Email is the primary vector of attack for cyber-criminals; in short, this means that if you want cost-effective security, invest early in Email Security and Endpoint Security.
When a cyber-criminal sends you a Phishing email, we highly recommend having a reporting process and tool ready to help you combat it. This can be through the NCSC’s reporting service or within your vendor’s systems. Often Phishing is used to validate information and identify people who are vulnerable to an attack of this sort.
Spear-Phishing is much more targeted and is often made to look like it is from a trusted colleague or supplier, or an authority figure such as a Director or public body. It will often be the source of a breach or a malware attack.
Email Servers are often the most vulnerable systems in a business because they, like Web Servers, are public-facing. Early investment in patch management is incredibly important so that when new CVEs are found they can be routinely remediated.
How much does it cost to suffer an email breach?
Aside from the reputational cost of a successful cyber-attack, which is significant but hard to quantify, it is thought that globally Business Email Compromise costs just shy of two billion U.S. dollars a year. It is nearly impossible to prevent the leak of data once it is made available in criminal information-exchanges: prevention is the best medicine.
Increasingly, regulatory bodies such as the ICO will fine an organisation that has not taken reasonable care to protect the information of its staff, suppliers and customers. This is especially pertinent to medical, financial, legal and children’s data.
While affordability is a key concern for any business, it is simply the case that the ICO is well aware that small investments in Email and Endpoint security can have significant positive returns. Patching in itself can prevent a significant number of attacks.
For any organisation that handles digital information, affordability does not preclude protection of the data you collect. This is doubly so for businesses based in the UK because the ICO and NCSC have a vast array of information to hand to help organisations of all sizes implement best practice.