For Internal Email Threats, Consider Employee Behavior
 

Editor’s Note: Internal email threats of all kinds are increasing, with Mimecast research showing that threats caused by careless users, compromised accounts and malicious insiders have all increased at least one-quarter in the last year.

What’s your plan to combat this growing threat vector?

We asked Sam Curry, chief security officer at Boston-based cybersecurity firm Cybereason and member of the Cyber Resilience Think Tank, to share his thoughts on how best to handle internal email threats.

According to data from Mimecast and Vanson Bourne, the majority of IT decision makers are not confident that their employees can spot internal threats or prevent them. In your opinion, why aren’t internal threats considered to be as risky as external ones?

Humans are notoriously bad intuitively at being able to tell relative likelihood of things. We fear, for instance, plane crashes far more than car crashes intuitively; but car crashes are statistically far more likely. That which grabs our attention, is visible and recent and what we can act on will be foremost in our minds. The same is true with an insider attack—the data is hard to come by, it’s hard to act and it can and has been ignored for a long time. What really matters is the data.

In your experience, what is the most common type of internal threat actor – malicious, accidental or careless?

The most common, by far, is accidental and careless internal incidents; but the most damaging are malicious. Just because someone has lost data by accident doesn’t mean someone who can realize its value or use it to cause material harm is present and ready to use it. However, when someone intentionally targets and takes action to obtain data, they will maximize its value for their purposes, which increases the potential material damage that is caused.

Cybersecurity has become mainstream. Does some onus fall on employees to practice smart email behavior? Or do you think the onus is on the organization to make it a known issue?

Security that doesn’t consider how people and users really behave is bad security. We often hear, “we had a policy but the user didn’t follow it.” The best designed policies are like good agile computing; they are user-centric and don’t resist the user’s natural inclinations. Having said that, the onus falls on both the user and the organization to practice smart security. It’s not enough to say this is “someone else’s problem,” the burden is asymmetric between users and organizations, but there is enough responsibility and accountability to go around.

What are some steps organizations can take to make employees more educated, aware and prepared to defend against email-based attacks?

Reward good behavior and don’t just punish bad. We often vilify and ostracize transgressors, when really we should be seeking to take that “spidey sense” moment that something isn’t right and change the reaction from one of fear of looking stupid or fear of not fitting in to a chance to be a hero in the eyes of the company.

Why not have a “Saved the Company” award every quarter that highlights someone who listened to the spidey sense and call them out and give them a financial reward? If there isn’t someone, take someone who didn’t fall for a phishing test and submitted the suspicious email anyway – they don’t know it wasn’t a real attack, and you’re rewarding the right behavior!

According to the same research, the CEO is commonly cited as a “weak link” when it comes to sending sensitive information to the wrong people. Do you think awareness and general attitude toward security starts at the top? What are some steps security professionals can take to better inform – and prepare – the C-suite?

Speaking truth to power and educating your boss are both difficult and potentially career-limiting moves. However, they must be done. If you are to have integrity and also want to improve the company, executives need to be briefed and trained even more than other employees. Whaling attacks are a real thing.

Use external consultants and well-known names if you must to make it happen. But get the time to do it and to keep it fresh. And if you care about this and the company punishes you for it, it probably isn’t the right culture for you. Brush up the resume and look around proactively.

Do most organizations have the right technology in place to deal with internal email-based attacks? How can they improve or update what they use?

Most organizations don’t have the right technology, the right processes or the right policies to deal with these attacks. It’s critical that companies look at all three and how they operate together to get ahead of the email threat vector.