In our previous blog we covered Top Social Engineering Techniques Trending on Email. We continue to see that email remains the number one attack vector for businesses. According to a study by 451 Research, email security is the biggest problem we’re not paying attention to. In the survey, they found that 46% of respondents still feel email poses the greatest data threat, despite the fact that 87% of organizations have email security solutions in place¹. User behavior (28%) and phishing (24%) were listed as the top two pain points for security teams; however, according to the data, phishing prevention is not among the top strategic objectives for CISOs².
Cybercrime continues to rise, and cybercriminals are adapting their attack methods. According to Accenture’s Ninth Annual Cost of Cybercrime Study, attackers now see the human layer as the weakest link in a company’s defenses, and are focused on using this as a path to attacks through increased phishing and the exploitation of insiders³. However, the majority of attacks happen without employees even being aware they’ve done anything wrong. As an example, according to executives surveyed in the study, employees accidentally publicizing confidential information is a huge risk for companies⁴.
However, despite best efforts to increase email defenses, the biggest challenge in the fight against cyberthreats and insider attacks could be employees on their mobile devices.
Verizon’s 2019 Data Breach Investigations Report indicates users are significantly more susceptible to social attacks they receive on mobile devices. With many companies allowing employees to use their own devices for work-related purposes, this is something that’s hard to control. While some companies have strict bring your own device (BYOD) policies, many don’t have anything in place to mitigate security risks via employees’ devices.
Why most mobile devices are left unprotected
One of the key problems is perception. Most users believe their mobile devices are relatively secure, so they don’t take extra time to ensure the content they receive via mobile devices is safe. They also don’t put additional security in place to help filter out threats.
On top of this, restrictions within the mobile device design mean users are more likely to click on malicious links in emails viewed on mobile devices than on laptops. Cybercriminals can easily con users into thinking a website is legitimate by using tricks like URL padding and by taking advantage of the small screen size, which limits how much of the URL a user can see. These techniques are especially successful in the case of email-based spear phishing and spoofing attacks that attempt to mimic legitimate webpages. Furthermore, the majority of smartphones make it difficult for users to review the accuracy of emails due to the limitations in viewing multiple pages side-by-side and navigating between pages and apps. For example, users don’t always have full visibility into email headers and email sources at first glance.
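For teams that filter links before they reach a phone, the URL padding problem described above can be checked mechanically. The sketch below is an added example, not part of the original post or of any SolarWinds product: the 30-character visible width, the hyphen-run threshold, the "last two labels" domain rule, and all sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

VISIBLE_CHARS = 30               # assumed width of a narrow mobile address bar
PAD_RUN = re.compile(r"-{4,}")   # assumed threshold: 4+ hyphens in a row is filler

def registrable_domain(host):
    # Simplification (assumption): treat the last two labels as the real domain.
    # Production code should consult the Public Suffix List instead.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def padding_findings(url, trusted_domains, visible_chars=VISIBLE_CHARS):
    """Return a list of reasons a link would mislead a user on a small screen."""
    host = urlsplit(url).hostname or ""
    if not host:
        return ["no-host"]
    findings = []
    real = registrable_domain(host)
    real_start = len(host) - len(real)
    # The domain that actually serves the page is cut off by the address bar.
    if real_start + len(real) > visible_chars:
        findings.append("real-domain-truncated")
    # Long hyphen runs push the real domain off the visible area.
    if PAD_RUN.search(host):
        findings.append("hyphen-padding")
    # A trusted name appears only in the subdomain part, not as the real domain.
    prefix = host[:real_start]
    for trusted in trusted_domains:
        if real != trusted and trusted in prefix:
            findings.append("trusted-name-in-subdomain:" + trusted)
    return findings

# Constructed sample links (reserved example/test names, not real sites).
PADDED = "https://login.example.com" + "-" * 32 + "secure.unrelated-host.test/signin"
CLEAN = "https://login.example.com/signin"

if __name__ == "__main__":
    for link in (PADDED, CLEAN):
        print(link[:60], "->", padding_findings(link, ["example.com"]))
```

A mail gateway or link-rewriting service could run a check like this on every URL in a message and quarantine or annotate links that return any finding.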
According to Verizon’s research, the biggest driver making users more susceptible to threats via mobile devices is, in fact, the way in which they interact and use their devices. While the ease and speed with which users can accept, reply to, and send email is highly efficient and user friendly, it also opens the door for threats to creep in. For example, we all use our devices while doing other activities like walking, talking, and consuming other media. We are not always paying careful attention to incoming information, which means we don’t always take the time to review requests thoroughly and can be too quick to respond.
But what can we do? The use of mobile devices—especially for work purposes—will only continue to rise.
One of the key solutions is user education. Organizations need to take this into consideration when planning their general cyberhygiene programs.
Providing ongoing education to employees so they know what to look for—including what a phishing email looks like and the damage cyberattacks can cause—is a key element to include as part of security programs. New work arrangements—such as remote work and BYOD—create urgency around training employees to think and act with security in mind.
Cyberhygiene should be embedded into an organization’s operations across all departments.
How can SolarWinds® Mail Assure help?
SolarWinds Mail Assure’s cloud-based email security helps your customers stay in control and protect their inbound and outbound email from email-borne threats. What’s more, you can get the Microsoft® Office 365® add-in for greater control and visibility into email flows from the Microsoft AppSource at no additional cost; it is also compatible with mobile devices.
Interested in learning more about protecting your customers from email-borne threats? Get in touch with a solutions provider today.
Mia Thompson is the product marketing manager for Mail Assure at SolarWinds MSP.
1 “Email security: the biggest problem you’re not paying attention to,” 451 Research, LLC. https://www.avanan.com/hubfs/Content/Collateral/451-Avanan-Business-Impact-Brief.pdf (Accessed December 2019).
2 “Email security: the biggest problem you’re not paying attention to,” 451 Research, LLC. https://www.avanan.com/hubfs/Content/Collateral/451-Avanan-Business-Impact-Brief.pdf (Accessed December 2019).
3 “The Cost of Cybercrime,” Ponemon Institute, LLC. https://www.accenture.com/_acnmedia/PDF-96/Accenture-2019-Cost-of-Cybercrime-Study-Final.pdf#zoom=50 (Accessed December 2019).
4 “The Cost of Cybercrime,” Ponemon Institute. https://www.accenture.com/_acnmedia/PDF-96/Accenture-2019-Cost-of-Cybercrime-Study-Final.pdf#zoom=50 (Accessed December 2019).