Human beings have long been the weakest link in an organization’s security chain, largely because they so often fall victim to phishing campaigns, and a new report from Mimecast, State of Email Security 2018, found that attackers continue to target end users with email-based attacks.
According to the report, the C-suite is putting businesses in danger. Nearly 40% of the respondents agreed that their organization’s CEO is a “weak link” in their cybersecurity operation. Close to a third, 31%, of C-level employees are reportedly very likely to have accidentally sent sensitive data to the wrong person in the last year, compared to just 22% of general employees.
That sensitive information is sent via email, but accidentally sharing information with the wrong party is not the only security risk. Email is the ultimate gateway for ransomware. Almost all ransomware attacks, 92%, were delivered by email last year, resulting in an average downtime of longer than three days.
Phishing continues to be a problem as attackers grow more sophisticated. The vast majority, 90%, of organizations reported an increase in the volume of phishing attacks, combined with and complicated by an increase in impersonation attempts. These campaigns reportedly no longer focus on particular individuals, making everyone – from the C-suite to the finance department and HR staff members to trusted third-party vendors – a target.
“Email-based attacks are constantly evolving and this research demonstrates the need for organizations to adopt a cyber-resilience strategy that goes beyond a defense-only approach,” said Peter Bauer, Mimecast’s CEO.
“This is more than just an ‘IT problem.’ It requires an organization-wide effort that brings together many stakeholders, puts the right security solutions in place and empowers employees – from the C-suite to the reception desk – to be the last line of defense.”
In light of the continued email-based attacks, the report noted that the lack of training is hurting businesses. Surprisingly, only 11% of organizations continuously train employees on how to spot cyber-attacks, and more than half (52%) perform training just once a year.
“Security awareness is an important part of any high-functioning security program. But like all security controls, there is no silver bullet solution. The best security programs seek a balance between technical controls, boosting their human firewalls, and having IT-enabled business processes that are resilient to failures, whether man-made or caused by technology,” said Matthew Gardiner, cyber-resilience expert at Mimecast.