Security and Email Security

What should a CISO's priorities be for reducing inbound and outbound email risk in M365?

by Marcus White
Published on 26th Jul 2022

While cybersecurity risks are similar across the board for any IT leader, it's down to each CISO to decide what takes priority. Before doing that, they need to assess the risks and plan accordingly for them. 

Unfortunately, many businesses don't do this. A 2022 UpCity study – the Small Business Cybersecurity Survey Investigations Report – found that only 50% of SMBs have a cybersecurity plan. Thirty percent of those respondents said they plan to create a cybersecurity strategy this year, while the other 20% have no intention of doing so in the near future.

For those who do have a plan, prioritizing actions can feel like something of a minefield. As part of our "Cybersecurity experts' views on email within Microsoft 365" report, we brought together expertise and insights from Lisa Forte (Co-founder of Red Goat Cyber Security LLP), Robin Bell (CISO, Egress Software Technologies), and Jack Chapman (VP of Threat Intelligence, Egress Software Technologies). They discuss their thoughts on what the priorities of CISOs should be when it comes to reducing inbound and outbound email risk in M365.

Staying up-to-date, vigilant, and adaptive

Prioritizing risk reduction should, first and foremost, center around what risk means to your business. Assessing this up front is what makes it possible to measure where improvements have been made later on.

"The first and most important step should be understanding the risks they are facing," says Jack Chapman. "We often talk about a 'cookie-cutter' cyber mould for business; however, in an operational sense, this is not effective. It's important to understand the risks your organization faces in order to prioritize the right layers of security across people, technology, and policy. Plus, if you don't understand where you are starting, how can you measure progress?"

At a time when 82% of CISOs believe their organizations are vulnerable to cyberattacks, putting protections in place promptly relies heavily on proper prioritizations.

Doubling down on your security to reduce the risk

For Robin Bell, it's about balancing the benefits of M365 with your business's own specific risk concerns. "Understand the limits of the Microsoft 365 product, then identify products that complement and seamlessly integrate with it to manage and reduce those risks."

Reacting to cybersecurity events isn't enough – organizations need to be proactive, which requires a deep understanding of where your risks lie to put the right protections in place. 

Training and tools

An unavoidable part of outbound email risk is human error. Some human error issues are skill-based, where carelessness or negligence is the cause; others are decision-based, where a wrong or even malicious choice is made. Regardless of the type of error, all of them can be reduced with the proper training and tools.

"Focus on the 'human activated risks,'" says Lisa Forte. "We want to see layers of security starting with training our employees in a more engaging way than we currently are. We need to reinforce this training and back it up with more intelligent email security tools to catch the moments when someone makes a mistake. The key to success is that, ultimately, any tool or service you deploy has to be user-friendly and frictionless. Otherwise, corners get cut, and you are back to the start!"

Lack of training can cause serious issues, from sharing sensitive information with people who shouldn't receive it to data leaks that put entire organizations at risk. This year, the cruise line operator, Carnival, was slapped with $5 million in fines due to security violations. It was criticized particularly heavily for not implementing multi-factor authentication and not training staff in cybersecurity matters. 

The key takeaways are that it's down to each organization to decide what's right for them in terms of IT prioritization regarding inbound and outbound email risk in M365 and train their teams accordingly. As Rachel Wilson, Head of Cybersecurity at Morgan Stanley, said in the recent "Impacts of insider data breaches" webinar at Human Layer Security Global, "The onus is on security leaders to give people the right tools to do their jobs and prevent them from causing breaches."