IT Security Guru
Employees – the weakest link in email security?

How the careless handling of emails jeopardises company security

by The Gurus
November 26, 2019
in Featured

Email is not only one of the most important channels of communication in day-to-day business, but unfortunately also one of the biggest gateways for cyber attacks. According to the security and network specialists Barracuda Networks, 91% of all attacks start with an email. Gateway solutions such as Barracuda Essentials therefore represent an important first line of defence against the dangers posed by malicious emails. Not only do such solutions reliably recognise spam and phishing emails, they also provide protection against sophisticated attacks such as zero-day attacks, in which cyber criminals exploit unpatched security flaws in firmware and software in order to deploy malware or steal data.

Thanks to the use of cutting-edge techniques such as sandboxing and artificial intelligence, it is becoming increasingly difficult for cybercriminals to overcome these defence systems. They are, therefore, increasingly mounting targeted attacks on workers by sending personal messages tailored to the recipient. Such emails are often not recognised as spam or phishing attempts by the defence systems, and these messages are therefore able to slip past the protections in place.

Unfortunately, this method has a high rate of success. In the hectic rush of day-to-day work, the recipient opens the attachment, clicks on the links it contains or carries out instructions that appear to come from the boss, without carefully checking the legitimacy of the message or consulting in-house security experts. According to a worldwide survey carried out by B2B International on behalf of Kaspersky Lab, 46% of all IT security incidents can be traced back to such misconduct by employees. The market research company Osterman Research records similarly alarming results: of the companies surveyed by Osterman, 34% had been victims of successful email phishing attacks, 17% had seen sensitive or confidential data accidentally or maliciously forwarded by email, 14% reported successful spear phishing attacks on managers and 11% had been affected by CEO fraud (you can find out more about spear phishing and CEO fraud in this article).

The significance of the human factor in IT security has also been clear to managers for a long time. According to the study ‘The email threat: the main concerns of EMEA IT stakeholders and the importance of staff training’, which was published by Barracuda Networks, 79% of the technicians and managers asked believe that improper employee behaviour is a bigger threat to email security than inadequate or incorrectly configured technical equipment. The survey participants see departments such as finance, sales and marketing and customer support as particularly vulnerable, because these staff members have access to particularly sensitive information and systems.

Awareness training – a good investment in IT security

It is therefore clear to most of the managers surveyed that any improvement to IT security must involve staff. Eighty-nine percent (89%) think training programmes are ‘very important’ (54%) or even ‘extremely important’ (35%). The following principal options are available to increase staff awareness:

– Face-to-face training. This traditional method of instruction allows a direct exchange between trainers and participants. The security specialist giving the session can respond individually to employees’ questions and fill their specific knowledge gaps. Theoretical training should be supplemented with live hacking demonstrations in which trainers show in practice how easily technical security measures can be undermined by misconduct. Face-to-face training is, however, expensive and time-consuming. In addition to the expense of hiring training personnel, there is the lost productivity of the participants and sometimes travel costs. Moreover, training sessions of this kind are only worthwhile with a small number of participants, so they must be repeated several times. Because of the large amount of effort and the costs involved, the intervals between training cycles are usually long. In the meantime, however, the lessons learnt fade from memory and the danger of misconduct and carelessness rises again.

– Simulated attacks. Unannounced simulation tests consisting of common attack scenarios can not only increase employees’ awareness of existing cyber threats, but also provide those responsible for IT security with a good overview of the current status of staff security. This enables specialists to develop further targeted measures and to directly address those people who exhibit particularly risky or reckless behaviour.

– Computer-based training (CBT). In this approach, the staff member individually undertakes training on their PC at a time that suits them. Training modules can build on one another and must be completed at regular intervals. This method ensures that the security awareness of employees always remains at a high level and keeps pace with new developments. Such training sessions are particularly effective if the example attacks are tailored to the day-to-day workings of the specific department and position of the staff member.

An example of a solution that can be used for both simulated attacks and computer-based training is ‘Barracuda PhishLine’. It offers numerous simulations and training topics that can be individually adapted to the job profile of a staff member and the threat situation in the company. In addition to planned regular training sessions, spontaneous actions are also an option, for example in order to provide targeted training to a worker who was uncertain in a simulation test or exhibits a specific risk profile. The integrated phish-reporting button enables staff members to report suspicious emails to IT security officers.

Summary

Technical measures such as spam filters and email gateways are necessary and useful tools to protect companies from dangerous emails. However, they fall far short of what is needed. In fact, the greatest risk facing email security is the misconduct of staff members. This is responsible for a large proportion of all security incidents and successful attacks. Companies should therefore invest more in training their employees, not only to increase understanding of the risks at hand, but also to coach staff in how to respond correctly in the event of suspicious-looking messages. Face-to-face training sessions are not entirely suitable for this. They cost a great deal of time and money and are therefore usually only undertaken infrequently. Computer-based training modules, which must be completed at regular intervals, are a better and more efficient option. It is best if these are combined with unannounced simulated attacks using test phishing emails. In this way, staff awareness of the dangers of email communication will be improved in a sustainable, long-term and efficient way.

– Written by Chris Ross, SVP International at Barracuda Networks

© 2015 - 2024 IT Security Guru - Website Managed by Dessol