Human error is one of the biggest security threats organizations face today.

According to Verizon’s 2021 DBIR Report, 85% of data breaches are caused by human error. And, a new research report from Forrester shows that 61% of security and risk leaders think their next data breach will be caused by human error.

So, what mistakes are causing these breaches? It could be an employee accidentally leaking data on email, or getting scammed by a phishing attack. Security professionals regularly talk about the need for technology to solve the problem, alongside ongoing training and education. But training is not always done on a regular basis. And if it is, how effective is it? Frankly, will employees even pay attention?

That’s why we asked members of the IDG Influencer Network – a community of journalists, industry analysts, and IT professionals who contribute their knowledge and expertise to IDG clients – an important question: What are the biggest challenges organizations face in preventing email security threats caused by human error?

There are many things that can go wrong when people open emails, click on links, or download attachments, says Isaac Sacolick (@nyike), president of StarCIO and a digital transformation leader and influencer.

Training woes

“One of the biggest challenges that organizations face is [providing] clear and consistent training,” such as phishing simulations, says IT director Adam Martin (@colttrickle). “This has to be done on a regular basis for the behavior change to occur. Doing this type of training annually or bi-annually is typically not effective.”

“Educating employees is a significant challenge, especially since the average employee is inundated with too many emails and has little time to evaluate risks when trying to get their work done,” Sacolick says.
“The biggest challenge is recognizing that people make mistakes — many unpreventable — and IT must have safety nets to address external risks like phishing attacks and internal risks such as accidental data loss.”

“With millions more people now working from home and on the move, often using their own personal devices, there is a greatly increased risk of a cyber breach taking place,” says Sridhar Iyengar (@isridhar), managing director of Zoho Europe. “Dealing with these risks not only requires the right security software and encryption in place, it also requires companies to train staff to identify and prevent potential cyber risks.”

This requires ongoing investment and effort from companies to ensure human errors are minimized, and properly and quickly mitigated in case an incident occurs, Iyengar says.

But simply making security awareness and phishing training mandatory is not enough; organizations must develop a security-first mindset.

“Employees need ongoing reinforcement of email security at the department and even the project level,” says Scott Schober (@ScottBVS), president and CEO of Berkeley Varitronics Systems. “Email security needs to become part of the continuing business and project discussions.”

Unprotected endpoints are a culprit

As long as humans rely on insecure platforms such as email, there will always be security challenges, says Schober.

“Phishing attacks and spam prey upon basic human curiosity, fear, greed, and laziness,” Schober says. “Since it only takes a single click for a phishing email to install malware or steal passwords, email remains one of the best attack vectors due to its insecure nature, ubiquity, and proximity to entire computer networks.”

But inbound attacks aren’t the only threat security leaders need to worry about.
Misdirected emails are the number one type of breach reported to the Information Commissioner’s Office, and according to one report, at least 800 misdirected emails are sent every year in organizations with 1,000 or more employees.

“Most computer users have been using email regularly now for over 25 years so it takes a lot of training to unlearn those unsafe habits that have been forming for so long,” Schober says.

What can be done

The IDG Influencers offered several tips for how to handle email security threats. Frank Cutitta (@fcutitta), CEO and founder of HealthTech Decisions Lab, recalls recently speaking with a healthcare CIO who had nightmares during the coronavirus pandemic due to the volume of phishing emails being sent to former patients about bogus government subsidies for COVID-19 long-haulers.

“Sophisticated robotic process automation platforms that catch or reduce human error are becoming critical elements in the cybersecurity portfolio,” Cutitta says.

And it makes sense. Legacy email security solutions don’t engage users in a meaningful way and unknown anomalies aren’t accounted for. That’s where AI comes in.

“AI must be used to help eliminate human error in order to protect the company from threats,” says Jeff Kagan (@jeffkagan), an industry analyst columnist.

But processes can help, too.

“A strong, unique password coupled with MFA [multi-factor authentication] is essential for each mail account, and users need to be extra vigilant when considering opening attachments or clicking links in an email,” says cybersecurity leader Dave Hatter (@DaveHatter).

“The ‘from’ address and the content are easily spoofed,” he adds. “When there is even a hint of doubt: Stop, think, protect. Err on the side of caution.
Go ‘out-of-band,’ don’t click any links or use any information in a questionable email; use trusted sites to find legitimate contact for the organization that purports to have sent the email, and contact them directly to confirm the legitimacy.”

Normalize the conversation

Highlighting email security threats must become an important topic for the executive leadership team. “If they do not see the value in it, you will be fighting a losing battle. There has to be an overall change in mindset around this topic,” says Martin.

“The biggest challenge I see is making email security part of the business conversation,” adds Will Kelly (@willkelly), product and content marketing manager focused on devops and the cloud.

IT must make users understand that no matter how small an organization is, their data is valuable to hackers, and that email compromises can lead to theft of intellectual property or worse — like significant financial fraud, says Hatter, referring to firsthand knowledge of organizations that have lost hundreds of thousands of dollars to business email compromises.

“The best defense is cultivating a company-wide, security-first mindset and continuous training to help employees understand threats and vulnerabilities,” says Gene De Libero (@GeneDeLibero), chief strategy officer at GeekHive.com. “It’s also necessary to employ intelligent technology that proactively prevents email security threats — especially those caused by human error from inside your organization.”