by Steve Havert (Independent IT Consultant with thirty-six year IT career working in every facet of IT).
According to a recent survey of 600 IT security decision makers it was found that :
- 83% of IT security managers think that email is one of the most common sources of attack.
- 64% believe email attacks pose a “high” or “extremely high” threat to their organization.
- Despite this awareness of the risk the survey found that 65% do not feel equipped and up-to-date to cope with the risks posed by email threats.
The question that these results raise is: why the inverse relationship between perceived risk and confidence in being able to mitigate the risk? Let's examine some of the reasons why this is the case.
Why do IT pros feel overwhelmed by email threats?
One possible reason that an IT security manager may not feel confident is that they have experienced an attack which caused significant damage – either in terms of lost data, lost productivity, direct financial loss or some combination of those. The fact that their security measures did not successfully deter the attack could well make them feel less confident.
Interestingly, of the 53% of the respondents who indicated that they had experienced an email hack or breach
- 34% feel unequipped to deal with one
- 19% responded that they feel equipped and ready for the next one.
Presumably they learned a great deal from the attack and applied the lessons learned by implementing changes in policies, procedures, technology, etc.
The analysis of the data from the survey grouped the respondents into five personas (categories): Apprehensive, Nervous, Battle-scarred, Vigilant and Equipped Veteran. The Apprehensive persona represents the respondents who felt least equipped while the Equipped Veteran persona represents the most confident group. Three attributes of these persona correlate with the degree of confidence: organization size, C-suite involvement and security spending as a percentage of overall IT budget.
Does company size affect level of confidence when it comes to security?
While organization size was not a perfect correlation, for the most part the confident IT security managers worked for larger corporations. The two least confident groups, Apprehensive and Nervous, tended to work in companies with less than 450 employees.
Vast majority of SMBs are ill-equipped to deal with email or cyber threats
The two most confident groups, Vigilant and Equipped Veteran, tended to work in companies with more than 800 employees. My fifteen years’ experience providing IT consulting services supports this finding. The vast majority of my small business clients were ill-equipped to prevent or deal with an email cyber-attack prior to my working with them. Many of them had a home network type router/firewall, no anti-virus or only anti-virus programs that they could get for free, no spam filtering service or software, an inadequate or no backup system and no company policies regarding email security.
Many CEOs and small business owners are sales people and don’t appreciate the importance of email security
Their backgrounds tend to be in sales, operations management, finance or marketing. Therefore, they have had little exposure to IT issues other than as a hardware and software user. Unless their company has experienced a serious IT security breach or they have experienced one personally, they tend to discount the threat posed by malicious emails.
The C-suite individuals I’ve worked with who had a personal experience with malware (often due to opening an infected email on their home computer) or their personal email account being hacked (because their password was something obvious or easy to crack – e.g. “password”) were the only ones that emphasized the importance of IT security as a need when requesting consulting services.
Why getting agreement for security spend is often difficult
When the C-suite doesn’t acknowledge the critical importance of email security, the portion of the IT budget allocated to it reflects this bias. They understand the need for
- new servers,
- faster networks,
- larger data storage capabilities
- updated software.
These items increase productivity, are necessary for company growth and represent an investment in the company’s future; the executive gets it. If they have not experienced a security breach as a result of an email, the executive may have difficulty comprehending spending money to avoid something that may not happen.
The “isolated incident” isn’t isolated, it represents the small crack in the dam
Even when it does happen, some executives see it as an isolated incident (especially when the impact is small). They don’t understand that their company’s IT infrastructure is constantly being bombarded by infected emails, spoof emails, spam, etc. The “isolated incident” isn’t isolated, it represents the small crack in the dam which allows a drop or two of water to leak through but is really the beginning of the dam’s eventual failure.
Being “Apprehensive” or “Nervous” about your company’s preparedness for an email threat is not necessarily a bad thing. In fact, it seems a very appropriate attitude given the likelihood of a successful attack and the disaster potential of that attack. (Anyone who has experienced a successful CryptoWall attack knows how disastrous one can be. The latest version seems to be even more diabolical than previous versions – in some cases encrypting data just prior to being backed up and then decrypting it after the backup, resulting in encrypted data in the backups going back several weeks or months.)
When an attack occurs and is successful, it will be the person responsible for IT security that will have to answer for it.
Those feelings of apprehension and nervousness can and should become the motivation for implementing the measures that will increase the security of the organization’s email. Whether the problem is lack of C-suite engagement or lack of budget allocated to email security, the IT security manager/director/VP is responsible for ensuring the security and integrity of the organization’s data and electronic communications. In this role, they may need to become salesmen, preachers, even zealots, in convincing executive management of the critical need to fully fund email security measures.
In addition to funding for security technology, they need to enact policies and procedures designed to educate and regulate employees so that they understand and will self-manage the threat posed by malicious emails. When, not if, an attack occurs and is successful, it will be the person responsible for IT security that will have to answer for it. I doubt that “I tried to warn you” will be considered an acceptable excuse by senior management if that warning wasn’t compelling, loud and continuous.
C-suite must acknowledge the critical importance of email security. When, not if, an attack occurs and is successful, it will be the person responsible for IT security that will have to answer for it. The “isolated incident” isn’t isolated, it represents the small crack in the dam.
Whether the problem is lack of C-suite engagement or lack of budget allocated to email security, the IT security manager/director/VP is responsible for ensuring the security and integrity of the organization’s data and electronic communications. In this role, they may need to become salesmen, preachers, even zealots, in convincing executive management of the critical need to fully fund email security measures.
About Steve -Steve Havert is an independent IT Consultant based in Seattle, WA. He has spent his thirty-six year IT career working in every facet of IT for large corporations as well as his own IT consulting business in Orange County, CA. He continues to work as a freelance consultant while pursuing a second career in photography. * Survey referenced was completed by Mimecast in February of this year.