The use of emails has dramatically increased with more people working from home due to the Covid-19 pandemic.
One of the knock-on effects is a spike in email cybersecurity threats across the globe.
Companies are ill-prepared for cyber criminals taking full advantage of the rise in hybrid offices
And South Africa has not been spared, says Mimecast Limited, which is a UK- headquartered company specialising in cloud-based email management for Microsoft Exchange and Microsoft Office 365, including security, archiving and continuity services to protect business mail.
“There’s no question that the pandemic-driven shift from office to home-based work was a major contributor. With the flip of a figurative switch, interaction and collaboration shifted to digital only, and companies had to scramble to adjust,” the company says in a report titled: “Securing the Enterprise in the Covid World – The
State of Email Security”.
“Cybersecurity teams, many of which were already resource poor, had new tools, systems, devices, and locations to protect overnight. And where most of the world saw crisis, cybercriminals saw opportunity, a fact that is reflected by the level of attacks organisations experienced during this period.”
According to the document, email threats rose by more than 64% during 2020 compared to the year before. Mimecast commissioned research firm Vanson Bourne to conduct a global survey of
1,225 information technology and cybersecurity professionals from 10 countries during February and March of 2021.
One of the key findings on increase in cyberattacks is that employees are not tech savvy. While naïveté has been significant across the board, it has been especially significant in certain countries.
“In the UK, the Netherlands, South Africa and the United Arab Emirates, half or more of the survey respondents (51%, 50%, 52% and 50% respectively) view the lack of cyber sophistication among employees as a major threat to their companies’ security, compared with 43% globally,” the report reads.
A prime target is staffers newly deployed to work from home, “where their attention is often diverted by household distractions and at a time when vulnerability to emotional or fear-based attacks has been high”.
“Threat actors were quick to take advantage of this with a flood of new phishing attacks. The increase in volume was also likely an attempt to overwhelm security operations centres with alerts in the hope that some of them would be overlooked.
“This uptick in cyber fraud has taken a toll and exacerbated many of the threats that companies already faced. For example, since the onset of the pandemic, the Mimecast Threat Centre found that employees worldwide are clicking on malicious URLs embedded in emails three times as often as they had before,” it says.
Around 52% of the companies surveyed cite the growing volume of attacks among their top challenges.
But despite these threats, the report says corporate dependency on email continues to grow, which heightens the risks for companies.
A total of 70% of the respondents consider it likely that an email-borne attack will damage their business during 2021, 39% believe it is extremely likely, and 5% say it is inevitable. This is a significant increase from 59% in 2020.
Despite this very real threat and the damage to businesses, only one in five of those interviewed have ongoing cyber awareness training, while 13% still do not have an email security system.
According to the research, there has been a proliferation of different types of email- based attacks during the pandemic. However, phishing – where a person steals the sensitive information of user – has been the predominant threat, and 63% of the respondents are facing a surge in targeted emails that attempt to lure employees into
clicking on a malicious link or attachment.
“Some messages are familiar and crude, such as those seeking to solicit sympathy for the sender in order to defraud the recipient of money. Others are far more sophisticated and prey on Covid-related fears by purporting to contain important updates or officially sanctioned directive,” the document reads.
No matter the ploy, in most cases cybercriminals are looking to trick employees into revealing their log-in credentials. Business email compromise attacks in the form of impersonation fraud rose significantly, with 51% of the participants reporting an increase. There has also been an increase in data breaches, emails that make fraudulent use of a company’s brand to deceive the recipient as well as creating counterfeit websites.
WHAT ACTION IS NEEDED
The research shows that despite a loss in revenues due to the pandemic and resulting lockdowns in the 10 countries surveyed, many firms have increased their cybersecurity budgets and hired additional cybersecurity experts.
But most companies do not have cyber resilience strategy, which allows them to lay the groundwork for more formidable defences.
“Much work…remains to be done. Expectations of a damaging email attack among survey respondents remain high, many employees are still ill-equipped to recognise and cope with a cyberattack, while far too many companies still lack basic email protections,” the report reads.
It says to deal with these challenges, cyber preparedness and a resilience strategy cannot be overstated.
“Likewise, it stands to reason that companies using advanced technologies such as AI and layered email defences – while also regularly training their employees in attack-resistant behaviours – will be in the best possible position to sidestep future attacks and quickly recover.”
According to a study by IBM Security examining the financial impact of data breaches which was released in August 2020, the average cost for South African companies interviewed was R40.2-million per breach.
By: Amy Musgrave