Misplaced responsibility: why email security requires technology, not training

We think of email as safe in part because nobody likes to imagine that something so integral to their personal and professional lives – indeed, something that it would be hard to imagine modern life without – could pose a security risk. 

But for all its longevity and ubiquity, it’s important that we see email for what it is: an inherently vulnerable and often unstable form of communication, something that has a long – and lengthening – history of breaches and attacks. 

In fact, when beta testing Pernix, our new cloud-based email defence system, we recently found that a customer with around 1,000 email accounts was, over a three-month period, subjected to 139,136 impersonation attempts (including phishing and spear phishing attempts), 80,148 samples of malware, and 1.4 million spam emails. 46 impersonation attempts per user, per month is clearly a huge concern.

These attacks are too much for end-users to deal with – which is why we must resist burdening them with the task. One of the more persistent IT industry clichés is that human error is the root cause of every system violation and issue. The supposed ‘threat within’ is the manager, the customer service representative, or the executive who falls for a phishing scam. Only by reforming their attitudes and their practices can they stay safe.

This is misguided. We don’t blame victims when they are assaulted or robbed, and we shouldn’t blame them when their emails are compromised. Email’s insecurity is innate: it was not designed to be impenetrable. End-users are always at risk.

But why are they so vulnerable – and if they can’t avert cyber-crime, what can?  

A beast with many heads

Part of the problem is that we tend to assume there are tidy, one-size-fits-all countermeasures for attacks that come in many forms and exploit many different weaknesses. Phishing and malware attacks come in a variety of flavours and can be combined for maximum destructive potency. 

Tasking end-users to combat this in a generic sense is pointless, and getting them to combat it on a granular level requires a level of time and ongoing investment that is unsustainable for most businesses. There are too many attack techniques to mention, and certainly more than the average end-user can handle. A trained end-user might be able to cut off one head, but will they be able to cut off the two that sprout in its place? 

Train in vain? 

Business data is far too valuable to be defended by the average end-user. They cannot identify every attack vector: the solution lies in a little awareness training, combined with investment in security expertise.


Imagine the investment required to provide everyone who uses a system with a comprehensive education in cyber security. Even if they acquire the requisite knowledge – a knowledge that is sometimes even missing in seasoned CISOs – what then? Are they to stay abreast of every new cyber security development? Fastidiously monitor possible attack vectors? If so, when will they possibly have the time to do their jobs?

In most cases, user training won’t prevent cyber-attacks. Security departments would be better served by teaching them to expect attacks – a level of cynicism, if you will – and to report them to the business’ specialists if they notice anything suspicious.

A trained end-user might gain a rudimentary understanding of phishing and malware, but they likely won’t be able to notice the tiny, borderline-imperceptible changes to emails that look just like regular corporate communications; they won’t know how to tell a dangerous attachment from a safe one; they won’t be able to tell which login pages are official and which are fake.

What’s more, those are fairly routine. What will they make of something like Punycode, the encoding that lets Unicode characters appear in domain names in place of letters of the Latin alphabet – thereby making domain impersonation much easier? When Cyrillic letters can be substituted for regular English ones near imperceptibly, all bets may be off. End-users cannot be expected to forensically examine every message they receive, and regardless of how much they’re trained, they won’t.

Behind the first line of defence 

End-users are often treated as the first line of defence. In truth, they should be behind the line of defence. Employees should not be treating email as a ticking time bomb, but an asset: that they are not cyber security experts is not their fault and no cause for shame. Technology should be an enabler, not an obstacle. 

Intelligent quarantine tools provide a technological means of addressing this threat by preventing insecure emails from ever reaching an inbox. By performing routine content checks, they are far more equipped to manage, isolate, and mitigate phishing and malware attacks than end-users. Machine learning enables this technology to learn and improve in efficiency as it receives new data about attacks. 
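As an added illustration of the Punycode problem raised above and of the kind of routine content check a quarantine tool runs before a message reaches an inbox, here is a small Python checker. It is example code written for this page, not Corvid's or Pernix's; it assumes a constructed trusted-domain list and a small illustrative subset of Cyrillic look-alike letters, and the sample From: headers are constructed. It decodes any xn-- labels back to what the user would see, then flags labels that mix scripts, labels containing look-alikes, and decoded names that imitate a trusted domain.

```python
import unicodedata
from email.utils import parseaddr

# Constructed for this example: domains the organisation considers its own
# (assumption; a real filter would load these from configuration).
TRUSTED_DOMAINS = {"example.com", "mail.example.com"}

# Constructed subset of Cyrillic letters that render like Latin ones
# (assumption: illustrative only, not the full Unicode confusables table).
CYRILLIC_LOOKALIKES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0443": "y",  # Cyrillic small u
    "\u0445": "x",  # Cyrillic small ha
}


def sender_domain(from_header: str) -> str:
    """Return the domain part of a From: header value such as 'Name <user@host>'."""
    _, address = parseaddr(from_header)
    return address.rpartition("@")[2]


def to_unicode(domain: str) -> str:
    """Decode any Punycode (xn--) labels so the domain reads as the user sees it."""
    cleaned = domain.strip().rstrip(".").lower()
    return cleaned.encode("idna").decode("idna")


def scripts_in(label: str) -> set:
    """Collect the Unicode scripts (LATIN, CYRILLIC, ...) used by the letters of one label."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            # The first word of the character name is its script,
            # e.g. "CYRILLIC SMALL LETTER A".
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def skeleton(text: str) -> str:
    """Replace known look-alikes with the Latin letter they imitate."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in text)


def analyse_sender_domain(domain: str) -> dict:
    """Check a sender domain for Punycode homograph tricks and return a quarantine verdict."""
    findings = []
    try:
        decoded = to_unicode(domain)
    except UnicodeError:
        # A label that claims to be Punycode but does not decode is itself suspicious.
        decoded = domain.lower()
        findings.append("domain contains an xn-- label that does not decode")
    for label in decoded.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(f"label '{label}' mixes scripts {sorted(scripts)}")
        if any(ch in CYRILLIC_LOOKALIKES for ch in label):
            findings.append(f"label '{label}' contains Cyrillic look-alikes for '{skeleton(label)}'")
    plain = skeleton(decoded)
    if plain in TRUSTED_DOMAINS and plain != decoded:
        findings.append(f"decoded name imitates trusted domain '{plain}'")
    return {
        "input": domain,
        "decoded": decoded,
        "uses_punycode": "xn--" in domain.lower(),
        "findings": findings,
        "quarantine": bool(findings),
    }


# Constructed sample senders, written in the ASCII form they would have on the wire.
SAMPLE_FROM_HEADERS = [
    "IT Support <helpdesk@example.com>",  # genuine
    "Munich Office <info@" + "m\u00fcnchen.example".encode("idna").decode("ascii") + ">",  # legitimate IDN, one script
    "IT Support <helpdesk@" + "exampl\u0435.com".encode("idna").decode("ascii") + ">",  # Latin e swapped for U+0435
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        report = analyse_sender_domain(sender_domain(header))
        verdict = "QUARANTINE" if report["quarantine"] else "deliver"
        print(f"{verdict:10} {report['input']} -> {report['decoded']}")
        for finding in report["findings"]:
            print("           ", finding)
```

The legitimate internationalised domain is delivered because every letter in it belongs to one script, while the look-alike domain is held on three independent grounds; a production filter would widen the look-alike table to the full confusables data and compare skeletons against the organisation's own domains and the brands it deals with.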

Email security is too complicated, too important, and too vulnerable to be left to anyone but trained experts. The idea that end-users can be these experts is a fantasy. Unless they work in an IT or cyber security department, their duty is not to seek out and eliminate attack vectors. Asking them to do so is distracting them from their core responsibilities. 

It’s sometimes said that a human being is, in fact, more intelligent than any computer could ever hope to be. But whether this is true or not, it’s worth remembering that this does not necessarily make them more reliable. Training an employee to take on a cyber-criminal is like training an accountant to take on a prize-fighter: their disciplines and skillsets are entirely different, and entirely mismatched.  

Real expertise, when used correctly and bolstered by technology, can be a bulwark in the fight against phishing, malware, and all other threats to email security. Accept no substitutes. 

Nick Yarham, Client Engagement Manager, Corvid