"64% of IT security professionals believe that email attacks pose a high threat to their organization..."
In a world defined by its uncertainty, at least one thing can be depended on: when just 24% of IT security professionals view their infrastructure as “extremely secure”, there's a nightmare waiting to happen – data breaches seem more a question of "when" than "if". But there are ways that you can significantly cut down on the risk they pose to your organization.
The very first, and arguably most important, step you can take to better protect your email communications is to educate your employees. There are a number of solutions available to protect your organization from cybersecurity threats, ranging from anti-virus software to firewalls to email gateways. But the biggest point of failure in any organization is likely to be your employees. They're the ones handling all the sensitive data and deciding where it gets sent. If they make a mistake, all the Data Loss Protection software in the world won't help.
The Information Commissioner's Office has recently released a free suite of posters to help you combat the human error element.
Data loss over email becomes so much more difficult to tackle after it's already happened. Having a plan in place for what to do in the event that an employee does leak data over email is good; preventing the leak from occurring in the first place is so much better. Invest in technologies and platforms that will enable you to better understand how your employees communicate with each other and with people outside the organization.
McAfee's 2017 security prediction report Hard-to-Solve Security Challenges stated the possibility of:
- Business email compromise (BEC) scams duping decision makers into money transfers
- Spear-phishing as a gateway for APT for long-term espionage or data theft
- Increased targeting of "physical devices" such as mobile, workstations, and point-of-sale
- More malware via fake advertisements and other emerging methods
When all evidence suggests that this problem is only likely to grow, the question is not whether you respond, but how.
Protection is prevention: information security professionals should prepare for highly sophisticated, email-based attacks.
You know the drill: use encryption, be careful when using your corporate email account from public/shared computers, and don’t open emails from unknown sources. Getting the basics right is critical, as it will allow you to build an information security infrastructure on a great foundation. Most importantly, however, don’t let taking these steps lull you into a false sense of security.
When research suggests that the top worry for 45% of IT professionals is, in fact, internal, you have another battle on your hands.
Confidence comes hand in hand with capability. If you’re still using outdated Exchange software, the extent to which you can guard against internal and external attacks is already inherently limited.
With this in mind, it comes as no surprise that confident IT security professionals are more than twice as likely to think that C-suite involvement in email security strategy is “very appropriate” – and 1.4x more likely to actually have that engagement.
In this way, our mistakes and negative experiences are, in fact, an opportunity – as exemplified by the fact that managers with recent, direct experience with an email hack/breach are more likely to have plans to migrate to Microsoft Office 365 in the next two years.
Discard the “if it isn’t broken, why fix it?” mentality: why wait until something goes wrong to implement much-needed change?
Corporate email now exists in an interesting space between work and home where it is not solely tied to employees' desks. Using email on the go, on various devices (laptops, tablets, smartphones), greatly increases the potential for mistakes. A data breach caused by a misdirected email could very easily occur when sending an email on a packed train and accidentally picking the wrong recipient from a "helpful" autocomplete list. Many email DLP platforms can only protect on a computer, or only within a certain client, so the use cases outside those need to be acknowledged and accounted for. It's important that you find a way of securing your email network regardless of how an employee accesses it.
As well as getting the basics right, it's a good idea to always be looking ahead. Information security platforms and techniques are constantly evolving. People are consistently producing amazing new ways of tackling threats and risks that had so far gone unsolved. Seek out the companies building cutting-edge new solutions and see if they're a good fit for your company.