It’s an undeniable fact: these days, email has become one of the main vectors for cyberattacks against companies.  According to the recent 2018 Email Security Trends report by Barracuda, 87% of IT security professionals have admitted that their company has faced some kind of threat via email in the last year. This has led three quarters of the professionals surveyed to be more concerned about this risk factor now than they were five years ago.

And this concern hasn’t appeared out of the blue. The same study has shown that 81% of heads of corporate IT security have noticed an increase in the number of cases compared to the situation one year ago.  What’s more, a quarter of the professionals who agree with this statement qualify the increase as “drastic”.

But why is the volume of cyberattacks carried out over email on the up?  Just like with other kinds of threats, the success of these attacks can be put down to human error: whether it’s due to a lack of time to stop and assess the authenticity of the email, or because of our innate sense of curiosity or compassion, mechanisms like social engineering do exactly what they set out to achieve. This is the opinion shared by the vast majority of the IT professionals surveyed; they single out “poor employee behavior” as their main concern when dealing with these cyberthreats.

Mitigation costs are rising drastically

The economic consequences of these attacks are also increasing.  81% of heads of cybersecurity agree with this statement, emphasizing, in 22% of cases, that the costs stemming from mitigating a security breach have grown very significantly.

Of the different types of malicious actions that can financially damage a company via email, information theft, ransomware, and BEC scams are the most costly.  In other words, we’re facing two types of cyberattacks: on the one hand, we have attacks that seek to make a profit by attacking a company’s information and either selling it, or kidnapping it in order to demand a ransom. On the other hand, we see attacks whose aim is to trick an employee who has access to the company finances into making a transfer to the cybercriminals without realizing.  In a previous post, we saw how this last kind of scam, Business Email Compromise, became the most lucrative cybercrime of 2017 in the USA.

How can I deal with this threat in my company?

The fact that human error plays such a key role in the success of this kind of scam of course means that companies must train employees at all levels to pay attention to tell-tale signs in suspicious emails: how they’re written, spelling, or the kind of links they contain.  Likewise, they must get into the habit of thoroughly verifying the supposed intention of any emails received: for example, by checking with the finance department that the bank transfer that they are being asked for is legitimate, in order to avoid BEC scams.

But is this enough? The heads of IT security who responded also recommended some other measures that should be kept in mind:

  • Phishing drills: This highly effective method to test the possible negative effects of phising consists of surprising your employees with this kind of email, to see how they react. Those who get tricked by the email will have learned for themselves the type of behavior they must avoid in the future, whereas those who pass the test will still be alert as they were before.
  • Social engineering detection: This requires a specific, practical training process for employees. The aim is to make sure they ask themselves a series of questions before replying or paying attention to a dubious email. Here are some examples of this type of question: “Can a third party help me verify the identity of the person who is contacting me?”, “Am I really authorized to carry out the thing they’re asking me to do?”, “Is the action or information that they are requesting public?”
  • Encrypting emails: To avoid the possible theft of emails containing confidential information, your company must have a system that encrypts all emails sent by employees, making it necessary to introduce an additional password in order to gain access to the content of the email.
  • Having an advanced cybersecurity solution: Using a suite like Panda Adaptive Defense will help you to detect any possible attempts to attack your company via email, thanks to the use of cognitive intelligence and a real time detection system. This way, you will avoid possible financial losses that can result from this kind of cyberattack.