Email: Still the number one threat vector
Article by Proofpoint resident CISO for APAC Yvette Lejins.
Many of the common cyber-attacks facing Australia's businesses are nothing new. The modern threat landscape contains several familiar foes, from malware and ransomware to phishing.
However, something that has changed in recent years is the level of preparation and sophistication behind these attacks. Traditionally, cyber-criminals may have obtained a set of breached credentials and spammed every one with a template message, looking to encourage recipients to click on links and drop malicious payloads.
Today, there is much more happening in the background. Cyber-criminals are now far more likely to research their targets, honing messaging to each potential victim. The scourge of business email compromise (BEC) has arisen from this more methodical approach. Here, bad actors will communicate via a spoofed or hijacked account to relieve unwitting victims of credentials, data, and, of course, money.
But whatever the method and level of sophistication, modern cyber-attacks tend to share one common trait – they target the inbox. As recently reported in the FBI's Internet Crime Report, email remains the number one point of entry for cyber-criminals.
And it's an issue Australia's CISOs know all about. The Australian Cyber Security Centre (ACSC) received almost 5,000 reports of BEC in the 12 months up to June this year, with estimated losses totalling over $80 million.
Such is the scale of the issue that the ACSC recently launched its 'Act Now Stay Secure' campaign, designed to raise awareness.
But protecting inboxes takes much more than government initiatives. It requires a multi-layered cyber-defence – combining people, processes, and technology.
Counting the cost of email attacks
The trend toward more sophisticated, targeted email attacks is unlikely to slow any time soon, for one good reason – it works.
The cost of phishing attacks has almost quadrupled in recent years, reaching $14.8 million in 2021, up from $3.8 million in 2015. Organisations worldwide are experiencing severe financial consequences from several other common attacks, too – all of which originate in the inbox.
The cost of resolving a malware infection has more than doubled in the past six years, increasing from $338,098 to $807,506.
Meanwhile, the average cost of a BEC attack now stands at nearly $6 million for a large organisation, with ransomware costing $5.66 million. Just $790,000 of this figure accounts for ransoms paid to cyber-criminals, highlighting the hidden and indirect impact of a cyber-attack.
One of the most overlooked and costly impacts of a successful phishing attack, for example, is loss of productivity. In the US, the average employee loses seven hours per year as a result.
Whether ransomware, phishing, BEC or any other threat, attacks on the inbox work because they are designed to fit in. A successfully crafted email can bypass perimeter defences in one click without raising suspicion, leaving employees as the last line of defence between the organisation and those looking to cause it harm.
That's why successful email protections must go far beyond firewalls and spam filters. Every person in an organisation must know how to detect and deter email threats, and must understand the consequences of failing to do so.
Winning the fight for the inbox
Sophisticated, people-focused attacks on inboxes require a sophisticated, people-focused defence. This starts with the basics: email protections that filter and block malicious messaging before it reaches the inbox, along with simple steps like multi-factor authentication for all users.
Beyond this, every modern organisation should have Domain-based Message Authentication, Reporting and Conformance (DMARC) protections in place. A DMARC solution can help protect domains from unauthorised use and spoofing, and can help authenticate the domains of other senders.
But tools and technologies alone are no match for the targeted social engineering tactics of today's cyber-criminals. That's why any protections must be backed by clearly defined best practices. Security policies should govern everything from basic password hygiene and credential misuse to authorised applications and BYOD.
Finally, since people are at the heart of most cyber-attacks, they should be at the heart of any cyber-defence. This is only possible through comprehensive, tailored, and ongoing security awareness training. Training programmes must encompass much more than multiple-choice tests or jargon definitions. Every team member must fully understand the threats they face, how and where they are likely to encounter them, and what to do when that occurs.
Because when people understand the risk that their behaviour poses to an organisation, that behaviour changes. So much so that security awareness training has been shown to reduce phishing expenses by more than 50% on average.
Just as cyber-criminals are ever honing their methods to increase their chances of success, so must security teams. If not, there is only likely to be one winner.