Dan is a 20 year veteran of the ICT industry working for global and local vendors in bringing new and innovative technologies to market in the ANZ region. During his career, Dan has been passionate about bringing a local voice and insights to global technology challenges. As the Editor of GetCyberResilient.com Dan casts a keen eye across the hot topics, trends and pulse of local security practitioners to curate stories from near and far that are most impactful in addressing our evolving risks.
The pandemic has been a growth multiplier for every cybersecurity metric throughout 2021, beginning with& incoming cyberattacks.
In the last year, already strained cybersecurity teams - or in some cases, designated members of the IT team - scrambled to secure new attack surfaces across remote work environments as they hastily spun up untested systems to enable new modes of working.
Over the course of the pandemic, security guidelines were left by the wayside to accommodate stretched-thin resources across almost every industry, presenting a smorgasbord of opportunity to cybercriminals--who already had the advantage of being comfortable with working from home.
“During 2020, the Mimecast Threat Center detected a 64% rise in threat volume compared to 2019.”
Email is still the most common attack surface for organisations, being the primary way of interacting with staff, customers, clients and partners.
According to an OAIC report, human error still dominates the latest data breach statistics. Social engineering has become increasingly effective for cybercriminals because while computers obey complex rules every time without skipping a beat, humans have emotions that can be preyed on, especially when they’re stressed or anxious. Practiced threat actors are masters of manipulation and will attempt to exploit people however they can.
What is a Business Email Compromise (BEC) attack?
Business email compromise (BEC) is a type of email attack where an attacker impersonates or compromises an email account to trick a target into sharing sensitive information or taking some unauthorised action.
Email attacks generally use spoofed copy and graphics that imitate common business processes—eg bill payments, password updates, delivery confirmations—with the aim to make just one of your targeted employees:
- click a link or file that will deploy malware to your company infrastructure
- provide information that will help attack your network, or be used in subsequent social engineering attempts
Once the ransomware is deployed on a system, all data is encrypted and held to ransom—per the name—until the victim pays a specified amount in cryptocurrency.
The scourge of ransomware is on the rise. We see it in the news more than ever because threats of data leaks are happening more often, with bigger bounties being paid out and incentivising more audacious attacks. The worst thing is that the stolen data can still be sold to the highest bidder or rendered irretrievable to its owners - even after the ransom is paid! Paying a ransom is no guarantee that you’ll get your data back.
Key findings over the past 12 months
Mimecast’s State of Email Security report reveals that over the course of last year:
- Overall, email attacks increased by 64%
- 79% of companies were hurt by their lack of cyber preparedness
- 70% of respondents surveyed said they expected their business to be harmed by an email-borne attack
- Since the beginning of the pandemic, the rate of employees clicking on malicious links increased 300%
How email attacks have evolved in 2021
A prime target for cybercriminals this year has been employees new to work from home arrangements, where attention is often diverted by household distractions, with new processes and systems adding to their mental load during busy or stressful times.
Both the volume and sophistication of attacks have increased rapidly, compounding the background issues around resourcing and movement restrictions. Threat actors were quick to take advantage of this confusion with a flood of new email attacks.
“Since the onset of the pandemic, the Mimecast Threat Center found that employees worldwide are clicking on malicious URLs embedded in emails three times as often as they had before.”
When a business’s dependence on email increases, forgery of corporate email addresses and branding becomes harder to detect, which increases the risk of a bad actor catching out a distracted employee just that one time. And one chance is all the attackers need.
Staff rely on email for frictionless, fast communication across almost every organisation, so how can businesses keep themselves secure from email attacks? While your staff can’t be across every specific threat, they can be broadly more aware of the potential avenues for email attack by becoming more familiar with what an attack might look like, and what to do when they encounter an unusual email.
What are organisations doing to mitigate email risk?
Even the most detail-oriented micromanagers can’t control what 100% of their employees are doing 100% of the time—hard as they may try. Having cyber-aware, alert and well-informed employees is one of the best countermeasures against email-borne attacks. That’s why employee cyber awareness needs to be integrated into an organisation’s culture, with regular training and testing around recognising phishing, social engineering, and common or trending email scams.
“43% of participants globally said that employee naiveté about cybersecurity is one of their greatest vulnerabilities.” - Mimecast State of Email Security Report, 2021
By raising awareness around email attacks, with a drumbeat cadence that keeps this important business need front of mind, your employees will be able to identify anything nefarious far more easily, giving incoming emails that extra bit of attention and scrutiny, and flagging anything they find suspicious to your IT or cybersecurity team.
It’s also important to have a reporting process in place for suspicious emails, phishing or social engineering attempts, and to regularly test employee readiness with penetration testing such as harmless phishing emails, giving constructive feedback about responses where needed.
It’s important to remember that though email is a major attack vector, it’s not the only one. The digital workspace is expanding, as workplaces increasingly turn to additional collaboration tools for their day-to-day work. Are you taking steps to secure them?
Keeping the human component of your business “alert but not alarmed” with a general awareness of what to look for and how to respond, is the greatest weapon in your arsenal against these attack vectors.
For a better sense of where your organisation’s email security posture sits on the cyber resilience spectrum, take a deep dive into the State of Email Security by downloading the full report.