Organizations That Prioritize Cybersecurity Awareness Training See High Rates Of Employee-Reported Emails, Decreasing The Likelihood Of Email Threats Entering The Organization And Simultaneously Creating A Burden On IT Security Staff.
- Employee reports of suspicious emails can be a distraction to IT and security staff, while infrequent cyber awareness training causes low employee reporting engagement.
- Yet there are few trained, dedicated email analysts, and few organizations analyze all reported emails.
- Automated analysis and triage of suspicious emails greatly reduces IT and security staff workload while providing a more timely and effective response to email phishing and other cyberattacks.
An Osterman Research paper, Assessing Organizational Readiness to Deal with Increased Employee Cyber Awareness, examines the effectiveness of cybersecurity awareness training and how email is evaluated as potentially suspicious, both by employees and IT security staff. Three hundred cybersecurity professionals in the United States and the United Kingdom at organizations with at least 1500 employees were surveyed.
The central finding of the research: email security is more essential than ever, given email’s long-standing position as the dominant threat vector. Yet few organizations have high confidence in both the available tools and employees’ awareness and ability to effectively assess and report malicious email messages. Organizations that employ automated email incident response systems combined with employee cybersecurity awareness training have proven better at identifying and preventing malicious email attacks, with the added benefit of reducing the administrative burden on IT and security staff.
Let’s take a look at some of the key findings:
- Email remains the dominant threat vector.
In Mimecast’s State of Email Security 2021, 58 percent of surveyed companies saw an increase in phishing attacks. And 60 percent were hit by an attack spread from an infected employee to other employees. In addition, according to the FBI, business email compromise attacks have decreased in volume, but have become more expensive with higher overall costs.
- Employee Engagement — When It’s Not a Good Thing
Increasing employee cyber awareness to report suspicious email is an important first layer of protection against email threats. However, the downside is that more than half of IT and security staff surveyed in the Osterman white paper felt employee reports of suspect emails are more a diversion than a help. That’s because it takes time for human analysts to sort through employee-reported emails, 90 percent of which typically prove benign.
Indeed, among those who characterized employee reports of suspicious emails as a diversion, the vast majority (87%) relied on human analysts or human intervention to investigate these reports, as opposed to automation tools to analyze, triage, and prioritize potential threats. Only 1% of respondents who outsourced the review of employee-reported emails felt this task was a burden or a diversion from key responsibilities.
- Employee Engagement — When It’s a Good Thing
Most security organizations seek to increase user awareness of malicious emails in two ways:
- Warning banners on unsolicited emails from outside the organization and other potentially suspicious content.
- More than half of surveyed organizations (56%) provide cybersecurity awareness training monthly. The remainder do so quarterly or less often, while only 15 percent train once a year or less.
Particularly noteworthy are the 16 percent of respondents who underwent daily training. This constituted anything from an email on some aspect of cybersecurity to a warning poster in an elevator or a pull-up display reminding employees not to leave USB sticks unattended on their desks.
The cybersecurity awareness training has proven effective: Eighty percent of respondents reported a direct correlation between training and an increase in user-reported emails. For organizations offering cybersecurity awareness training on a daily, weekly, or monthly basis, the rate of increase was greatest, with three-quarters (74%) indicating a threefold to tenfold or greater increase.
- Making Reporting Easy for Employees
Most organizations make it easy for employees to report messages, either with a button in the email client to click (34%) or a link in an email message to click (23%) to report suspicion. The latter is considered preferable to forwarding a message to an abuse mailbox, which requires at least the extra step of locating and entering or selecting an email address. In addition, forwarding a message to an abuse mailbox usually requires a human analyst to review and remediate the suspicious message. Again, however, reliance on human analysts to evaluate reports of possible malicious emails is a burden to IT security staff.
- Suspicious Email Reporting Accuracy Varies
At most organizations, almost half of employee-reported suspected email messages prove benign, which reinforces the problem of overtaxing IT security staff in determining email threats. What’s more, few organizations employ dedicated email analysts with sufficient professional training and tooling in threat identification and mitigation for email-borne threats, making it all the more difficult to provide adequate identification of potential malicious attacks.
Only 11 percent of surveyed organizations use software to automatically triage email messages reported as suspicious and remove these messages from mailboxes. Almost one-third of organizations rely completely on human analysts; in the wake of well-documented cybersecurity skills shortages, their time is almost certainly better spent elsewhere.
Three-fifths of organizations use some combination of automation plus human review. Without human intervention to make a definitive decision, remediating a suspicious email can result in false positives. Few security teams can afford to waste time on a mounting number of false positives, and even with technology solutions to address the problem of persistent false positives, it takes time to roll these out and maintain accuracy.
For benign email messages, 70 percent of organizations are able to analyze each email and close the incident in less than 10 minutes. For malicious email messages, it takes longer, up to 60 minutes per message.
- Most Organizations Do Not Analyze All Reported Email
Only about a quarter of surveyed organizations analyze all emails reported as suspicious. Nor did it seem to make a difference whether the organization relied primarily on human analysts or some degree of automation. However, organizations relying solely on human analysis may be more prone to letting malicious email slip through; automation has a greater ability to use similarity analysis to rule out variations.
Particularly interesting is that organizations that reviewed all reported emails receive almost three times as many reports. Again, this increases IT and security staff workloads. At the same time, these actions have some value: if employees don’t receive feedback on all their reporting and consequently feel their actions are ignored or underutilized, reporting levels tend to drop, which can create a greater likelihood of malicious emails entering IT environments.
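To make the similarity-analysis point concrete, here is an added example (not code from Osterman Research, Mimecast, or any product the paper discusses) showing how automated triage can collapse variants of one phishing lure into a single analyst decision and then send feedback to every reporter. The five reports, the reporter names and domains, the scoring weights (wording 0.5, link hosts 0.3, sender domain 0.2) and the 0.7 clustering threshold are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Report:
    reporter: str
    sender: str
    subject: str
    body: str


# Constructed sample reports (hypothetical reporters, domains and lures, not
# data from the survey). The first three are variants of one credential
# phishing lure that differ only in deadlines, ticket numbers and URL parameters.
SAMPLE_REPORTS = [
    Report("alice", "it-helpdesk@examp1e-support.test",
           "Action required: password expires in 24 hours (ticket 48213)",
           "Your mailbox password expires soon. Reset it now at "
           "https://examp1e-support.test/reset?id=48213 to avoid lockout."),
    Report("bob", "it-helpdesk@examp1e-support.test",
           "Action required: password expires in 12 hours (ticket 48977)",
           "Your mailbox password expires soon. Reset it now at "
           "https://examp1e-support.test/reset?id=48977 to avoid lockout."),
    Report("carol", "helpdesk@examp1e-support.test",
           "Action Required - password expires today",
           "Your mailbox password expires today. Reset now at "
           "https://examp1e-support.test/reset?id=51002 to avoid lockout."),
    Report("dave", "news@vendor-newsletter.test",
           "March product newsletter",
           "Read the latest release notes at https://vendor-newsletter.test/march."),
    Report("erin", "hr@corp-internal.test",
           "Benefits enrollment reminder",
           "Open enrollment closes Friday. Visit https://hr.corp-internal.test/benefits."),
]

URL_RE = re.compile(r"https?://\S+")


def tokens(text):
    """Normalise text so campaign variants land on the same token set:
    URLs and numbers become placeholders, leaving only the lure wording."""
    text = URL_RE.sub(" url ", text.lower())
    text = re.sub(r"\d+", " num ", text)
    return set(re.findall(r"[a-z]+", text))


def url_hosts(text):
    """Hostnames of every link in the text (paths and parameters ignored)."""
    return {urlparse(u).hostname for u in URL_RE.findall(text)} - {None}


def jaccard(a, b):
    """Set overlap in [0, 1]; two empty sets count as no evidence, not a match."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def similarity(a, b):
    """Weighted similarity in [0, 1]. The weights are this example's assumption."""
    same_domain = (a.sender.rsplit("@", 1)[-1].lower()
                   == b.sender.rsplit("@", 1)[-1].lower())
    wording = jaccard(tokens(a.subject) | tokens(a.body),
                      tokens(b.subject) | tokens(b.body))
    hosts = jaccard(url_hosts(a.body), url_hosts(b.body))
    return 0.5 * wording + 0.3 * hosts + (0.2 if same_domain else 0.0)


def cluster_reports(reports, threshold=0.7):
    """Greedy single-pass clustering: a report joins the first cluster whose
    representative (its first member) scores at or above the threshold."""
    clusters = []
    for report in reports:
        for cluster in clusters:
            if similarity(cluster[0], report) >= threshold:
                cluster.append(report)
                break
        else:
            clusters.append([report])
    return clusters


def feedback_messages(clusters, verdicts):
    """One analyst verdict per cluster fans out to every reporter in it, so
    nobody who reported is left without a response."""
    messages = {}
    for cluster, verdict in zip(clusters, verdicts):
        for report in cluster:
            messages[report.reporter] = (
                f"Thanks for reporting '{report.subject}': assessed as {verdict}.")
    return messages


if __name__ == "__main__":
    clusters = cluster_reports(SAMPLE_REPORTS)
    print(f"{len(SAMPLE_REPORTS)} reports -> {len(clusters)} analyst decisions")
    for cluster in clusters:
        print([r.reporter for r in cluster])
```

Run stand-alone, the five constructed reports reduce to three analyst decisions: the three lure variants score well above the threshold against each other because their wording, link host and sender domain all match once numbers and URL parameters are masked, while the two benign messages stand alone. The verdicts themselves still come from a human (here passed in as a list), which is the human-in-the-loop arrangement the paper attributes to most organizations; the automation removes the repeated work and guarantees the feedback loop the previous paragraph calls for.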
The Bottom Line
Effective cybersecurity awareness employee training helps defend against malicious emails; however, too much reliance on employee reporting and human analysis strains resource time and attention. Automated email analysis lowers dwell time and reduces the burden on IT and security staff, accelerating incident response and improving overall email security.