Leading the Charge: HR Managers and Employee Email Security
This article was updated on September 3, 2018.
Employee email security remains a huge challenge for organizations. According to Verizon, 30 percent of phishing emails are opened and more than 10 percent of employees follow malicious links. The result? A new area of impact has emerged for HR leaders. Here's a look at how HR professionals can help lead the charge in keeping corporate email secure.
Success and the Storm
Email scammers continue to enjoy marked success. As noted by CSO, an email scam in 2016 fooled 108 employees of Los Angeles County, in turn putting the data of more than 756,000 citizens at risk. While the government agency has been tight-lipped on the attack details, information ranging from first and last names, dates of birth, Social Security numbers, banking information and medical records were all compromised.
Bleeping Computer, meanwhile, notes that email attacks are changing as security organizations design new response techniques. Consider the use of "snowshoe spam" attacks, which see different IP addresses each sending just a few emails over a period of weeks or months to create a kind of sustained traffic effort that seems virtually identical to regular corporate traffic. Information security (infosec) tools have now determined the hallmarks of these snowshoers, prompting the development of "hailstorm" attacks that send a huge volume of emails in a very short time — for comparison, a recent snowshoe attack produced 35 domain name system queries per hour while a hailstorm produced 75,000. Some attacks happen so quickly that they're over just as standard detection methods register something is wrong.
Defending the Network
So what does this mean for organizations looking to cut down on email risks? That attackers aren't resting on their laurels but instead looking for new ways to convince employees that they should open malicious mail and follow compromised links. It's not entirely hopeless, however. Dark Reading points to the critical role of "human firewalls," or staff who have the proper tools and training to detect and avoid spam campaigns. Since email can't (yet) open itself on employee devices, this is the most effective way to reduce the chance of network compromise.
And it all starts with HR. While IT gets the burden of dealing with post-breach cleanup and explaining to the C-suite why more infosec investment is necessary, tech experts may not be the ideal candidates to educate employees. Think about it like this: They're instrumental in setting up the right tools, such as Transport Layer Security (TLS) and Domain-Based Message Authentication, Reporting and Conference (DMARC), while HR professionals excel at the human side of technology interaction.
Consider this scenario — Employees with multiple projects on their plate often handle huge volumes of email each day. As a result, phishing emails and malicious attachments may slip through despite good intentions and best efforts. HR experts are the ideal choice to design people-friendly training plans, which help staff recognize potential email scams and report any accidental opening or downloading that may lead to network compromise. This last step is an especially critical role for HR.
Employees who are given a clear, safe path to email issue reporting can help catch cybercriminals in the act. Staff told they're on the hook for even minor missteps, meanwhile, may hold back critical information and put networks at risk. The right HR plan can both empower employees and reduce total email risk.
The HR Game Plan
Addressing the email issue is best served by a trio of efforts from HR managers.
1. Awareness Training
Scammers are looking for the fastest route from message to malicious action. As a result, attack emails often contain notoriously poor grammar or demand that employees act immediately. By educating employees about typical phishing "tells" and assuring them that they won't be punished for seeking confirmation or asking questions, even if the email appears legitimate, managers can significantly reduce the number of opened emails.
2. Interactive Learning
Think online quizzes and webcasts. Sure, this should be mandatory but that doesn't mean it can't be engaging. Ideally, HR leaders need to draw parallels between personal and corporate privacy and help staff develop the ability to recognize fraudulent messaging on their own.
3. Monitor compliance
By identifying and tracking key metrics, such as the number of incidents reported and visits to unapproved sites, HR teams can determine which employees haven't taken the training to heart. HR is also in the ideal position to address these issues through conversation and remediation rather than punitive measures. This has the dual benefit of improving employee trust while also making it clear that any actions taken on corporate networks are closely monitored.
Email scams remain a popular way for hackers to gain quick network access or infect target devices. Improving employee email security means developing a human firewall backed by solid metrics and led by HR leaders who can effectively communicate the scope and severity of email issues while simultaneously offering actionable solutions.