It seems like only yesterday that the biggest cyber threat a business had to worry about was the theft of credit card information or physical equipment. In fact, it was only a few years ago when that was the case. Cyber threats were initially a question of network security and data privacy focused on finance and retails sectors; that’s no longer the case.
Hackers are adapting to their environment, creating tools and workarounds that both exploit existing vulnerabilities and leverage modern weaknesses to infiltrate personal and business networks. Today, the main source of weakness for organizations is email; in fact, 94% of data breaches start with an e-mail. While the Nigerian prince or 419 scams are often thought of as a benchmark for everyday scams, this isn’t always the case. It’s paramount to understand that attackers have evolved, and now we must adapt.
We believe there’s been three versions of Email security evolution.
V1.0 – Basic E-mail Hygiene, Virus protection & Spam (2009)
The most notable example of this is Stuxnet. The US government finding out that Iran was close to producing Nuclear grade weapons. They sent a series of spam emails containing malicious content that destroyed a fifth of Iran’s nuclear centrifuges in 2009, seriously hindering the country’s atomic plans. This was estimated to have put the program back 7 years
V2.0 – Advanced Targeted attacks, Phishing, Malware & Ransomware (2014)
Fast forward to 2014 and phishing and targeted attacks are becoming more the norm. These advanced targeted attacks are sly; they dupe individuals into revealing sensitive information like login credentials, personal data, or financial information. Some email threats impersonate high-level executives to trick employees with financial access into making a bank or wire transfer to a fraudulent account.
V3.0 – Targeting human error & 3 zones of security (present)
At present, the most overlooked yet prevalent threat to email security is human error. 40% of people surveyed recently in a Mimecast study said that when opening an email, they clicked on the email attachment first before reading the e-mail content. This phase of email attack originates inside the business but more importantly, can extend to the three zones:
Zone 1 – The perimeter Spam, Viruses, DLP.
Zone 2 – Internal Systems (Inside the perimeter)
Zone 3 – Beyond the perimeter – Global threat intelligence, Protect owned domains as well as unowned domains
Protection starts with awareness
Human error is involved in more than 90% of security breaches, according to a thorough 2017 study by IBM and the Ponemon Institute. Most of us don’t think much about human error, but when it comes to high-profile security incidents that cause big trouble, it’s absolutely key.
Having robust security measures in place is only part of the solution. Human error has three primary components: lack of knowledge, lack of attention, and lack of concern. As business owners, it’s imperative you’re raising employee awareness to these components as well as ensuring you’re equipped to deal with an attack.