Security / Compliance

National Cyber Security Month 2019 week 1 - Email is the largest single attack vector on the planet

By / September 26, 2019

National Cyber Security Awareness Month

This week kicks of National Cyber Security month (NCSAM). NCSAM is a collaborative effort between government and industry, to raise awareness about the importance of cyber security, and to ensure that all Americans have the resources they need to be safer, and more secure online. With that said, i'll be covering hot security topics every week this month, starting with the single largest attack vector on the planet, email.


Confidence in defenses throughout business is falling.

Email attacks are on the rise and they’re not just affecting the bottom line. They’re also causing disruption for the team members responsible for preventing them. Attacks of all types, including phishing, impersonation and insider threats, are increasing across the board with no end in sight. It’s no surprise that IT decision-makers are losing confidence in their organization’s ability to prevent the worst.

61% of respondents to a 2019 Vanson Bourne survey, believe that suffering a negative business impact from an email-borne attack is either likely or inevitable. This is a jump from 58% a year ago. What’s more concerning is that nearly 1 in 10 stakeholders feel it’s inevitable that their organizations will suffer a negative business impact from an email-borne attack in the near future.

Impersonation/business email compromise and phishing attacks: rising and worsening

Security breaches in headlines, is almost a regular occurrence now. In the previous 12 months alone, 67% of organizations said they saw the volume of impersonation attacks increase, and 73% of impersonation attack victims experienced a direct resulting loss. With the strong likelihood of losses, it’s no wonder confidence is taking a hit. And because these highly-targeted attacks can tend to focus on key, C-level personnel, they can be incredibly embarrassing for victims. These breaches put a spotlight on the negative actions of an employee or, worse yet, an executive of the company.

As for phishing attacks, it is becoming more a matter of when, rather than if organizations will face them. The Vanson Bourne survey results show that 94% of respondents experienced a phishing attack in the previous 12 months, while 54% also saw this type of attack increase. Specifically, 45% of organizations saw an increase in targeted spear-phishing attacks with malicious links.

Social engineering

Social engineering-heavy attacks are a significant concern for organizations, because they’re often one of the most difficult types of breaches to control. With the vast majority preying on human psychology, it doesn’t take much more than a cleverly-spoofed email, or a damaging text message, to trick even the most skilled team member.

Internal email threats and data leaks

Internal threats and malicious activity residing within an organization continue to be a major problem. Of those surveyed by Vanson Bourne, 71% were hit by an attack where malicious activity had spread from one infected user to other employees in the last 12 months, up from 64% a year ago. The biggest culprit: infected email attachments, which 47% of organizations reported seeing spread. Next up was infected URLs via email at 40%.

Overall, internal threats and data leaks were rising as well, with 41% of respondents noting an increase. This could be why many aren’t confident their email security systems can handle internal threats either. Approximately one-third of respondents surveyed felt their email security systems fell short in monitoring, and protecting against email-borne attacks, or data leaks in both internal-to-internal, and outbound emails, as well as automated detection and removal of malicious emails that had already landed in employees’ inboxes.


Consider third-party risk.

When organizations choose a business partner, they need to be just as concerned about the business partners security, as they are about their own. 88% of IT decision-makers saw email based spoofing of business partners or vendors in the previous 12 months, and over 41% of organizations have seen this issue increase with attackers looking to gain access to money, sensitive intellectual property, or login credentials.

The best defense

The best defenses are awareness, training, and of course, robust software security systems. Great software systems are easily found, it's the employee awareness training that often alludes most organizations. When every employee in an organization, regardless of title, understands that they play a key role in security success, things begin to change for the better. These cultural shifts are not only positive reminders that each team member is a vital part of the process, but they’re key to improving the overall security posture of any organization.

Resources

Business, UAE. “Mimecast Research Finds 75% of Organisations in UAE Saw an Increase in Impersonation Attacks.” UAEBusinesscom, 31 May 2019, uaebusiness.com/2019/05/31/cyber-security-companies/.