Employees – the weakest link in email security?

Email is not only one of the most important channels of communication in day-to-day business, but unfortunately also one of the biggest gateways for cyber attacks. According to the security and network specialists Barracuda Networks, 91% of all attacks start with an email. Gateway solutions such as Barracuda Essentials therefore represent an important first line of defence against the dangers posed by malicious emails. Not only do such solutions reliably recognise spam and phishing emails, they also provide protection against sophisticated attacks such as zero-day attacks, in which cyber criminals exploit unpatched security flaws in firmware and software in order to deliver malware or steal data.

Thanks to the use of cutting-edge techniques such as sandboxing and artificial intelligence, it is becoming increasingly difficult for cyber criminals to overcome these defence systems. They are, therefore, increasingly mounting targeted attacks on workers by sending personal messages tailored to the recipient. Such emails are often not recognised as spam or phishing attempts by the defence systems, and these messages are therefore able to bypass the protections in place.

Unfortunately, this method has a high rate of success – in the hectic rush of day-to-day work, the recipient opens the attachment, clicks on the links it contains or carries out instructions that appear to come from the boss, without carefully checking the legitimacy of the message or consulting in-house security experts. According to a worldwide survey carried out by B2B International on behalf of Kaspersky Lab, 46% of all IT security incidents can be traced back to such misconduct by employees. The market research company Osterman Research records similarly alarming results: of the companies surveyed by Osterman, 34% had been victims of successful email phishing attacks, 17% had seen sensitive or confidential data accidentally or maliciously forwarded by email, 14% reported successful spear phishing attacks on managers and 11% had been affected by CEO fraud (you can find out more about spear phishing and CEO fraud in this article).

The significance of the human factor in IT security has also been clear to managers for a long time. According to the study ‘The email threat: the main concerns of EMEA IT stakeholders and the importance of staff training’, which was published by Barracuda Networks, 79% of the technicians and managers surveyed believe that improper employee behaviour is a bigger threat to email security than inadequate or incorrectly configured technical equipment. The survey participants see departments such as finance, sales and marketing and customer support as particularly vulnerable, because these staff members have access to particularly sensitive information and systems.

Awareness training – a good investment in IT security

It is therefore clear to most of the managers surveyed that any improvement to IT security must involve staff. 89% think training programmes are ‘very important’ (54%) or even ‘extremely important’ (35%). The following principal options are available to increase staff awareness:

– Face-to-face training. This traditional method of instruction allows a direct exchange between trainers and participants. The security specialist giving the session can respond individually to employees’ questions and fill their specific knowledge gaps. Theoretical training should be supplemented with live hacking demonstrations in which trainers show first-hand how easily technical security measures can be overcome by misconduct. Face-to-face training is, however, expensive and time-consuming. In addition to the expense of hiring training personnel, there are productivity losses for the participants and sometimes travel costs. Moreover, training sessions of this kind are only worthwhile with a small number of participants, and they must therefore be repeated several times. Because of the large amount of effort and the costs involved, the intervals between training cycles are usually long. In the meantime, however, the lessons learnt fade from memory and the danger of misconduct and carelessness rises again.

– Simulated attacks. Unannounced simulation tests consisting of common attack scenarios can not only increase employees’ awareness of existing cyber threats, but also provide those responsible for IT security with a good overview of the current status of staff security. This enables specialists to develop further targeted measures and to directly address those people who exhibit particularly risky or reckless behaviour.

– Computer-based training (CBT). In this variation, the staff member individually undertakes training on their PC at a time that suits them. Training modules can build on one another and must be completed at regular intervals. This method ensures that the security awareness of employees always remains at a high level and responds to new developments. Such training sessions are particularly effective if the example attacks are tailored to the day-to-day workings of the specific department and position of the staff member.

An example of a solution that can be used for both simulated attacks and computer-based training is ‘Barracuda PhishLine’. It offers numerous simulations and training topics that can be individually adapted to the job profile of a staff member and the threat situation in the company. In addition to planned regular training sessions, spontaneous actions are also an option, for example in order to provide targeted training to a worker who was uncertain in a simulation test or exhibits a specific risk profile. The integrated phish-reporting button enables staff members to report suspicious emails to IT security officers.


Technical measures such as spam filters and email gateways are necessary and useful tools to protect companies from dangerous emails. On their own, however, they fall far short of what is needed. In fact, the greatest risk facing email security is the misconduct of staff members, which is responsible for a large proportion of all security incidents and successful attacks. Companies should therefore invest more in training their employees, not only to increase understanding of the risks at hand, but also to coach staff in how to respond correctly to suspicious-looking messages. Face-to-face training sessions are not entirely suitable for this. They cost a great deal of time and money and are therefore usually only undertaken infrequently. Computer-based training modules, which must be completed at regular intervals, are a better and more efficient option. It is best if these are combined with unannounced simulated attacks using test phishing emails. In this way, staff awareness of the dangers of email communication will be improved in a sustainable, long-term and efficient way.

– Written by Chris Ross, SVP International at Barracuda Networks