Some things never change, even — and perhaps especially — when it comes to cybersecurity.
Despite the fact that cyberattacks are becoming increasingly sophisticated (with some bad actors even leveraging artificial intelligence to launch campaigns), the most common vector remains the same: email.
Perhaps it should come as no surprise, considering how frequently it is used. According to Steven Ramirez, CISO at Renown Health, his organization receives around 3 million emails per day and sends out about 7.8 million. “It’s very important for communications,” he said during a recent discussion.
It’s also an enormous target, said Edwin Moreno (Field CTO with Mimecast), who also served as a panelist, along with Julian Mihai, CISO at Penn Medicine. According to Mimecast’s State of Email Security 2023 report, 90 percent of cybersecurity threats originate from email.
And that’s just one statistic.
In the survey, 97 percent of CISOs and other cybersecurity professionals said they had been the target of a phishing attack. The numbers seem to add up, as there were an estimated 255 million phishing attempts in 2022, marking a 61 percent increase from the previous year.
For leaders, the message is simple. “Eventually, someone’s computer will get infected,” said Mihai, which means organizations must able to react quickly and detect threats effectively. Doing so, according to the panelists, requires a dynamic strategy that leverages targeted, real-time training and carefully balances security with usability.
“No one is going to solve this overnight. It’s ever-changing,” said Ramirez. At the core must be a strong focus on “doing the basics — and doing them well.”
One of those “basics” is using tools like Mimecast Email Security, which can help reduce the number of malicious attachments and links so the organization can remain one step ahead of threats. As part of his team’s “defense in depth” strategy, Ramirez has instituted a rating system to indicate the level of threat (using on a scale of 1 to 5, with 5 being the highest risk).
The sweet spot
This is where it can get dicey. Whereas security teams might be more inclined to give high ratings, implementing too many controls can be very disruptive from a business and clinical perspective. The “sweet spot,” according to Ramirez, is at level 3, which allows for more flow, while also blocking a large percentage of messages and sending them into a quarantine folder.
Once they’re quarantined, users are able to release items that don’t appear to be suspicious, he noted. “We try to do a little bit more self-service, so that we’re not just blocking things and sending them into a deep, dark hole.”
Instead, they’re letting them back into the environment, which is enough to keep any security professional up at night. To that end, Ramirez’s team has set up secondary systems to provide another layer of protection. “The multitude of things you have to do with a single email to ensure you’re protecting your organization is vast,” he said. “It’s a continual game of whack-a-mole.”
And as tempting as it can be to adopt a zero trust-like philosophy, overly stringent spam filters can be a “big dissatisfier for folks,” said Mihai. Particularly at academic systems like Penn Medicine, where a missed notice about a grant application could have devasting effects. “Being overly tight with filters is not going to yield a lot of benefit at the edge,” he noted.
Neither is relying on banners that announce messages as external, noted Moreno. In fact, he believes constant warnings can take on a ‘boy who cried wolf’ quality. A better approach would be to deploy dynamic banners that are only included if certain criteria are met. That way, end users may not “turn a blind eye” when a notice comes up.
Ramirez agreed, adding that the last thing leaders want is for users to become numb to warnings and develop an ‘alert fatigue’-type reaction. It’s one of many topics covered as part of the ongoing training and education that needs to happen across organizations, according to the panelists.
Below are some of the best practices they recommended:
- Be succinct. At Penn Medicine, which provides monthly phishing simulations as well as more specialized training, Mihai has learned through feedback that users don’t need lengthy rundowns of current threats and suggested actions. They want to know, in a few sentences, what’s happening and what they need to do, he said. “It should be short and to the point.”
- Target training. The most optimal time to provide training? Right after someone has clicked a bad link — especially if it’s not the first time, said Mihai. “We keep an eye on cases where it can become egregious.” In these cases, users are directed to undergo a brief training session to educate them on how to avoid similar incidents in the future. Moreno endorsed the approach, adding that it’s important to strike while the iron is hot, rather than waiting until the next phishing simulation. “There are recommendations we can offer right away,” he said.
- Use data. Through their analysis of a phishing campaign, Ramirez’s team found that 78 percent of incidents happened while mobile phones were being used. “People are running from meeting to meeting checking their phones, and they click on links that they normally wouldn’t while on their desktops,” he said. And it isn’t just smartphones. “We have to look at other devices like Apple Watches and how people train their brains to look for certain things.”
- Get personal. Of course, leaders need to find a way to make email security resonate with users. One of the best ways to do that, according to Moreno, is by framing it as a personal issue. “It’s not a corporate problem; this can happen in your day-to-day life,” he said. “Make it less about the company and more around how it benefits them and their families — that tends to stick more.”
- Go with the flow. It’s also critical to remember that giving people too much, too soon can disrupt workflow, which is never a good idea. Rather, stick to things like short videos and chats that provide basic but helpful information in manageable chunks.
And while email might be the desired medium for folks in IT and cybersecurity, nurses may prefer to hear about it during the daily huddle. “You have to find the right channel to say, ‘this is what we’re seeing, and this is what we’d like you do to,” said Mihai. It takes just a few minutes, but it can have a significant impact.
“When people know what to look for, they’re quicker to report it,” he added. “And that gives us such a huge leg up on this.”
What’s just as critical as providing the right training, however, is communicating a simple yet powerful message, especially to those in non-technical roles. “No system is perfect,” said Mihai. “There are inherent weaknesses in the whole email ecosystem. And so, there’s no way to make the right decision every time,” even when artificial intelligence is involved. At the same time, leaders must constantly explain the potential consequences of one small failure. That, in combination with appropriate training, “is the optimal way to deal with this challenge,” he said.
Ramirez agreed, urging colleagues to apply the same agile approach as with any key objectives. “Put a plan together, but make sure it’s flexible.”
To view the archive of this webinar — Strategies for Enhancing Email Security While Ensuring Deliverability — please click here.