Email is at the heart of modern business. It’s how we communicate with colleagues and stakeholders, and it’s therefore essential that lines of communication are secure.
A vulnerability in your email systems could lead to cyber criminals compromising sensitive information, resulting in a data breach.
Negligent employees also pose a risk. They are liable to accidentally email information to the wrong person, creating another opportunity for security incidents.
To mitigate these risks, organisations must ensure that they have effective email security processes in place. This includes the techniques that are used to secure email accounts against unauthorised access, data loss and outages.
Why you need email security
Email-based threats are among the most common that organisations face. According to Cisco’s 2021 Cybersecurity Threat Trends report, approximately 90% of data breaches result from malicious emails.
Meanwhile, Tessian research found that 58% of employees admit to having sent an email to the wrong person. Where such an email contains personal data or a sensitive attachment, the mistake is itself a data breach.
Cyber criminals can also exploit poor email practices. Proofpoint’s 2022 State of the Phish report found that 91% of UK organisations faced bulk email scams last year.
These attacks, known as ‘phishing’, can have wide-ranging consequences – with Proofpoint finding that the following were the most common:
- Breach of customer or client data (54%)
- Credential/account compromise (48%)
- Ransomware (46%)
- Loss of data or intellectual property (44%)
- Malware (27%)
- Reputational damage (24%)
- Widespread network outage or downtime (22%)
- Advanced persistent threat (18%)
- Financial loss or fraud (17%)
- Zero-day exploit (15%)
- Financial penalty (11%)
But it’s not simply that email-based security threats are an ever-present problem; it’s that the problem is getting worse. Proofpoint’s research found that the proportion of organisations that suffered at least one successful email-based attack rose from 57% in 2020 to 83% in 2021.
This suggests that such attacks are becoming both more common and more sophisticated, and that organisations are failing to keep pace with the growing threat.
Security risks of email
It’s clear that poor email practices present a cyber security risk, but what exactly do organisations need to look out for?
One issue is human error, with two common problems standing out. The first is the prospect of employees sending sensitive information to the wrong person.
This can easily be done if the email system has an auto-complete function when using the ‘to’ field. Employees might inadvertently select someone with a similar name, and as a result send them information that they weren’t meant to see.
The second problem stems from a misunderstanding of Cc (carbon copy) and Bcc (blind carbon copy). It’s common practice to Cc someone into an email if the message isn’t intended for them specifically but the content is relevant to them.
Bcc performs a similar function, but the other recipients can’t see who is included in the message. Confusing the two – putting a distribution list in Cc rather than Bcc, which exposes every recipient’s address to everyone else on the message, or using Reply All to a message that was meant for one person – can create data privacy headaches and result in breaches.
You can learn more about these problems with GRC eLearning’s GDPR: Email Misuse Staff Awareness E-Learning Course.
It provides in-depth guidance on the ways human error can result in email-based data breaches, and explains how such mistakes affect your GDPR compliance.
Another email-based security risk is the possibility of cyber criminals stealing employees’ login credentials. If a fraudster gains access to a legitimate account, they could access vast amounts of sensitive information and use the compromised credentials to launch further attacks.
For example, the criminal could masquerade as the person who the account belongs to and ask another employee to send them a file containing sensitive information.
These types of breaches often occur because employees practise poor password habits. They might, for example, choose a common phrase or dictionary word that is easy for a scammer to guess.
Alternatively, they might reuse the same credentials on multiple sites. This is dangerous because, if one account is compromised, attackers can try the same username and password against every other service the victim uses.
In many professions, it’s easy to find out where someone works by searching for them online. Indeed, if you have a Facebook or LinkedIn account, you may well be advertising it publicly.
Once attackers have this information, they can find your email address and attempt to compromise the account.
A related cyber security risk is phishing. We mentioned it earlier – a type of scam in which cyber criminals masquerade as a legitimate person or organisation in an attempt to trick the recipient into handing over credentials, money or sensitive information.
Although technologies such as spam filters and anti-malware software can help detect phishing emails, they are never one hundred percent effective.
This is truer than ever, with scammers using increasingly sophisticated tools to outsmart defence mechanisms. It’s why organisations must teach employees how to spot phishing emails when they do make it into people’s inboxes.
Fortunately, there are usually tell-tale signs that a message isn’t what it appears to be. For example, phishing emails often contain non-personalised greetings, spelling and grammatical errors, an artificial sense of urgency, and links to unfamiliar websites – frequently with the visible link text naming a different site from the one the link actually points to.
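The same tell-tale signs can be checked mechanically, which is how a mail gateway or an analyst triaging a reported message would approach them. The following is an added example, not code from the original article or from GRC eLearning: it parses a raw message with Python's standard `email` library and flags a generic greeting, urgency wording, a Reply-To that does not match the sender's domain, anchor text that names a different host from the real link target, and links that point away from the sender's domain. Both messages and the indicator word lists are constructed for illustration and are assumptions, not rules from any product.

```python
"""Heuristic phishing-indicator checks over a raw RFC 5322 message.

Added example. The indicator lists and both sample messages are constructed
assumptions; none of the indicators is proof on its own, they are triage hints.
"""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed word lists; a real deployment would tune these per organisation.
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued customer",
                     "dear account holder")
URGENCY_WORDS = ("immediately", "within 24 hours", "suspended",
                 "verify your account", "urgent")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value: str) -> str:
    """Lower-cased hostname from a URL or bare domain string."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def _addr_domain(addr_spec: str) -> str:
    return addr_spec.rsplit("@", 1)[-1].lower()


def _same_or_sub(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def phishing_indicators(raw: bytes) -> list:
    """Return the indicator names found in the message, in check order."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    from_hdr = msg.get("From")
    sender_domain = (_addr_domain(from_hdr.addresses[0].addr_spec)
                     if from_hdr and from_hdr.addresses else "")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    text = re.sub(r"<[^>]+>", " ", body).lower()   # tag-stripped body text

    if any(g in text for g in GENERIC_GREETINGS):
        findings.append("generic_greeting")
    if any(w in text for w in URGENCY_WORDS):
        findings.append("urgency_language")

    # Replies silently redirected to another domain are a classic BEC tell.
    reply_to = msg.get("Reply-To")
    if reply_to and reply_to.addresses:
        if _addr_domain(reply_to.addresses[0].addr_spec) != sender_domain:
            findings.append("reply_to_mismatch")

    collector = _LinkCollector()
    collector.feed(body)
    # Visible text that looks like a URL/domain but names a different host.
    if any("." in visible and " " not in visible and _host(visible) != _host(href)
           for href, visible in collector.links):
        findings.append("link_text_mismatch")
    # Any link whose host is outside the claimed sender's domain.
    if any(_host(href) and sender_domain and not _same_or_sub(_host(href), sender_domain)
           for href, _ in collector.links):
        findings.append("link_off_sender_domain")
    return findings


# Constructed sample: a credential-harvesting lure.
PHISH_RAW = b"""From: "PayBank Security" <alerts@paybank-secure.example>
Reply-To: support@collect-mail.example
To: alice@corp.example
Subject: Action required: your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>Unusual activity was detected. Please verify your account within 24 hours
or it will be suspended.</p>
<p><a href="http://paybank-secure.example.attacker.example/login">https://www.paybank.example/login</a></p>
</body></html>
"""

# Constructed sample: an ordinary internal message.
BENIGN_RAW = b"""From: "Bob Smith" <bob@corp.example>
To: alice@corp.example
Subject: Q3 report
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi Alice,</p><p>The draft is on the wiki:
<a href="https://wiki.corp.example/q3">https://wiki.corp.example/q3</a></p></body></html>
"""

if __name__ == "__main__":
    print("phish :", phishing_indicators(PHISH_RAW))
    print("benign:", phishing_indicators(BENIGN_RAW))
```

None of these checks replaces sender authentication or URL reputation; the value is that each one corresponds to a sign a trained employee is told to look for, so the output doubles as an explanation when a flagged message is shown to the user.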
To help employees identify these clues, organisations should provide regular training courses.
With GRC eLearning’s Phishing Staff Awareness E-learning Course, you’ll receive everything you need to educate and empower your employees.
This online course uses real-world examples to explain how phishing works, what could happen should they fall victim, and how individuals can mitigate the threat of an attack.
Plus, the content is updated quarterly to stay up to date with the latest tricks and techniques so you can be sure that the lessons you learn are practical and relevant.
The course also contains knowledge checks at the end of each section and a final assessment upon completion of the course. This ensures that staff understand the course content, and gives them clarity on anything they may have misunderstood.
A version of this blog was originally published on 14 December 2018.