EDITOR’S QUESTION
NICOLAI SOLLING, CTO AT HELP AG
Email continues to be one of the most exploited attack vectors for cybercriminals. Today, email is without parallel the most prevalent delivery system for social engineering, and a number of attacks start with social engineering.

The cyber security industry believes that up to 90% of all malware infections in one way or other start with e-mail. For example, ransomware, which has been the biggest cyber threat to enterprises in recent years, is most often propagated when a user is tricked into clicking a link or opening a Word file with macro malware simply because it is attached to a mail that looks legitimate or mimics something the user trusts.

There is no doubt organisations need to pay extra attention to email security. Successfully addressing this requires a two-pronged approach: educating employees and end-users, and at the same time implementing the right technical controls so that the exposure of users is minimised.

Inculcating a culture of security is essential to any modern organisation, and a company-wide security awareness initiative helps foster this. To be effective, the program needs to be holistic and on-going.
With regard to email security, employees need to be given a solid understanding of evolving threats and a comprehensive briefing on company security policies, procedures and best practices. Particularly effective would be to include a regular series of spoof phishing emails, sent to employees only and designed to teach staff to be alert to similar external phishing attempts.

I believe IT teams should do their best to ensure users have minimal threat exposure: this means good mail security solutions, URL filtering and ensuring the most common threats do not come through in the first place. It puzzles me when organisations allow unsolicited emails with Office attachments to get to the end user without first removing harmful elements such as macros and scripts.
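As an added illustration of the macro-removal control described above (example code written for this page, not code from the article or from Help AG), assuming a gateway that holds the raw attachment bytes: the routine below inspects a Word OOXML attachment for an embedded VBA project and produces a macro-free copy; the sample .docm, the `parts`, `has_macros` and `strip_macros` helpers are all constructed for this example.

```python
import io
import re
import zipfile

MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
VBA_REL = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
STYLES_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"

def build_sample_docm() -> bytes:
    """Constructed sample: a minimal macro-enabled Word file (.docm) built as an in-memory zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<Types><Default Extension="bin" ContentType='
                   '"application/vnd.ms-office.vbaProject"/><Override PartName="/word/document.xml" '
                   f'ContentType="{MACRO_MAIN}"/></Types>')
        z.writestr("word/_rels/document.xml.rels", '<Relationships><Relationship Id="rId1" '
                   f'Type="{STYLES_REL}" Target="styles.xml"/><Relationship Id="rId2" '
                   f'Type="{VBA_REL}" Target="vbaProject.bin"/></Relationships>')
        z.writestr("word/document.xml", "<w:document><w:body><w:p>Invoice attached</w:p></w:body></w:document>")
        z.writestr("word/styles.xml", "<w:styles/>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder blob, not real VBA (constructed)")
    return buf.getvalue()

def parts(data: bytes) -> dict:
    """Map every part name in the OOXML package to its bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return {n: z.read(n) for n in z.namelist()}

def has_macros(data: bytes) -> bool:
    """A VBA part or a macro-enabled main content type means the attachment carries macros."""
    p = parts(data)
    ctypes = p.get("[Content_Types].xml", b"").decode("utf-8", "replace")
    return any(n.lower().endswith("vbaproject.bin") for n in p) or "macroEnabled" in ctypes

def strip_macros(data: bytes) -> bytes:
    """Rebuild the package without VBA parts, drop relationships that pointed at them,
    and downgrade the main content type so Office treats the result as a plain document."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name.lower().endswith(("vbaproject.bin", "vbadata.xml")):
                continue  # the macro payload itself is not copied
            body = src.read(name)
            if name.endswith(".rels"):  # a dangling relationship would corrupt the file
                body = re.sub(rb"<Relationship\b[^>]*vbaProject[^>]*/>", b"", body)
            elif name == "[Content_Types].xml":
                body = body.replace(MACRO_MAIN.encode(), PLAIN_MAIN.encode())
            dst.writestr(name, body)
    return out.getvalue()
```

A production gateway would also rename the delivered file from .docm to .docx and apply the same treatment to Excel and PowerPoint packages; this block covers only the Word case.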
Many organisations also fail to realise that it isn’t only spam and email-based malware that they need to protect against. There are other threats such as impostor email: low-volume, hard-to-detect threats that have cost businesses more than $2.3 billion and yet cannot be detected by solutions that only look for malware. Email solutions which incorporate reputation assessment and classification are needed to combat this.

Organisations must also employ encryption, which offers more control and protection around the sensitive data that is being transmitted. It is an inherent part of security strategies, and the large majority of enterprises have encryption in place in one form or another. It doesn’t really matter if one is using web-based encryption services, on-premises at the gateway or on the endpoints: there simply is no way without encryption.

The unfortunate truth is we’re unlikely to ever see email communication become 100% secure, but the closer organisations get to that goal, the less likely it is that they will be attacked. Ultimately, cyber criminals too have resource constraints and are most likely to go after the lowest-hanging fruit. By ensuring that you’re a step ahead of the others, you can dramatically reduce the chances of falling victim to email threats.
www.intelligentcio.com