is a robust email security solution in place, companies can put themselves in a better place to identify and mitigate cyber security incidents.

Final remarks

There are a number of threats to email security that employees must face. The most dangerous of these are social engineering and phishing attacks, as they directly target employees and can have potentially devastating consequences for their company.

Email security is fundamentally reliant on employees being vigilant against potential inbound attacks. In order to ensure all employees are in the best place to recognize and not engage with malicious emails, companies must take into consideration the way they are educating their employees in regard to cyber security. Using more engaging techniques like shorter videos, relating the content to themselves as employees or using a rewards-based system can help engage employees better, meaning they are in a better position to ensure email security.

Additionally, companies should ensure that they have robust security in place, including the use of structural sanitization and identity protection like DMARC. By using these methods, companies can ensure that phishing attacks are less successful, as URLs can be deemed safe before they are clicked on, and malicious actors who attempt to pose as higher-ups in the company during social engineering or phishing attacks will be less likely to succeed.

By doing this, companies can protect their employees and the business itself from cyber criminals and inbound threats, while protecting clients and customers from outbound threats. By communicating these efforts to clients and customers, they can build trust in their cyber security and prevent a loss of trust if a cyber security incident happens: if customers feel their data is not adequately protected, they may leave a business and take their custom elsewhere.

Read a PDF of the report here.

How do you maintain good email security to strengthen your business model? Please let us know in the comments section below.
