It's a human issue when it comes to email security.

by Benjamin B. EmailAuth

Phishing is the underlying cause of 32% of security breaches, according to research. Email is the most common point of entry for malware, providing access in 94 percent of cases.

Just last week, the UK government's Cyber Security Breaches Survey revealed that this worrying trend has not changed: 91% of big organizations are most likely to report phishing attacks as the source of a data breach, up from 72% to 83% in the previous four years. In the meanwhile, reports of other threats, such as computer viruses, have significantly decreased.

Regardless of whether anti-malware software, firewalls, Sender Policy Framework (SPF), or Domain-based Message Authentication, Reporting, and Conformance (DMARC) solutions are in place, phishing emails are reaching organizations and individuals at an unprecedented rate, causing more consistent bad impacts than many other security threats combined. Due to the severity of certain phishing attacks and the scale of the businesses attacked, they have even made headlines.

FatFace recently paid a $2 million ransom after cybercriminals infiltrated their network via a phishing email, harvesting 200GB of data, including workers' bank account information. The original ransom of $8 million would have essentially put the shop out of business, as it was only making 25% of its usual revenue due to the pandemic. This should act as a chilling reminder of the devastating effects that poor email hygiene can have on businesses of all sizes.

So, what is the solution for companies like FatFace, or for people who are desperate to avoid being victims of this level of cybercrime? In the end, bolstering email security requires finding a balance between defensive technology and adequate employee training.

Even if a firm has the most secure defensive system in place, it will still be vulnerable unless it has a company-wide security-first attitude and a thorough awareness of threats and vulnerabilities.

Fostering a culture of training and education

When it comes to evaluating cyber defenses, culture is a significant issue, with a recent poll finding that 65 percent of firms that did not deploy a zero-trust security approach did so because it did not fit with their company culture.

However, in defending a company's IT infrastructure, a security-first attitude is becoming increasingly vital, and organizations must examine if their culture prioritizes security or cultivates vulnerabilities. If they aren't completely revamping their security posture with a framework like zero trusts, businesses should at the very least be regularly training and counseling their employees on how to identify and react to a malicious email.

Outsourcing white hat hacking and phishing campaigns that mimic real-world assaults should be included in adequate cybersecurity training and awareness to teach employees what they are doing wrong and how to distinguish between a dangerous and a safe email in the future. Importantly, when workers spot and report questionable conduct or communications, they should be rewarded in order to encourage continued vigilance.