It is often tempting to shave costs by going for the best value within a solution. In many cases, dropping features or add-ins from particular products saves money with little downside, but in the case of security, many IT admins and MSPs apply this methodology by implementing selective protection: covering only their highest-value users with high-end security tools.
In the end, this choice – often driven by an attentional bias toward the top decision-makers within an organization – can end up costing you more and making you less likely to achieve your actual goal of effectively protecting those users.
Specifically, there are many companies we (and, we’re sure, others) interact with who seek to deploy Advanced Threat Protection or other features exclusively to their executive teams or another limited set of users. This rests on the assumption that threats and solicitations only affect such users – not even the assumption that they merely disproportionately affect such users – and that not a dollar more needs to be spent protecting users outside of core executives or particular departments.
While it’s true that these high-value users are more likely to be targeted, selective protection doesn’t actually make them safer, and it may make you more vulnerable by leaving you assuming they are safe and protected, and therefore less vigilant to threats as they emerge. This is why selective protection is a universally bad choice for any organization, particularly in the case of email.
That isn’t the only reason selective protection is bad; there are many specific reasons, including:
Your “Low-Authority” Users Are the Easiest Path to Your High-Authority Ones
A full 67% of targeted malware and phishing attacks are aimed at first-line managers and individual contributors – not members of your C-suite. Cyber criminals are crafty, and when they don’t hunt, they gather. This is an easy aphorism, but it has very real impacts on your organization. For instance, consider the case of Office 365 phishing: many organizations jump on the platform expecting total ease of use and security, but are surprised by the prevalence of security threats within its infrastructure.
Now, why should this worry you if you only want to protect high-authority users? Consider the possibility that one of your low-authority users gets compromised. Having gained access to this account, a cyber criminal may first harvest any data or information held in it, and then use the compromised account – a trusted internal sender – to compromise high-authority accounts within your organization.
In this case, you’ve paid for additional protection for your high-authority user, but have provided no real additional protection for them – only a minor roadblock to a cyber criminal’s intent to compromise accounts and subsequently breach data, bark out orders, send false orders or payment requests, and more.
“Limited Aims” Protection Leaves Significant Gaps
Finding a heuristic or decision-making mechanism for who deserves protection can be a difficult task. Again, in the case of email, consider this: Is everybody on the executive team a high-authority user? Is everybody with authorization to pay or fulfill an invoice to the company? Anybody who participates in an interaction with a partner or significant client? Anybody who works as a contractor but has access to protected information, or to information from which protected information can be inferred? Are any of your employees’ devices networked to the devices of others within the company?
All of the above are risks, and in most companies, at least one of these criteria will apply to most of your users. Beyond that, for the employees you exclude, what are the costs to the company when they fall victim to malware on a personal device, or to a gift-card phishing scam? At this point, you’re not really saving anybody time or money – you may simply be creating individual costs for members of your organization who are still needed to contribute.
You Are Underestimating the Value of Protecting All Users
Ultimately, any breach has costs that we can’t fully evaluate beforehand. Deloitte estimates that 90% of a cyber attack’s costs are unaccounted for by most businesses in their security analysis, and these costs can accumulate over the years (not months or days) after an attack. They could include:
- Customer Data Breach Notifications
- Post-Breach additions to Protection
- Regulatory compliance – either through fines or time-consuming oversight
- Crisis communications and recovery costs
- Attorneys’ fees and litigation
- Additional cybersecurity improvements or restructuring to compensate for the costs of a successful attack
- Technical investigations and new reporting mechanisms
- Insurance premium increases
- Increased costs to raise debt
- Operational disruption
- Burning of customer relationships
- Lost contract revenue
- Diminishment of overall brand value or reputation
- Loss of proprietary information or intellectual property
With all these possibilities difficult to quantify, why would you ever leave an open door anywhere that you don’t absolutely need to?
With the aforementioned reasons in mind, when deciding how best to protect your organization, please don’t consider selective protection for your highest-authority users (or at least for the ones most likely to complain about a spam or phishing email). If you’re doing it to cut costs, you may learn in this case that it can be “awful expensive to be cheap”.
modusCloud is a powerful cloud email security solution built to protect your organization at the gateway. With phishing protection, URL and attachment defense and more features that stop Advanced Threats, modusCloud can ensure you’ll usually be safe, and rarely be sorry!