IT research analysts, technology writers and vendors regularly cite their “top issues” facing IT professionals. But what are the most prevalent issues that IT professionals themselves say keep them up at night? After all, we’re the ones on the frontlines of day-to-day IT operations.
In an IT security survey that US Signal conducted earlier this year, respondents noted that one of their top three challenges was protecting against email threats. That’s not surprising given the extensive list of email-based attacks many companies (including mine) have been enduring, such as phishing, spear phishing, whaling, business email compromise (BEC), CEO-to-CFO scamming and email impersonation.
But just how big of a deal are email threats, and what are IT professionals doing about them? I can give you a firsthand perspective from my experience as CIO with Christian Brothers Services, a nonprofit that administers a variety of benefits programs to church organizations in the U.S.
Education vs. Email Threats
Email security threats do pose a significant problem for our company. In fact, phishing and spear phishing attacks occur every day. But those attacks only succeed if our own employees fall victim and don’t recognize the emails as suspicious from the start.
We are only as strong as our weakest link, and unfortunately, we know that people are usually the weakest link in any equation when it comes to machines. We can protect the company from 999 attacks out of 1,000. However, the ‘bad guy’ only needs to get one person to click on a URL or file attachment in an email to win.
Nonetheless, we are seeing growing success in our IT security efforts. A few years ago, we revamped our entire computer security awareness program to get in front of employees at least three to five days a week with news, education and useful information. Security is not a baked-in topic for all employees yet, so we’re trying to keep it consistently top of mind.
Much of our focus is on moving employee ‘awareness’ to ‘behavioral change’ over time. Our educational initiatives include conducting our own phishing and spear phishing tests with our employees every month. They’re designed to be educational and informative, rather than punitive.
Behind-the-scenes Security Efforts
Overall, my team is trying to help employees by fending off threats as much as possible through implementing safeguards where prudent, appropriate and reasonable. We hope that other nonprofits and organizations can use some of these suggestions themselves.
For example, in addition to educational resources, we remove spam and junk messages before they even hit an employee’s inbox. All messages from the outside are labeled with [EXTERNAL] in the subject line.
We validate every single inbound URL in an email message, stripping away known harmful URLs and file attachment types like .EXE files that can execute malware code. We provide a secure message center for our employees to encrypt outbound messages. Plus, we automatically encrypt all messages found to contain sensitive information or a large amount of data.
While our IT team’s efforts aren’t stopping email threats entirely, they are making a noticeable difference.
It can be difficult to see the forest for the trees, but I think if we stopped doing all of these things, people would react. They’d become less efficient, less effective and less productive, and our IT security risks would increase to the point where the business itself was at risk.
Bolster Your IT Security
If your nonprofit or company doesn’t have a sizeable IT security budget or staff, teaming with an IT solution provider, such as US Signal, is an ideal supplement. Providers like this can offer you recommendations on technologies needed to minimize your security risk profile and even help you manage them, so you can focus on educating your employees and keeping your business or nonprofit up and running seamlessly.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.