Reducing email threats: 5 tips for cybersecurity awareness month
By Jennifer Rideout
Last year, email spam turned 40. Since 1978, spam has grown exponentially in prevalence, inundating inboxes with unwanted offers for pharmaceuticals, diet products and job opportunities. Not only that, it’s been joined by its far more dangerous cousins, phishing and malware.
Today, the volume is staggering — 85 per cent of all email in April 2019 was spam, according to Talos Intelligence. The volume of unwanted email is on the rise too; spam hit a 15-month high the same month.
You could argue that email makes it almost “too easy” for scammers. Email forces a user to read and make assessments about what they receive, then make decisions as to what they open or click as a result. Just the right amount of social engineering – exploiting the individual’s good nature – can push them to action. It’s this social engineering that not only makes email an enticing delivery vector, but also so challenging to defend.
No wonder email is one of the primary challenges that keep chief information security officers (CISOs) up at night. In a recent CISO Benchmark Study, we learned that 56 per cent of CISOs surveyed felt that defending against user behaviours, such as clicking a malicious link in an email, is very or extremely challenging. This ranks higher than any other security concern surveyed – higher than data in the public cloud, and higher than mobile device use. Even if your manufacturing organization doesn’t have a CISO, email security needs to rank high on your priority list.
So how do you secure something that’s both a necessity and a risk at the same time? At least for manufacturers – unlike securing industrial zones or managing physical access permissions – email security best practices are applicable across industries, meaning that what’s proven to work for a financial institution or retailer will work for you, too.
Here’s how you can keep your business safe and reduce the risk that email threats pose.
Run regular phishing exercises.
Your employees are your greatest defense against cybersecurity threats, especially when it comes to tailored phishing attempts. Employees who learn to recognize a phishing attempt outright can stop the number one source of endpoint compromise.
To raise awareness, run regular phishing exercises to test and educate users. Emulate the latest real-world techniques to keep people abreast of what they may encounter. For users who fall for emulated phishing attacks, provide education immediately by directing them to webpages with further information about phishing. For high-risk users in your organization, where significant damage could occur if they fall for a ruse, run tailored phishing campaign exercises.
Use multi-factor authentication (MFA).
If your employee’s email account credentials are successfully stolen, multi-factor authentication can prevent an attacker from gaining access to the account and wreaking havoc.
Here’s how it works: let’s say that someone does manage to get a hold of your login credentials, or someone’s on your network, and attempts to log in. With MFA, a message is automatically sent to the owner to check if they just attempted to log in. The user, in this scenario, realizing that they did not just attempt to log in, denies the request outright. The attack is thwarted.
Keep software up-to-date.
In some cases, emails that include malicious URLs may point users to pages with exploits. Keeping browsers and software updated, as well as any plugins, helps alleviate the risks posed by these attacks.
Be careful with requests to log in.
Malicious actors intent on stealing login credentials go to great lengths to make their pages look like the login pages you are familiar with. When you encounter a login prompt, check the URL in the address bar to ensure it is correct. If the prompt appears in a pop-up style window, expand the window to make sure that the full URL, or at least the full domain (e.g. www.yourcompanyname.com), is visible.
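The address-bar check described above can also be automated, for example in a mail gateway or a help-desk triage script. The following is an added example, not part of the original article: it parses a link the way a browser does and compares the real host against an assumed allow-list (EXPECTED_LOGIN_HOSTS and the sample URLs are constructed for illustration).

```javascript
// Added example: decide whether a login link points at a host we expect.
// EXPECTED_LOGIN_HOSTS is an assumed allow-list built on the article's
// placeholder domain; replace it with your organization's real login hosts.
const EXPECTED_LOGIN_HOSTS = new Set([
  "www.yourcompanyname.com",
  "login.yourcompanyname.com",
]);

function checkLoginUrl(raw) {
  let url;
  try {
    url = new URL(raw); // same parsing rules the browser address bar uses
  } catch {
    return { ok: false, reason: "not a valid absolute URL" };
  }
  // hostname is already lower-cased; drop a trailing dot if present
  const host = url.hostname.replace(/\.$/, "");
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not https", host };
  }
  // Text before "@" is a username, not the site: the real host comes after it
  if (url.username || url.password) {
    return { ok: false, reason: "userinfo before the host", host };
  }
  // Non-ASCII look-alike letters are converted to "xn--" labels by the parser
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, reason: "internationalized look-alike label", host };
  }
  // Exact match only: "www.yourcompanyname.com.example.net" must not pass
  if (!EXPECTED_LOGIN_HOSTS.has(host)) {
    return { ok: false, reason: "host not on the expected list", host };
  }
  return { ok: true, reason: "expected host", host };
}

// Constructed sample links (example.net is a reserved documentation domain)
const SAMPLES = [
  "https://www.yourcompanyname.com/login",
  "https://www.yourcompanyname.com.example.net/login",
  "https://www.yourcompanyname.com@login.example.net/",
  "https://www.yourcomp\u0430nyname.com/login", // Cyrillic "a" in the name
  "http://www.yourcompanyname.com/login",
];
for (const s of SAMPLES) {
  const r = checkLoginUrl(s);
  console.log(`${r.ok ? "OK   " : "BLOCK"} ${r.host ?? "-"} (${r.reason})`);
}
```

The second and third samples both display the company name first, which is why the full domain has to be visible before it can be trusted.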
Make sure the email sounds plausible.
In the case of scams like digital extortion and advance fee fraud, the senders often craft elaborate stories to try to convince you that the email is legitimate. Does the scenario as laid out make sense? Are there any holes in their stories, from a technical, financial-process or other perspective? If so, approach with a skeptical eye.
Cybersecurity awareness and email security awareness are vital for manufacturers and their employees as more advanced solutions, such as the IIoT, are adopted across factory floors. Keep your networks and data safe this cybersecurity awareness month with these tips, and don’t let hackers win.
Jennifer Rideout is the manufacturing marketing manager for Cisco Canada. She is responsible for developing go-to-market strategies for the manufacturing sector in Canada, including channel alignment and content development.
This article originally appeared in the October 2019 issue of Manufacturing AUTOMATION.