Intelligent CIO asked Jeff Ogden, general manager, Mimecast Middle East, if it is becoming easier for cybercriminals to access company data. Here is his response:
In a cloud-first and data-rich world, the attack surface has expanded past the traditional IT perimeter and every employee has become the easiest route into an organisation.
Today, many organisations have not updated their traditional security postures but now need to manage identities, mobile devices, govern and manage ‘shadow IT’, and make sure sensitive information is safeguarded now more than ever before. And as cybersecurity threats have grown more sophisticated and ubiquitous, stopping a cyberattack has become more difficult.
Cybersecurity thinking of old was mostly concerned with preventing attacks – stopping viruses, blocking spam and rejecting malware. But with new and more dangerous threats emerging every day – threats like ransomware, impersonation fraud and spear-phishing – trying to stay one step ahead of our antagonists is a constant challenge.
In our most recent Email Security Risk Assessment (ESRA) report we found there was an 80% increase in business email compromise (BEC) attacks, which means that targeted malware, heavily socially engineered impersonation attacks, and phishing threats are still reaching employee inboxes, leaving organisations at risk of a data breach and financial loss.
Most organisations lack both sufficient security controls and end-user education when it comes to identifying and stopping the latest email-borne threats. By concentrating predominantly on perimeter defence and outside threats, organisations struggle with the risk that comes from their own people, emphasising the need for organisations to implement employee awareness and education as well as creating a cyber-resilience strategy that includes both technology- and human-based defences.
Security is everybody’s responsibility and an effective awareness and training programme for staff is therefore vital. One-off or annual training isn’t enough to build a powerful human firewall. Our second annual State of Email Security report revealed that only 11% of organisations continuously train employees on how to spot cyberattacks. You need to educate employees in real time through coachable moments and learning opportunities.
Making cybersecurity a priority should start from the top, yet this isn’t always the case: 20% of organisations said their C-level executive sent sensitive data in response to a phishing attack, and 49% admitted that their management and finance teams aren’t knowledgeable enough to identify and stop an impersonation attempt. It requires an organisation-wide effort that brings together many stakeholders, puts the right security solutions in place and empowers employees.
Businesses need to have a multi-layered cyber-resilience strategy that includes advanced security solutions to protect them from targeted threats in the form of malicious links, attachments and malicious insiders within businesses. It is also imperative to educate employees to recognise phishing emails and impersonation attacks – from the C-suite to the reception desk – to be the last line of defence.