By Dave Alison, Senior Vice President of Products With an estimated 40% of ransomware attacks starting through email, and phishing attacks accounting for 80% of reported security incidents, it’s no secret that email security is a top concern for businesses these days. To take it a step further, RiskIQ reports that $17,700 is lost every minute due to phishing attacks – you read that right, every minute!
So, what are you to do? How do you keep up?
How do you stop these threat actors whose sole reason for existence is to find new ways to penetrate even the best security systems? You train your employees. Groundbreaking, right? You’ve heard that before. But not just train your employees to spot suspicious or malicious emails, you need to take it a step further. What’s needed is for humans to report the emails you’ve trained them to spot. Employees need to be empowered, encouraged, and even motivated to report suspicious activity.
Why?
Because they can be the force multiplier. We know because we see it every day. According to Cofense Intelligence, for every one email reported by a user, an average of 20 additional malicious emails are removed from inboxes around the world. Yes, one reported email is a 20X multiplier. Oh, and those 20 additional emails, they come from an average of four other companies in the Cofense Global Intelligence Network who would have been impacted. With over 35 million reporters worldwide, you can begin to see the impact your employees can have. It’s no longer “good enough” to just recognize questionable cybersecurity activity that may threaten the organization. If all we focus on is recognizing suspicious or malicious emails, we are basically setting up an ineffective neighborhood watch program.
What’s the point of seeing something suspicious if you don’t report it?
As one of the most important lines of defense, employees must learn to not only identify but report questionable activity as it benefits their organization and all those around them. Sure, technology plays a role in helping organizations defend against cyberattacks like phishing, business email compromise (BEC), and ransomware. However, technology alone isn’t good enough, and anyone who says it is, well, is frankly, short-sighted. It only takes one breach to damage a company’s financial status, brand reputation, and/or relationship with its employees and customers. “Good enough” is a risky strategy when it comes to cybersecurity. The industry has made significant progress with all the work being done around artificial intelligence (AI) and machine learning (ML). Both AI and ML are helping to create automation, lightening the load of security operations center analysts who are often overwhelmed by massive amounts of alerts, notifications, and investigations.
The reality is that technology can only take us so far because the threat actors are always evolving their techniques and finding new ways to penetrate these systems.
As a matter of fact, we know that even today, on average almost 50% of URL attacks that are presented to the most respected secure email gateways (SEGs) in the industry are getting through that technology and reaching employees’ inboxes. That is why a strong employee reporting culture is critical to a successful security strategy. There hasn’t been an AI system built to detect something strange, targeted at an employee, better than a trained human.
Most awareness training, as well as pretty much every SEG vendor out there, claim people are the issue and many organizations are taking that cue and treating employees as risks to be mitigated, as opposed to assets to be trained and empowered. Through positive reinforcement, real-life simulation, and by creating a culture where employees embrace their important role in defending the organization, employees can serve as a force multiplier in your battle against cyberattacks. It truly is a better-together story. Technology isn’t as agile as humans, and humans aren’t as fast as technology in sharing. We firmly believe that operationalizing human-discovered, crowdsourced intelligence and positively reinforcing a reporting employee culture is the only way to be successful in defending your organization against these criminal actors.