spear phishing emails – those targeted at a specific individual or company – remain a “very successful attack vector”

The expert view: How to mitigate cyber security risk

According to research by Verizon, 91 per cent of all email attacks are aimed at credential theft, Jason Steer, of Menlo Security, told a group of senior security experts from a range of industries at a recent Business Reporter breakfast briefing at London’s Savoy Hotel. He added that spear phishing emails – those targeted at a specific individual or company – remain a “very successful attack vector”.

Those at the briefing agreed that this is an almost unsolvable problem. All said their company offers staff training on the danger of clicking email links. Many send ‘test’ emails to staff and require those who click to undergo extra training.

One attendee, from a major bank, said his company had begun marking emails with “External Sender” if they originate outside the company. He said that this helped to remind them to be cautious. However, he acknowledged that this approach was likely to last only a year or so before staff become inured to it.

However, for one delegate, also from a large bank, putting the burden on employees is unfair. They are busy and lack the expertise to make security decisions. He said his company encourages staff to forward emails to IT if they are unsure.

Regardless of procedures, all attendees seemed resigned to experiencing problems from staff clicking on a link that they shouldn’t. For some, the problem is email itself. Companies exacerbate it by sending staff emails from IT, HR and elsewhere in the organisation that contain links. Instead, said one attendee, they should set an example by cutting out links in emails and referring staff to the intranet instead.

Mr Steer said that “95 per cent of staff, 95 per cent of the time, don’t need access to the original content” that is emailed to them. Automatically making a copy and delivering that to users will work just as well, he added.

There is some possibility, delegates said, that a new generation of customers are moving away from email. Younger customers prefer to communicate using messaging clients, such as WhatsApp, which solves some of the problems with email. Of course, these new platforms could become targets in their own right if they are sufficiently successful.

It can be difficult for security professionals within organisations to get resources. One key obstacle, said one delegate, is that there is often only one person who can make the decision. That person can be a bottleneck or an obstacle to improvements, particularly if they have other responsibilities competing for their time and budget.

That said, most of those at the briefing agreed that GDPR, which comes into force next year, had helped to get a lot of the necessary security measures in place. “Playing the ‘GDPR card’ has a massive impact in terms of getting executive approval for projects,” said one attendee.

For some, email attacks require Government intervention. “We’ve been lobbying for more action from the Government at national firewall level,” said one delegate. He pointed out that, in the offline world, the Government does more to protect businesses from crime. Given the scale of consequences of online crime, he argued, Government could do more.

Another attendee suggested that the Government should legislate to make three-factor authentication mandatory for banking and other important transactions. Not only would this – hopefully – improve security but also it would serve to educate the public about the need for online security in general.

This suggestion was not popular, with some attendees arguing that extra security provisions add intolerable friction for customers. Employees are, to some extent, obliged to tolerate friction but even they will find ways round security measures if they are too irritating. For some attendees, companies must simply determine the level of risk that they are willing to accept, just as they do in other areas of business.

A good starting point is to ask what customers and employees expect and then look at the risk involved in delivering it. The question then is, as one delegate put it: “What is the minimum we can spend to meet the acceptable level of risk?”

Risk can be mitigated partly by insurance, which is growing in this area. Most agreed, though, that insurers still lack the expertise necessary to properly assess cyber security risks, which means insurance is still more expensive than it should be.

A lot of businesses want to benchmark based on what their competitors are doing. “We just need to be a less appealing target than the next guy,” said one attendee. But such is the level of secrecy in the industry that it can be hard to find out what your competitors are spending. Worse, the knock-on effects of a company – a bank, for example – going out of business because of a cyber attack could damage every company in the sector.

Perhaps some form of group solution is necessary after all.


Get our latest features in your inbox

Join our community of business leaders