Email is one of the most common attack vectors against an organization. It is widely used and critical to how employees do their work. It’s also one of the best ways for an attacker to get malware onto the network. While email security is usually well adopted within an organization, security training for personnel is not.
According to Infosecurity Magazine, most companies have email security installed and configured, but they don’t have any secondary backup system or the training needed to deal with any attacks that get through.
Email security has gone beyond just filters and junk boxes. Attackers are targeting specific personnel with either a link to a malicious site or attached malware (spear phishing). Instead of bulk emailing dozens of employees, attackers are taking a more direct approach towards high-level personnel such as executives, financial managers and HR personnel. Low-level filters might block bulk emails, but they don’t always catch targeted attacks on specific employees.
Phishing is becoming one of the biggest threats to an organization, and as IT departments push aside security investments, attackers find better ways to access the internal organization using email as the vector. If the attacker sends 10 emails to employees and only one makes it to the inbox and tricks the user, the attacker can successfully steal data and even access the network using legitimate credentials. It can take months before the organization is alerted to an inside threat, which can lead to accumulated and expensive data theft.
Another interesting fact uncovered in the article is that 63% of IT professionals felt unprepared for future attacks even though they had been attacked before. This means that they had been through an attack, mitigated it, and were able to recover. However, they still felt vulnerable to attacks and future threats.
What comes out of the report is that IT managers have email security, but they don’t have the required training and preparedness to defend against a successful attack. They also did not have awareness training beyond basic email security and configuration. Should an attack occur, they would feel vulnerable and unable to respond quickly. This is where it becomes crucial that you establish an immediate bridge with your email security provider – they become your contingency partner, ready to restore and to remove and prevent future threats.
IT managers who felt better prepared for future email threats also allocated much higher budgets for email security. These managers allocated 50% more budget than organizations with weaker threats. Their systems were generally safer and less vulnerable to current and future attacks than systems that had low-level, weak mitigation security.
The report shows that more companies need to provide better security awareness for professionals and add better preparedness to current security systems. Just one successful attack can cost companies millions in damage. The damage to brand reputation is even worse. With better, stronger email security, the organization is much more prepared to deal with effective attacks.