Email is ubiquitous, and that leads some to assume that it’s safe. Nothing could be further from the truth. While your average end-user might be savvy enough to avoid unsophisticated scams, it remains, by default, a completely insecure communication channel.
Among cybercriminals, email remains something of a favourite attack vector. Phishing and spear-phishing attacks target users, with varying degrees of specificity.
Maybe the criminal receives an ‘out of office’ message from a finance director and knows they’re on holiday, giving them the perfect excuse to target a busy treasury department with money transfer requests. Maybe they collect information from social media profiles, which they then use to impersonate decision makers.
Email can be dangerous in numerous ways, and the problems it causes cannot be prevented solely by conditioning users to be cautious. The belief that education is the key to preventing cyber-attacks has a certain logic to it. Supposedly, by training employees, you eliminate any unintentional insider threat. But this unfortunately puts the onus for IT security on people who aren’t meant to be accountable for it.
User training is user blaming – nonetheless, businesses, government departments and other organisations continue to place the burden of responsibility for security on people who are utterly unqualified to bear it.
Email attacks are a problem that even well-seasoned IT security experts struggle to keep pace with. Domain impersonation and reply redirection are techniques that require a user to identify very small differences in a message or message chain. Something as sophisticated as the malicious application of Punycode – a special form of encoding – is extremely difficult to visibly detect.
To put it bluntly and without malice: end-users don’t stand a chance. They can’t be ‘careful’ when a phishing or malware attack is near-indistinguishable from a typical email message. They can’t be trained to keep up with the latest attack vectors. One small mistake – and experts and end-users alike are capable of them – can allow a criminal to overtake an entire system.
End user involvement
Security departments should minimise end user involvement from the equation. Solutions should be put in place to detect and quarantine threats long before they ever reach a user or email server. Advances in artificial intelligence and machine learning mean key attack techniques can be quickly identified and neutralised and malicious email simply shouldn’t be able to enter an organisation.
The best thing an end-user can learn is a degree of cynicism – this at least will help them better trust their emails. But they shouldn’t be relied upon in any way to protect a company’s electronic assets – they are not the first or last line of defence. If they’re being used as such then they will ultimately compromise the organisation they work for. Simply put, they’re there to use the system, not protect it. IT departments should ensure that they can do so – without having to worry about security threats.
Sourced from Nick Yarham, customer engagement manager, Corvid