Here’s how to build a cyber resilient organisation

You recently issued your State of Email Security 2022 report. Can you take us through the various steps in this report?
This year marked the release of our sixth annual State of Email Security 2022 report, a global survey of IT decision-makers that seeks to shed light on three important elements – firstly, the cybersecurity challenges IT decision-makers continue to face, such as phishing and ransomware; second, the gains in cyber resilience that come as a result of new technology implementations; and third, external forces, such as budget increases or government mandates, that are impacting their businesses. The survey is conducted in twelve countries and includes input from 1400 IT and cybersecurity professionals.

At a global level, our report found that the cyberthreat landscape is dire, with nearly three in four respondents reporting that the level of email-related cyberthreats continue to rise, and the majority saying such attacks are becoming increasingly sophisticated. Other key global findings include that nearly every company surveyed had been the target of a phishing attack, and that three in four companies had suffered a ransomware attack, leaving nearly half (48 per cent) out of business for a week or more.

How do you see the threat landscape in the Middle East, specifically UAE and Saudi Arabia?
Our data found that, while there is concern over email security, it’s not all bad news for the region. 84 per cent of UAE respondents expect to suffer a negative business impact from an attack in 2022, and 92 per cent of Saudi Arabian organisations report the same, with 14 per cent saying it’s inevitable.

In the UAE, 94 per cent of organisations have been the target of email-related phishing attacks, but 30 per cent report a decrease in the volume of such attacks, with 20 per cent noting it is a ‘significant’ decrease. Other attack types, including business email compromise, spoofed emails, and internal threats or data leaks initiated by malicious insiders also saw decreases in volume over the past year.

Furthermore, 46 per cent of organisations in UAE and 44 per cent in Saudi Arabia provide ongoing cybersecurity awareness training, well ahead of a global average of 23 per cent. And nearly all organisations in the region either have or are in the process of planning or implementing a cyber resilience strategy.

While 60 per cent of companies in Saudi Arabia and 76 per cent of UAE organisations were hit by a ransomware attack, the region is setting an example with an average downtime of only five days in Saudi Arabia and 5.8 days in UAE, compared to a global average of over a week.

And despite email usage increasing at eight out of ten companies in Saudi Arabia, only 38 per cent were concerned over increasingly sophisticated attacks, and less than a third were concerned about insufficient security budget. Meanwhile, 38 per cent of respondents from Saudi Arabia also expect incoming government mandates to bring overall improvements in cybersecurity, further bolstering the country’s resilience against cyberattacks.

Zero Trust being a buzzword of all time, what is your take on this approach?
Zero trust is a network security approach based on the concept of ‘never trust, always verify’. When applied more broadly, employees can use it to inform almost every security question. Business conversations about zero trust generally focus on technical details such as identity management and network micro-segmentation, but this ignores the vital element of human beings. If employees click on malicious links even when told not to, or overshare personal and professional details on social media – thereby equipping threat actors with valuable data for social engineering – a zero trust approach won’t deliver the secure environment all organisations seek.

Zero trust is particularly effective against insider threats as these often involve employees making careless mistakes, which a zero trust approach would help prevent and mitigate. In fact, all the money invested in zero trust architectures will be wasted if employees don’t also adopt a zero trust approach in their personal and professional lives. However, it is only one part of a layered security strategy that seeks to build defence in depth. Adding a zero trust layer to an organisation’s cyber resilience strategy can help protect users from malicious links in emails and attachments, but there is no substitute for regular, ongoing and effective cyber awareness training to help build safe and healthy cyber habits throughout the organisation.

What are some of the email security trends to look out for in 2022?
Firstly, social media and past breaches may come back to haunt us this year. After years of high-volume breaches combined with employees sharing excessively via social media, the trove of personal information and intelligence available to attackers is extraordinary and beyond disturbing.

Our CEO, Peter Bauer, predicts that this will enable adversaries to craft even more convincing attacks, aggressively targeting the human layer and resulting in significant business disruption and a corrosion of trust. In addition, the growing importance of business productivity suites, email and cloud communication services will continue to provide attackers with optimal channels to target their victims, demanding new strategies and tools from organisations and their security teams.

The pandemic will also continue to change the cybersecurity game. Following two years of rapid digital transformation in response to pandemic-related challenges, and the switch to hybrid work models, companies’ attack surface has increased and with it exposed security vulnerabilities many companies didn’t even know existed.

The efficacy of cybersecurity policies will come into sharp focus in the year ahead. Mass digitisation has resulted in a digital equivalent for most business components, but the risk mitigation that is so established in physical business processes are not yet evident in their digital twins. A report Bridging the Divide: Digital Transformation & Cybersecurity in Saudi Arabia and the UAE, released in 2021, found that more than two-thirds of organisations in the region have had to postpone a digital transformation initiative due to cybersecurity concerns, with 65 per cent reporting they have cancelled such an initiative outright. Alarmingly, the same report found that 76 per cent of organisations in the region are taking a reactive rather than proactive approach to security. Cybersecurity teams will need to close that gap in 2022 to keep their businesses and users safe.

Ransomware will continue to damage and disrupt businesses. Our State of Ransomware Readiness research found that eight out of ten global organisations suffered a ransomware attack in the past two years, with more than a third opting to pay the ransom. And with the rise of ransomware-as-a-service, more threat actors than ever before are potentially being armed with dangerous cyberattack tools that could cause disruption and economic damage.

What measures do you think employees and organisations can take to build greater cyber resilience?
In addition to a layered security strategy, cyber awareness training is one of the most effective ways of strengthening an organisation’s overall cyber resilience and should be a top priority for business leaders in the region.

Encouragingly, 46 per cent of UAE companies, and 44 per cent of Saudi Arabian ones, provide ongoing cyber awareness training, twice the global average of 23 per cent. And these efforts are paying off: only 66 per cent of UAE respondents were concerned about employees oversharing company information on social media, far below the global average of 81 per cent, while more than one in ten believed there was no risk at all to employees using personal email.

In Saudi Arabia, the use of cyber awareness training appears to be translating into some positive behaviour: only two-thirds of organisations said they were concerned over employees using personal email against a global average of 81 per cent, while 60 per cent admitted to being worried that employees overshare company information on social media, compared to 80 per cent of organisations globally.

Read: Cybersecurity attack: It all begins with an email, says Mimecast