The cause of the Dixons Carphone data breach announced earlier today has not yet been confirmed, but one possible route the attackers could have taken into the company’s systems is via an email attack.
Email is the number one route of attack, otherwise known as a threat vector, and according to a survey published yesterday by Barracuda Networks, email attacks on businesses are rising in frequency. What’s more, their associated costs are climbing sharply.
“Attacks are increasing, there’s no doubt,” Chris Ross, SVP International at Barracuda Networks, tells Verdict. Of the companies Barracuda surveyed, 73% said they felt email-based attacks were on the rise.
“I think the awareness of attacks is driving that perception and making people realise that it’s real, and that it’s not just news – it’s actually happening, probably to them while they’re thinking about it,” he said.
The human factor in email attacks
One of the key findings was the recognition by businesses of something that cybersecurity companies have known for years: when it comes to security, humans are the weakest link.
“End-users are recognising that the human element is becoming such a big gaping hole for them in their security,” says Ross.
“You can have all the best security solutions in place, but then whether it’s spear phishing attacks, attacking individuals or whether it’s just generally clicking bad links, email is now over 90% of the attack entry points, and still is the biggest threat vector. It hasn’t really changed.
“You can put all the tools in place that you like, but if you or I click on that bad link, you take the whole organisation offline.”
The business cost of an email attack or email-linked data breach
Of those surveyed who had been hit by a ransomware attack, 81% said they had followed law enforcement advice by not paying ransoms. However, a fifth of those who responded said they had seen costs associated with all types of email attack rise sharply.
So why are costs increasing so much? The answer lies in the associated loss of productivity.
“You can spend money and invest to block attacks, but that whole downtime that happens after it, whether it’s email having to be taken offline while things get cleaned up, or whether it’s taking the internet connection down or that they can’t reach data, well that cost to lost productivity is enormous,” Ross explains.
This aspect is often overlooked by companies, particularly when it comes to deciding whether investment in protection is worth the money.
“When most people think about ‘what’s the cost of this attack?’ they don’t always think about that whole offline period while they’re fixing it,” he says.
“If you worked out the cost of actually putting the right kind of solution in place, versus one or two attacks a year and the downtime that comes from that, it probably would have been a savvy investment to actually get fully protected up front, regardless of any other aspect.”
Preventing email attacks and the data breach that follows
While there are a host of software solutions that can help reduce the risk of an email attack and associated data breach, it is important to recognise that no solution can completely remove the chances of it happening.
“Having [tools] in place can help you greatly reduce [the chances of an attack],” he says. “I don’t know if any of us would be brave enough to say that you can completely eradicate it, because you’ve always got the human element.
“That was a big thing that came out of the research, and actually we were quite pleased to see the recognition that actually companies need to invest more to help their employees.”
This investment comes in many forms, but one of the biggest focuses is training.
“It’s important that that’s the approach because we get so many emails today, who really has the time, who really is able to go: is that one real? Or is that one not real?”
As a result of this change in attitude, a number of companies, including Barracuda Networks, are offering employee training services, including mock attacks.
“We have to drive the awareness and education, that’s our job. It’s not always obvious. You think back to a company working: if they haven’t been attacked – if they have been attacked and they look at how that attack happened, then usually it helps the discussion,” he says.
“But it’s like insurance: you don’t really think about it until you need it. So our job, and the job of us as an industry, is to actually drive that message, because if you don’t you’re still so vulnerable.”