Human error is one of the biggest security threats organizations face today.
According to Verizon’s 2021 DBIR Report, 85% of data breaches are caused by human error. And a new research report from Forrester shows that 61% of security and risk leaders think their next data breach will be caused by human error.
So, what mistakes are causing these breaches? It could be an employee accidentally leaking data on email, or getting scammed by a phishing attack. Security professionals regularly talk about the need for technology to solve the problem, alongside ongoing training and education. But training is not always done on a regular basis. And if it is, how effective is it? Frankly, will employees even pay attention?
That’s why we asked members of the IDG Influencer Network – a community of journalists, industry analysts, and IT professionals who contribute their knowledge and expertise to IDG clients – an important question: What are the biggest challenges organizations face in preventing email security threats caused by human error?
There are many things that can go wrong when people open emails, click on links, or download attachments, says Isaac Sacolick (@nyike), president of StarCIO and a digital transformation leader and influencer.
“One of the biggest challenges that organizations face is [providing] clear and consistent training,” such as phishing simulations, says IT director Adam Martin (@colttrickle). “This has to be done on a regular basis for the behavior change to occur. Doing this type of training annually or bi-annually is typically not effective.”
“Educating employees is a significant challenge, especially since the average employee is inundated with too many emails and has little time to evaluate risks when trying to get their work done,” Sacolick says. “The biggest challenge is recognizing that people make mistakes — many unpreventable — and IT must have safety nets to address external risks like phishing attacks and internal risks such as accidental data loss.”
“With millions more people now working from home and on the move, often using their own personal devices, there is a greatly increased risk of a cyber breach taking place,” says Sridhar Iyengar (@isridhar), managing director of Zoho Europe. “Dealing with these risks not only requires the right security software and encryption in place, it also requires companies to train staff to identify and prevent potential cyber risks.”
This requires ongoing investment and effort from companies to ensure human errors are minimized, and properly and quickly mitigated in case an incident occurs, Iyengar says.
But simply making security awareness and phishing training mandatory is not enough; organizations must develop a security-first mindset.
“Employees need ongoing reinforcement of email security at the department and even the project level,” says Scott Schober (@ScottBVS), president and CEO of Berkeley Varitronics Systems. “Email security needs to become part of the continuing business and project discussions.”
Unprotected endpoints are a culprit
As long as humans rely on insecure platforms such as email, there will always be security challenges, says Schober.
“Phishing attacks and spam prey upon basic human curiosity, fear, greed, and laziness,” Schober says. “Since it only takes a single click for a phishing email to install malware or steal passwords, email remains one of the best attack vectors due to its insecure nature, ubiquity, and proximity to entire computer networks.”
But inbound attacks aren’t the only threat security leaders need to worry about. Misdirected emails are the number one type of breach reported to the Information Commissioner’s Office, and according to one report, at least 800 misdirected emails are sent every year in organizations with 1,000 or more employees.
“Most computer users have been using email regularly now for over 25 years so it takes a lot of training to unlearn those unsafe habits that have been forming for so long,” Schober says.
What can be done
The IDG Influencers offered several tips for how to handle email security threats. Frank Cutitta (@fcutitta), CEO and founder of HealthTech Decisions Lab, recalls recently speaking with a healthcare CIO who had nightmares during the coronavirus pandemic due to the volume of phishing emails being sent to former patients about bogus government subsidies for COVID-19 long-haulers.
“Sophisticated robotic process automation platforms that catch or reduce human error are becoming critical elements in the cybersecurity portfolio,” Cutitta says.
And it makes sense. Legacy email security solutions don’t engage users in a meaningful way, and they cannot account for anomalies they have never seen before. That’s where AI comes in.
“AI must be used to help eliminate human error in order to protect the company from threats,” says Jeff Kagan (@jeffkagan), an industry analyst and columnist.
But processes can help, too.
“A strong, unique password coupled with MFA [multi-factor authentication] is essential for each mail account, and users need to be extra vigilant when considering opening attachments or clicking links in an email,” says cybersecurity leader Dave Hatter (@DaveHatter).
“The ‘from’ address and the content are easily spoofed,” he adds. “When there is even a hint of doubt: Stop, think, protect. Err on the side of caution. Go ‘out-of-band,’ don’t click any links or use any information in a questionable email; use trusted sites to find legitimate contact for the organization that purports to have sent the email, and contact them directly to confirm the legitimacy.”
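The header checks Hatter alludes to can be partly automated on the receiving side. The following is an added example, not code from the article or any vendor it mentions: it parses a constructed message and flags three common signs of a spoofed sender (an address-like display name whose domain differs from the real From address, a Reply-To pointing at another domain, and a non-passing DMARC result in Authentication-Results). The domains and headers are made up for illustration.

```python
"""Flag header-level signs that an email's apparent sender is not its real one.
Added example; all sample messages and domains below are constructed."""
import email
import re
from email.utils import parseaddr

# Matches an email address embedded in free text (e.g. inside a display name).
ADDR_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[\w-]+")

# Constructed: display name impersonates the company's IT desk, the real
# address and Reply-To sit on unrelated domains, and DMARC failed.
SPOOFED_RAW = """\
From: "it-support@corp.example" <alerts@mail-relay.example>
Reply-To: helpdesk@reply-collector.example
To: alice@corp.example
Subject: Password expires today
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mail-relay.example; dmarc=fail header.from=corp.example

Click the link to keep your password.
"""

# Constructed: an ordinary internal message that should raise no findings.
CLEAN_RAW = """\
From: Bob <bob@corp.example>
To: alice@corp.example
Subject: Lunch
Authentication-Results: mx.corp.example; dmarc=pass header.from=corp.example

Noon?
"""


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_findings(raw):
    """Return a list of human-readable reasons the sender looks spoofed."""
    msg = email.message_from_string(raw)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    # 1. Display name shows an address on a different domain than the real sender.
    for claimed in ADDR_RE.findall(display):
        if domain_of(claimed) != from_domain:
            findings.append(f"display name shows {claimed} but sender is {from_addr}")
    # 2. Replies are diverted to a domain other than the From domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To {reply_to} is on a different domain than From")
    # 3. The receiving MTA recorded a DMARC result other than pass.
    dmarc = re.search(r"dmarc=(\w+)", msg.get("Authentication-Results", ""))
    if dmarc and dmarc.group(1).lower() != "pass":
        findings.append(f"DMARC result is {dmarc.group(1)}")
    return findings
```

Any finding is a cue to take the message out of band rather than act on it; the checks are heuristics, and a clean result does not prove a message is genuine.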
Normalize the conversation
Highlighting email security threats must become an important topic for the executive leadership team. “If they do not see the value in it, you will be fighting a losing battle. There has to be an overall change in mindset around this topic,” says Martin.
“The biggest challenge I see is making email security part of the business conversation,” adds Will Kelly (@willkelly), product and content marketing manager focused on DevOps and the cloud.
IT must make users understand that no matter how small an organization is, their data is valuable to hackers, and that email compromises can lead to theft of intellectual property or worse — like significant financial fraud, says Hatter, referring to firsthand knowledge of organizations that have lost hundreds of thousands of dollars to business email compromises.
“The best defense is cultivating a company-wide, security-first mindset and continuous training to help employees understand threats and vulnerabilities,” says Gene De Libero (@GeneDeLibero), chief strategy officer at GeekHive.com. “It’s also necessary to employ intelligent technology that proactively prevents email security threats — especially those caused by human error from inside your organization.”