Security and Email Security

How should the security industry innovate against email risks over the next five years?

by Marcus White
Published on 25th Jul 2022

Our research has revealed that 80% of security professionals have experienced increased security threats since shifting to remote work. To stay protected against attacks and reduce the chances of losing significant amounts of money, putting their users at risk, or destroying their reputation, organizations must do more to innovate against email risks. 

In our most recent report, "Cybersecurity experts' views on email risk within Microsoft 365," we identify many of the risks Microsoft 365 users face. We spoke with three security experts to gain insights into how the security industry should aim to innovate against email risks in five years' time.

This article features some key quotes from the report. You'll find insights from Lisa Forte, Co-founder, Red Goat Cyber Security LLP; Robin Bell, CISO, Egress Software Technologies; and Jack Chapman, VP of Threat Intelligence, Egress Software Technologies. 

Our current training methods aren't effective enough

Phishing remains one of the most common security threats for organizations, with 84% of organizations falling victim to successful phishing attacks within the past 12 months. This suggests that something about our current user training methods is failing drastically and leaving organizations vulnerable to attacks. 

One of the key reasons behind this is that many organizations still use ineffective, outdated training methods that their users forget quickly. No matter how many training days we cram into people's calendars, we must remember that we are all human and will inevitably make mistakes. These ineffective training methods are typically coupled with over-restrictive security controls that prevent users from working effectively. This can often lead to people seeking out risky workarounds to get their work done.

Lisa Forte suggests that we need to update our training methods to become more effective. "There are many interesting ideas out there – machine learning showing perhaps the most promise. I think we also want to shift away from the 'username and password' authentication practice," she says. 

"I would like to see the security industry look at things in a more scientific way – if click-through user awareness training was working, we wouldn't be seeing breaches, leaks, and ransomware increasing. So, we need to look at the data and try new things to make sure we aren't handing our assets over to attackers on a plate."

We can reduce the burden on IT and security teams through automation 

Most IT and security teams are under an immense amount of pressure. They have a seemingly never-ending list of tasks ranging from innovating existing processes to researching and selecting new technologies. 

Robin Bell suggests that the best way to innovate against email risks is through "More integration across products, enabling easy (low-code) methods of automating tasks to reduce the burden on IT and security teams."

Automating mundane, repetitive tasks can free up time for teams to work on the things that really matter. It also reduces their chances of making mistakes that could jeopardize the organization's security. 

"I'd also like to see more contextual protection for users based on who they communicate with, including developing a deeper understanding across different mediums – SMS, WhatsApp, email," adds Bell. 

Finally, it's time for us to ditch the confusing tech buzzwords

"We need to up our game. We need to be really focused and create smart, innovative technology that proactively mitigates advanced threats and does it in a way that enables and removes frustration for users and administrators," says Jack Chapman. 

One significant source of frustration for both users and administrators that can lead to confusion and cause unnecessary mistakes is the overuse of tech buzzwords. Many buzzwords have become so overused that we're not even sure what they mean anymore: think "big data" or "smart cities." 

If the meaning isn't immediately apparent, or there's a significant chance that your users could misunderstand it, then it's probably best not to use it. "Although a quantum-AI-blockchain zero-trust coffee machine does sound good," Chapman admits. 

Bolstering email security and reducing the chances of falling victim to email threats is a priority for many organizations. Therefore, many choose to augment their Microsoft 365 defenses with additional protection that helps to empower their users. 

You can download our report here to learn more about augmenting your Microsoft 365 defenses and access the full range of insights from the experts.