EXPERT OPINION
Cybercriminals are increasingly using compromised credentials to access email accounts, sensitive information and corporate systems.
Proofpoint research found that account compromise was in fact the leading method of cyberattack in the UAE in 2019, impacting 28% of companies, followed by credential phishing (20%) and insider threats (17%). Phishing and impersonation attacks/Business Email Compromise (BEC) attacks accounted for 15% each among the organisations targeted last year.
In line with this, email fraud via Business Email Compromise (BEC), in which an attacker gains access to an email account and spoofs its owner, is on the rise globally – and is now being described as one of the most expensive threats on the cyber landscape. In fact, the latest FBI report estimates total worldwide losses as a result of BEC at US$1.7 billion in 2019.
Evidently, the threat outlook is fast evolving and we will continue to witness cybercriminals trying to gain a foothold and steal sensitive information via email-borne attacks.
How important is human behaviour in preventing these types of attacks?
Cybercriminals are increasingly targeting people rather than infrastructure. In fact, 99% of cyberattacks require human interaction to be successful.
CISOs and CSOs in the UAE recognise this human risk to their organisations, with 39% believing that their employees make their business vulnerable to a cyberattack.
Common security errors made by employees, according to CSOs and CISOs, include poor password hygiene (29%), mishandling sensitive information (25%), falling for phishing attacks (24%) and clicking on malicious links (20%).
"Employee education and security awareness is often the difference between an attempted cyberattack and a successful one."
Interestingly, 19% cited criminal insider threats as a growing concern for businesses.
Despite facing a fast-evolving threat landscape, 75% of CISOs and CSOs in the UAE admitted to training their employees on cybersecurity best practices as little as twice a year or less. Meanwhile, only 23% of organisations in the UAE train their employees more than three times a year.
Organisations must ensure that their employees are equipped with the knowledge and the tools to defend against all manner of threats. Employees at all levels must understand how simple behaviours – password reuse and mishandling of data – can have significant, far-reaching consequences. In order to do that, companies need to ensure they deploy regular and effective security awareness training to educate employees about best practices as well as establish a people-centric strategy to defend against threat actors’ unwavering focus on compromising end-users.
What should a robust email security strategy look like?
The best email security strategies foster a combination of technology and people. With the constant uptick in phishing attacks, it’s vital that businesses invest
42 Issue 29 | www.intelligentciso.com