Training employees on basic cybersecurity is essential. Conventional cybersecurity solutions such as antivirus software are no longer as effective at blocking threats as they once were and employees are targeted by cybercriminals.
Cybercriminals are well aware that employees are easy to fool. Social engineering techniques are used to create highly convincing phishing scams. Those emails contain images of well-known brands and text that would not look out of place in an official communication. Believable reasons are given for the need to disclose login credentials, click on hyperlinks or open email attachments. The emails are effective.
Email is now the number one attack vector for cybercriminals and the biggest cybersecurity threat for businesses.
Employees Still Lack Security Awareness
Even though the threat from phishing has been widely reported in the media, many employees still take major security risks at work.
A recent survey conducted by Glassdoor on UK office workers highlights how serious the risk of email cyberattacks is. 1,000 office workers from mid to large-sized businesses in the UK were asked questions about cybersecurity. 58% of respondents said they usually opened email attachments sent from unknown individuals.
Cybercriminals often mask email addresses to make the emails appear as if they have been sent from someone in the recipient’s contact list. Those tactics are even more effective at getting an end user to take the desired action – clicking on a hyperlink or opening an email attachment. The former directs the end user to a malicious website where malware is silently downloaded. Opening the email attachment results in code being run that downloads a malicious payload.
When asked how often email attachments from known senders were opened, 83% of respondents said they always or usually opened email attachments. Office workers were also asked whether their organization had experienced a cyberattack. 34% of respondents said it had.
How often are malicious emails getting past organizations security defenses? 76% of respondents said suspicious emails had been sent to their work email inboxes.
The survey suggests cybersecurity training is either not being conducted or that it is in effective and email security solutions are not in place or have not been configured correctly.
20% of respondents said their organization had no policy on email attachments, or if it did, it had not been communicated to them. 58% said they would feel much safer if their organization had the appropriate technology in place to protect them from email attacks.
How to Improve Defenses Against Email Attacks
Organizations must ensure appropriate technology is in place to block malicious emails and that employee cybersecurity training programs are developed to raise awareness of the risks of cyberattacks via email.
Policies should be developed – and communicated to staff – covering email attachments and hyperlinks. If staff are unaware of the risks, they cannot be expected to be able to identify an email as suspicious and take the appropriate action. It must also be made clear to employees what actions should be taken if suspicious emails are received.
Cybersecurity training programs should also be evaluated. If those programs are not tested, employers will not know how effective their training is. Sending dummy phishing emails is a good way to determine whether training programs are effective.
A powerful spam filtering and anti-phishing solution should also be employed to prevent malicious emails from reaching end users’ inboxes. SpamTitan, for instance, is an advanced antispam solution for SMEs that blocks over 99.7% of spam emails and 100% of known malware. By preventing malicious emails from reaching end users’ inboxes, employee cybersecurity training will not be put to the test.