To address this, organisations must consider
how often they are being targeted, the risks
these attacks pose and how prepared they –
and, more importantly, their workforce – are.
Employee education and security awareness
is often the difference between an attempted
cyberattack and a successful one.
How much of a target are emails and
why, and what threats are introduced
via email?
Email is and will remain the initial threat
vector of choice for most actors.
Email-based threats are among the
oldest, most pervasive and widespread
cybersecurity threats hitting organisations
worldwide. From massive malware
campaigns targeting millions of recipients
with banking Trojans to carefully crafted
email fraud, the email threat landscape
is extremely diverse, creating a wide
range of opportunities for threat actors to
attack organisations.
More importantly, email allows threat actors
to attack individuals within an organisation,
a far more lucrative and effective approach
than targeting infrastructure. These threats
must continuously grow in sophistication
as humans become better at detecting
them over time.
Credentials are often phished via email – a
method of attack that remains alarmingly
effective. Cybercriminals are increasingly
using compromised credentials to access
email accounts, sensitive information and
corporate systems.
Proofpoint research found that account
compromise was in fact the leading method
of cyberattack in the UAE in 2019, impacting
28% of companies, followed by credential
phishing (20%) and insider threats (17%).
Phishing and impersonation attacks/Business
Email Compromise (BEC) attacks accounted
for 15% each amongst the organisations
targeted last year.
In line with this, email fraud via Business
Email Compromise (BEC), in which an
attacker gains access to an email account
and spoofs its owner, is on the rise globally
– and is now being described as one of
the most expensive threats on the cyber
landscape. In fact, the latest FBI report
estimates total worldwide losses as a result
of BEC at US$1.7 billion in 2019.
Evidently, the threat outlook is fast-evolving
and we will continue to witness
cybercriminals trying to gain a foothold
and steal sensitive information via email-borne
attacks.
How important is human behaviour
in preventing these types of attacks?
Cybercriminals are increasingly targeting
people rather than infrastructure. In fact,
99% of cyberattacks require human
interaction to be successful.
CISOs and CSOs in the UAE recognise this
human risk to their organisations, with 39%
believing that their employees make their
business vulnerable to a cyberattack.
Common security errors made by employees
according to CSOs and CISOs include poor
password hygiene (29%), mishandling
sensitive information (25%), falling for
phishing attacks (24%) and clicking on
malicious links (20%). Interestingly, 19%
cited criminal insider threats as a growing
concern for businesses.
Despite facing a fast-evolving threat
landscape, 75% of CISOs and CSOs in the
UAE admitted to training their employees
on cybersecurity best practices as little as
twice a year or less. Meanwhile, only 23%
of organisations in the UAE train their
employees more than three times a year.
Emile Abou Saleh, Regional Leader – Middle
East, Turkey and Africa, Proofpoint
Organisations must ensure that their
employees are equipped with the
knowledge and the tools to defend
against all manner of threats. Employees
at all levels must understand how
simple behaviours – password reuse and
76 INTELLIGENTCIO www.intelligentcio.com