People Are The Greatest Asset To Thwart Modern Email Security Threats
Defenders Do Not Focus On People, But The Attackers Do
Cyber criminals are increasingly targeting people for their attacks, largely via email, rather than systems and infrastructure. And nearly 100% of these attacks require a human to click. Security teams are spending an inordinate amount of time responding to phishing attacks.
Multiple approaches exist for email security, which creates a lot of noise in the market. With changes occurring in the email threat landscape, legacy security solutions may not be able to detect and respond to modern day threats. Taking a holistic approach not only considers the potential for solution integration but also embraces the workforce, digital transformation objectives and the growth goals that organizations desire.
Cyber Security Hub hosted a webinar on email security trends with Nikki Cosgrove and Matt Cooke from Proofpoint that examined email security strategies to prevent, defend and respond against modern day threats along with steps that enterprises can take to protect the digital workforce from email-based targeted attacks.
In this webinar recap, we focus on changing behaviors within the organization.
Your Best Line Of Defense: People
People can be the best line of defense if they are educated on what a phishing email looks like. One approach is to implement a closed-loop email analysis. This includes sandboxing questionable email reported to the abuse mailbox (whether it has been seen before or not), automating the screening of each message, and giving the security team a way to see where additional education opportunities exist, so that limited resources are focused in the right place.
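The closed loop described above, as an added example that is not code from the webinar or from Proofpoint: reports forwarded to the abuse mailbox are fingerprinted so that a lure already under analysis is not sandboxed twice, new lures are queued for the sandbox, and the per-person tallies show the security team who reported a message without clicking (positive reinforcement) and who clicked before reporting (where training time is best spent). It assumes each report arrives as the raw message text plus the reporter's name and a clicked flag taken from existing click telemetry; the three sample reports are constructed for this example.

```python
"""Closed-loop triage of an abuse mailbox (added example, not the webinar's code).

Assumptions: reports are (reporter, raw RFC 5322 text, clicked) tuples, where
`clicked` comes from URL-rewrite or proxy telemetry the organisation already has.
"""
import hashlib
import re
from collections import Counter
from email import message_from_string, policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def fingerprint(raw):
    """Stable identifier for a lure: normalised subject + URLs + attachment hashes.

    Two copies of one campaign reported by different people map to the same
    fingerprint, so the sandbox is only asked once per lure.
    """
    msg = message_from_string(raw, policy=policy.default)
    subject = re.sub(r"\s+", " ", (msg["subject"] or "").lower()).strip()
    urls, attachments = set(), []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            attachments.append(hashlib.sha256(part.get_payload(decode=True)).hexdigest())
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.update(URL_RE.findall(part.get_content()))
    material = subject + "|" + "|".join(sorted(urls)) + "|" + "|".join(sorted(attachments))
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def triage(reports, known_verdicts=None):
    """Route each report: auto-close if the lure has a verdict, else queue for sandbox.

    Also keeps per-person counts of reports and clicks for the education loop.
    """
    verdicts = dict(known_verdicts or {})
    sandbox, auto_closed = [], []
    reported, clicked = Counter(), Counter()
    for reporter, raw, did_click in reports:
        fp = fingerprint(raw)
        reported[reporter] += 1
        if did_click:
            clicked[reporter] += 1
        if fp in verdicts:
            auto_closed.append((reporter, fp, verdicts[fp]))
        else:
            verdicts[fp] = "pending-sandbox"  # dedupes a second copy in the same batch
            sandbox.append((reporter, fp))
    return {"sandbox": sandbox, "auto_closed": auto_closed,
            "reported": reported, "clicked": clicked, "verdicts": verdicts}


def education_summary(result):
    """Where limited training time should go, and who deserves a thank-you."""
    coach = sorted(user for user, n in result["clicked"].items() if n > 0)
    praise = sorted(user for user in result["reported"] if result["clicked"][user] == 0)
    return {"coach": coach, "praise": praise}


def _build(subject, body, attachment=None):
    """Constructed sample message (not a real lure) in raw RFC 5322 form."""
    m = EmailMessage()
    m["From"] = "it-helpdesk@example.invalid"
    m["To"] = "staff@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attachment is not None:
        m.add_attachment(attachment, maintype="application",
                         subtype="octet-stream", filename="invoice.docm")
    return m.as_string()


# Constructed reports: alice and bob report the same lure (subject spacing differs),
# bob clicked before reporting; carol reports a different lure with an attachment.
SAMPLE_REPORTS = [
    ("alice", _build("Password expires today", "Reset here: https://login.example.invalid/reset"), False),
    ("bob", _build("Password  expires  today", "Reset here: https://login.example.invalid/reset"), True),
    ("carol", _build("Invoice attached", "Please review.", b"constructed placeholder bytes"), False),
]

if __name__ == "__main__":
    outcome = triage(SAMPLE_REPORTS)
    print("queue for sandbox:", outcome["sandbox"])
    print("auto-closed:", outcome["auto_closed"])
    print("education:", education_summary(outcome))
```

The fingerprint deliberately ignores sender and recipient, which attackers vary per target, and keys on what stays constant across a campaign: the subject wording, the links and the attachment bytes. Feeding sandbox verdicts back into `known_verdicts` on the next run is what closes the loop.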
Recipes For Less Phishy Emails And Addressing Acceptable Liability
At the close of the presentation, the speakers took time to answer questions about creating less phishy emails and acceptable liability for repeat offenders.
Q: Human behavior suggests that people want to be trusting of others and therefore click on everything. Do you have some best practices for creating email messages that are less phishy?
[Matt Cooke] The sophistication of attacks is adapting, and they are looking more and more authentic. Security people need to train the recipients so they know what to be looking for, but also implement best practices on the back end. Your email deliveries need to come from a trusted source. That helps give a view of trust. Internal email accounts that may have been compromised (and are therefore sending phishing emails) also need to be monitored.
[Nikki Cosgrove] In the attack profile, you know who is being targeted in your organization and the specific types of threats that profile faces. A technique you can use is to pass through the real emails that have been blocked by email security. If the email in question can be passed through without the actual compromise, will the user actually click? This can be used as a learning opportunity to help workers identify risky messages, attachments and links on their own.
Q: In a heavily regulated industry, what is the latest in acceptable liability as it relates to workers that are repeat offenders?
[Nikki Cosgrove] We have to appreciate that most people are simply trying to do their job. And some people make mistakes. If opening a Word document is a common job activity, should the person be punished? Consider providing incentives to workers that reinforce positive behavior. Otherwise, the security department gets put in the position of being the people that say no to everything. As security professionals, you have to think about the technical controls. Rather than blaming the person, change access or implement MFA for only them. More carrot, less stick!
This recap focused on changes in education and awareness of the workforce related to email security. We encourage you to watch the on-demand webinar playback to hear more about building rapport with the workforce as well as:
- Real-world examples of attackers looking for email user vulnerabilities
- The shift in strategy to 3 specific types of highly-targeted attacks
- How defenders do not focus on people, but the attackers do
- The need for adaptive controls to align with individual access requirements
- Selecting the right email security deployment model for your organization