Rick Jones, CEO, DigitalXRAID
Email is often the main communication tool across organisations, but it is also one of the largest security threats, with phishing connected to 36% of data breaches in 2021. With this in mind, businesses need to both educate their employees and invest in the technology that protects their corporate network. But who is responsible for ensuring these risks are mitigated? And how exactly can businesses empower their workforce to stay safe?
A rise in attacks
Whilst there has been an uptake in the use of collaboration tools such as Microsoft Teams, the volume of emails sent and received by organisations is substantially higher than before COVID-19. Businesses are also under attack as never before, a trend the pandemic only accelerated with the move to remote working. In fact, a recent report revealed that attackers are operating more strategically, by timing malicious emails to coincide with the “afternoon slump” and hit employees when they are at their least attentive. It is techniques like this that should act as a reminder for firms to remain vigilant and reinforce the importance of good cyber hygiene to ward off future attacks.
Who takes responsibility for email security?
One main cause of data breaches is negligent employees, and this often stems from a lack of education. Establishing training programmes for all employees, so they understand how to spot and react to a malicious email, is therefore an essential step in creating a strong cybersecurity environment. Occasional mistakes are inevitable wherever people are involved, which is why firms should prioritise defence strategies that assume someone will eventually click, and plan the recovery process for when they do.
As cybersecurity threats can occur daily, network protection needs to be a concern for all departments. The onus is often placed on the IT department to police email activity, but in practice good email hygiene has to be a consideration for every employee. And whilst IT teams can educate employees on important security updates, it is equally the role of management to raise concerns and incorporate cybersecurity into their regular team meetings. IT leaders must be proactive in their approach to the evolving risk landscape, but their insights must be shared and actioned by all teams if a company is to limit the chance of a data breach.
The top-down approach
Organisations should view cybersecurity as part of their top-level leadership strategy. While education needs to span the entire company, investment in protective technologies and awareness of phishing campaigns must originate from the top and travel down from the boardroom, feeding into each department. Smart leaders know that COVID-19, though unique, is not the last disaster firms will face. Boardroom executives should therefore be involved with all cybersecurity decision-making early on to ensure they are prepared for future challenges. And investing in the appropriate technology to combat attacks must be a priority. Introducing Managed Security Services to test an enterprise's vulnerability to phishing, alongside firewalls, SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting and Conformance), will all complement the staff education programmes. Note that SPF on its own only checks the envelope sender, not the From address an employee actually sees; it is DMARC, building on SPF and DKIM, that ties authentication to the visible domain, and only when its policy is set to quarantine or reject rather than the monitor-only p=none. Yet this is only possible with board buy-in.
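To make the SPF/DMARC point concrete, here is an added example (not DigitalXRAID code, and not a complete mail receiver) showing how a receiving server's DMARC check combines the SPF and DKIM results with identifier alignment, and why a record published with p=none lets a spoofed message through while p=reject stops it. The DMARC records, domains and authentication results are constructed for the example, and the organisational-domain logic is a simplification of what real receivers do with the Public Suffix List.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample DMARC TXT records (not real DNS data); example.com is a placeholder.
WEAK_RECORD = "v=DMARC1; p=none"
STRONG_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record ('tag=value; tag=value') into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % record)
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, approximated here as the last two labels.
    Assumption: a production receiver consults the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict ('s') requires an exact match with the visible
    RFC5322.From domain; relaxed ('r') accepts the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    spf_pass: bool
    spf_domain: Optional[str]   # RFC5321.MailFrom (envelope) domain SPF was checked for
    dkim_pass: bool
    dkim_domain: Optional[str]  # d= tag of a DKIM-Signature that verified


def evaluate_dmarc(record: str, from_domain: str, auth: AuthResults) -> Tuple[bool, str]:
    """Return (dmarc_pass, disposition). DMARC passes when SPF or DKIM passed AND
    that identifier aligns with the From domain; otherwise the domain owner's
    published policy (none / quarantine / reject) is the disposition."""
    tags = parse_dmarc(record)
    spf_aligned = auth.spf_pass and aligned(from_domain, auth.spf_domain, tags.get("aspf", "r"))
    dkim_aligned = auth.dkim_pass and aligned(from_domain, auth.dkim_domain, tags.get("adkim", "r"))
    if spf_aligned or dkim_aligned:
        return True, "none"
    return False, tags["p"]


def audit_dmarc(record: str) -> List[str]:
    """Flag settings that leave the domain spoofable or unmonitored."""
    tags = parse_dmarc(record)
    findings = []
    if tags["p"] == "none":
        findings.append("p=none: failing (spoofed) mail is still delivered; DMARC is monitor-only")
    if "rua" not in tags:
        findings.append("no rua: aggregate reports are not collected, so abuse goes unseen")
    if tags.get("pct", "100") != "100":
        findings.append("pct<100: policy is applied to only a fraction of failing mail")
    return findings


if __name__ == "__main__":
    # An attacker sends from their own infrastructure with a forged From: ceo@example.com.
    # SPF passes for THEIR envelope domain, which is exactly why SPF alone is not enough.
    spoof = AuthResults(spf_pass=True, spf_domain="attacker-infra.net",
                        dkim_pass=False, dkim_domain=None)
    print("weak  ->", evaluate_dmarc(WEAK_RECORD, "example.com", spoof))    # (False, 'none')
    print("strong->", evaluate_dmarc(STRONG_RECORD, "example.com", spoof))  # (False, 'reject')
    for finding in audit_dmarc(WEAK_RECORD):
        print("audit :", finding)
```

The spoofed message passes SPF in both cases; what differs is the published policy. Under the weak record the receiver reports the failure and delivers the mail anyway, so the employee still sees a convincing message from the CEO. Under the strong record the unaligned SPF result and the missing DKIM signature leave nothing to pass, and the receiver applies p=reject.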
A Zero Trust framework
Companies weaken their cybersecurity posture by allowing a distributed workforce complete freedom within the internal network once they are connected. A Zero Trust approach instead treats every asset, device and user as a potential threat: it removes the implicit trust granted for being "inside" and authenticates and authorises each request against policy. That does not stop a privileged user's account from being phished, but it limits what an attacker holding that account can reach, which reduces the blast radius of a single compromise and strengthens the security posture across the company.
Helping employees see the value in adopting a security-first mindset is critical for firms looking to improve their email hygiene, and Zero Trust can be a great foundation for a more security-focused culture. From here, further security processes can be integrated and welcomed by a more cyber-aware workforce. This can eventually lead to the implementation of a Security Operations Centre (SOC) that monitors the network day and night. Only then can business leaders be confident that they are taking reasonable precautions against an evolving threat landscape.
Firms need to prioritise building a culture of training and recognise that cybersecurity is very much a human issue. The organisations who successfully do this will considerably reduce the risk of data breaches via phishing campaigns and cultivate an environment in which employees understand how their actions can compromise their organisation.