IT security is arguably the biggest challenge facing every IT director and CTO. No-one wants to be the next company making the headlines for all the wrong reasons, with the resulting loss of business and corporate reputation, or to face the choice between paying a ransom to hackers and losing vital corporate data. As a result, companies spend large slices of their IT budget on security hardware and software, backed up by disaster recovery solutions in case the worst should happen despite their best efforts.
However, I believe the majority of organisations are guilty of neglecting a key area which can have a massive impact on security – educating their employees about how to avoid basic email security mistakes. In a survey we carried out last year with Mimecast among a mix of large organisations and SMEs, only ten per cent of respondents said that educating their employees about email security risks was a priority, yet emails are the source of many security problems, from accidental outbound confidential data leaks to inbound spam, email viruses and targeted spear-phishing attacks.
What makes this even harder to understand is that many of those organisations have recognised the potential threat of employee behaviour. In our survey, more than a quarter (28%) of respondents said that human error, such as sending confidential data, was the biggest threat to corporate email security – the same level of risk as spam and email viruses, and a significantly higher risk than spear phishing or gateway attacks.
One in five were also worried about the increased use of portable devices such as smartphones and tablets on the corporate network, and many identified the use of external hardware such as USB sticks as a concern. These are also areas where employee education can help to prevent security breaches.
There seems to be a case of ‘doublethink’ here. Organisations recognise that employees create the biggest security risk, but they are not planning to teach them how to modify their behaviour. Most employees do not behave recklessly on purpose – and they are even less likely to do so if they understand that certain actions could put the company they work for, and hence their job, at risk. However, they cannot change their behaviour if they do not know where they are going wrong.
The solution is not rocket science. There are systems we can put in place which integrate seamlessly with existing email packages and minimise the impact of attacks, but the most important action is to teach employees how small changes to their behaviour can make their organisation a safer place to work.
Every organisation needs to implement effective policies and processes to minimise the risk of malicious attack, and then educate all employees about what they need to do. Policies need to be straightforward, easy to understand and suitable for the busy office or factory. If they are too complex, many employees will simply find their own solution, potentially opening up the organisation to those with malicious intent. They also need to be followed by every single employee – no-one is too junior or senior to be at risk. The company MD may in principle appear to be more security-conscious, but he or she will have access to more confidential information, so potentially poses a greater risk.
Email systems are the lifeblood of many businesses. Having effective email security in place is a critical defence against both accidental data leaks and hackers seeking to capture valuable corporate information and disrupt business operations. It is impossible to prevent attempts to attack our networks, but by making our employees a key part of our security team we can all make our security significantly tighter.
By Mike Dearlove, managing director, EACS