Forget The Network; E-Mail At Ground Zero For Company Hacks

When it comes to protecting a company’s network from hackers, throwing up a firewall is no longer enough. The bad guys are finding new ways in and increasingly it's via the employees of the company. As a result, enterprises of all sizes have to approach cybersecurity from a people-centric perspective as technology vulnerabilities become rarer.

Become a Subscriber

Please purchase a subscription to continue reading this article.

Subscribe Now

“People-centric security begins with the understanding that people must be at the center of your cybersecurity strategy as they are at the center of the crosshairs for attackers,” Mark Guntrip, director of product marketing at Proofpoint told The SaaS Report. “Cybercriminals are increasingly targeting people with socially engineered attacks. And these people are often not the employees you would expect.”

Guntrip said companies have to look beyond the C-Suite and protect more seemingly unlikely targets such as the CEO’s assistant or a programmer who handles the security code for a car manufacturer or even the member of the financial team tasked with wiring payments to vendors. “These are not necessarily people who are known or actively tracked by the security team which is why an attacker can often be successful without the alarm bell ringing,” he said.  According to Guntrip the primary way the bad guys are reaching their victims is through email. That’s even with more than 60% of IT budget going to protect the network with only a small portion of it allocated for email security.

According to the Federal Bureau Of Investigations, Business E-mail Compromise (BEC) and E-mail Account Compromise (EAC) scams have become big business for the hackers. The FBI found 78,617 incidents occurred from October of 2013 through May 2018 costing companies a combined $12.5 billion. Between December of 2016 and May of 2018, there was a 136% increase in the global losses with the scams being reported in all 50 states and in 150 countries. The FBI said scammers carry out the scam by compromises legitimate business e-mail accounts relying on social engineering.

“It is critical that organizations rethink their approach to security and dedicate a larger percentage of their finite security budget on their biggest challenge and most vulnerable communication channel, email,” said Guntrip. “While the network, web security, and endpoints are all important, studies have shown that email continues to be the vector of choice for attackers.”

Companies may have social media platforms like Facebook to thank for the increased targeting via email. After all, hackers will use phishing schemes to get victims to click on links or open email attachments that appear to be the real deal. Long gone are the days when consumers can easily identify a fake email. Social engineering has made it much more difficult to ascertain the legitimacy of an email with the bad guys gleaning a lot of that information from social media. "Attackers are adept at using LinkedIn and Google to conduct reconnaissance on potential individuals that have access to the information they want and are laser-focused on targeting them directly through email,” said Guntrip. “And they are continuing to use email because it’s cheap, easy to use, and above all, effective.”

Guntrip said that the email phishing has gotten even more sophisticated in that senior members of staff will be spoofed to trick an employee lower in the organization. The hackers will ask the employee to conduct tasks such as pay a creditor or provide sensitive business information but will change the destination of the payment or where the information is being sent. Beyond the financial implications of this type of attack, it could also cost employees their jobs and a company its reputation.

The good news: Guntrip said it can be countered, granted companies are willing to focus more resources and money on email defenses and inbound threat blocking. It also requires companies to train employees and build awareness about the risks. “Businesses must assume that someone within their organization will always click, and craft a security strategy that caters to that,” he said. “Phishing is the ever-present attack tactic that is used as the means to exploit the implicit trust of the victim.”