No user awareness training? Prepare for coal in your stocking.


There’s no time of year where your employees are more susceptible to attacks than the holidays. They’ll be inundated with emails from retailers offering the best deals. But not every email will be so innocent.

We’ve been hearing about organizations this year who have come very close to wiring out tens of thousands of dollars of iTunes gift cards to bad actors during the holidays. If your C-suite thinks it can’t happen to you—they’re wrong.

In this installment of Bridging the Cyber Divide—our blog series focused on helping IT professionals at small-to-medium sized organizations make the case for enhanced security solutions—we’re looking at how the holidays can be a vulnerable time without the right security and education in place.

The reality of holiday season cyberattacks

Cyberthreats are a constant concern for every organization at all times. But there’s probably no specific time of the year that should be more concerning to you than this one.

All it takes is one bad click to bring down your organization. We’ve found that about 95% of all cyberattacks start with human error. Back in the first edition of this series, we told you about a small Midwestern retailer that was forced to go out of business after a ransomware attack caused when an employee clicked on a seemingly safe link from what appeared to be a catalogue.

It may seem like a cliché, but it’s true: all it takes is one click, or one ill-informed action, to bring down your business, and we’ve seen it happen time and time again.

At Mimecast, we hear about these kinds of issues all the time, especially this time of year. Anecdotally, we can tell you that among SMBs, we’ve heard of three separate recent instances where companies came close to wiring out between $50,000 and $100,000 in iTunes gift cards to fraudulent actors because it’s the holidays. We’ve also heard of holiday-related tactics being used in credential-harvesting schemes to infiltrate networks.

In addition, the number of popular retailers that have been breached continues to grow, with at least 16 major ones hit in the last two years. Some of these, including Macy’s, Sears, Adidas and Lord & Taylor, are likely the types of places your employees are shopping online this year and may be doing it using corporate-issued devices on your corporate network. In a recent Mimecast survey, 69% of respondents admitted to using work devices for personal use.

This time of year is year-end for many organizations, so your salesforce is likely working on those last-minute deals and your finance team is gearing up to prepare those final numbers for the year. With that in mind, it’s probably the worst time of year for your network to go down as well. According to the 2018 Mimecast State of Email Security report, the average downtime from a ransomware attack for organizations globally is three days.

Why awareness training matters

Cybersecurity awareness training goes hand-in-hand with any kind of cybersecurity technology. Organizations that don’t ask users to commit to regular, interactive and immersive cybersecurity awareness training aren’t doing enough to combat the serious potential consequences of an avoidable breach. The reality is that human error happens all the time in the workplace: a bad link gets clicked, money gets wired to an impostor, files get left open on an unlocked computer.

Training can’t simply be a box that’s checked when a new employee is onboarded and then perhaps repeated annually as part of an hours-long presentation. Cybersecurity awareness training has to be done consistently and over the full length of an employee’s tenure at your company to be truly effective. It also needs to be memorable and interactive in a way most training seminars simply aren’t.

So, when pitching the idea of advanced security technology to your C-suite, adding in robust, comprehensive and effective cybersecurity awareness training for all employees must be part of the pitch. Here are some points you can bring up to the skeptics:

  • The State of Email Security Report found that, among organizations that experienced an internal security incident, 88% said it came about because of careless employees. Along similar lines, 31% of organizations said a member of their C-suite had shared sensitive business information with the wrong person.
  • Traditional or out-of-the-box cybersecurity measures such as anti-spam or anti-virus platforms are becoming increasingly easy for attackers to bypass, and every organization is a target regardless of size. Without both advanced technology to stop attacks and robust user awareness, any organization is that much more vulnerable.

Here’s wishing you a healthy and safe holiday season. We’ll see you in 2019 for the next edition of Bridging the Cyber Divide.
