Email first arrived in the workplace in the 1980s and in the decades since it has become established as the dominant form of communication. Email has displaced the telephone as the default tool for collaboration and has so far seen off a number of challengers.
While a new breed of communications tools like Slack and Microsoft Teams look likely to supplant email in the near future, email is going nowhere for the time being.
It is estimated that 294 billion emails are sent every single day by 3.9 billion users. Although the rate of growth is declining, the volume of messages is set to increase to 320 billion by 2021.1
The sheer volume of emails sent and received each day is an obvious reason for its popularity as an attack vector, but the fact is that email-based attacks are extremely simple to stage and highly effective.
Is email the biggest threat?
According to a recent report, 94% of organisations believe email is their biggest security vulnerability, with three quarters witnessing an increase in email-related attacks over the past two years. Nearly nine in ten think the number of attacks will increase over the next 12 months.2
Although organisations have cybersecurity policies and prevention measures in place, email as a technology has not developed significantly since its inception, meaning native protection is fairly non-existent. Throw in the fact that humans are also seen as the biggest security weakness within an organisation, and it’s a dangerous combination.
Organisations can be exposed to a range of email-based attacks if staff aren’t trained sufficiently, or choose to ignore cybersecurity policies. It is thought that more than 90% of hacking attacks begin with some sort of email phishing or spear-phishing attack.3
Viruses and ransomware are an obvious threat. Innocent-looking documents or PDF files might contain damaging malware that can spread across a network and paralyse systems, or steal sensitive corporate and customer data.
Spoofing and phishing attacks see attackers pretend to be a person or an organisation known to the victim in order to extract information such as login details or money. Some attacks include a link that might seem legitimate but is in fact malicious. This issue is exacerbated by domain squatters.
Then there is the issue of security weaknesses caused by misconfigurations and client-side attacks that see attackers take over a system using a malicious link opened in email software.
Such attacks can wreak havoc across an organisation, damaging productivity and customer confidence, while ransomware can cause data loss and have serious financial consequences.
The human element
Employees are not only vulnerable to rogue attachments and social engineering, they are also susceptible to mistakes. After all, confidential information could be sent to the wrong recipient just by making a typo. And that’s before you consider that an email breach might be deliberate.
According to one study, half of businesses believe they are at risk from within4. Meanwhile, figures from the UK’s data watchdog, the Information Commissioner’s Office (ICO), would appear to confirm the risk of data breaches caused by human error is at least as great as that from cyberattacks.
Over a 12-month period, 2,124 reports cited human error compared to 292 that blamed a deliberate cyberattack5.
Steps to take
Technology of course plays a huge part in prevention. Antivirus software, firewalls, monitoring and auditing tools and device management platforms help stop and mitigate any threats or breaches that might happen through email.
Mobile Device Management (MDM) platforms often include Data Loss Prevention (DLP) features that stop employees from sharing confidential or sensitive information with unauthorised recipients or devices.
Should the worst-case scenario happen, and malware wreak havoc across your organisation, then Disaster Recovery (DR) and backup can ensure you can at least restore your data.
Organisations can also offer staff training, improve awareness of threats among the workforce, and encourage employees to take responsibility for their actions and to follow policies.
But perhaps the most revolutionary course of action to take is to look beyond email as a form of communication.
Services like Microsoft Teams offer an upgrade over email by bringing together people, files and applications into a single hub. They combine multiple forms of communication – including instant messaging, video and voice – and allow workgroups to collaborate more effectively than is possible via a lengthy email chain.
If email is the weakest part of your organisation, then it’s important to have a cybersecurity strategy that mitigates and prevents threats. The impact on productivity, reputation, and revenue is real – especially when you consider the fines that might be imposed by regulators in the era of GDPR.
Having the right combination of technology and culture can protect you and your customers.
1 Radicati: http://www.radicati.com/wp/wp-content/uploads/2017/01/Email-Statistics-Report-2017-2021-Executive-Summary.pdf
2 Barracuda Networks (2019)
3 Mimecast (2019)
4 Kaspersky: https://www.kaspersky.com/blog/the-human-factor-in-it-security/
5 Kroll (2018)