Connect with us

Hi, what are you looking for?


Email Security

Leveraging People in the Email Security Battle

Email Security Competition Heats Up

A combination of humans and technology is needed to truly move the needle on email security

Email Security Competition Heats Up

A combination of humans and technology is needed to truly move the needle on email security

Understanding the email threat landscape – what is emerging, who the threat actors are, what the latest tradecraft is, and the most commonly deployed attack techniques effectively circumventing legacy email security technologies – is critical for an organization to protect themselves. Every email that bypasses vendor email security technologies and lands in the inbox of employees of organizations is a potential for significant compromise or loss of data. 

The leading method for compromising someone is credential harvesting, and it is also the leading initial attack vector into an enterprise as it does not entail getting malware to the inbox – creating a blind spot for most Secure Email Gateways (SEGs). There is no way around it: the vast majority of companies will be attacked through credential phishing and the SEG is simply not in a position to fully protect you. Luckily, your employees are human, and humans are exceedingly good at recognizing patterns. 


Your company is indeed unique. You have ‘x’ employees, exist in ‘y’ vertical, operate using ‘z’ email provider, etc. All these variables do make you different. What is not different is that your company is made up of people who are both vulnerable and able to be trained to report suspicious emails, and your SEG has shortcomings that are exploited everyday by nation-state actors and cybercriminals. 

These truths are the foundations for a few key principles: 1) People must be encouraged to report things they feel are suspicious, and 2) Leveraging the power of the collective human ecosystem for detection, along with strategically applied technology solutions to scale response and remediation is how you deal with a continually changing threat landscape. 

Technology doesn’t work in isolation; the SEGs inability to block emerging threats, are a great example of this. However, when you leverage human knowledge to create a feedback loop with appropriate technology in the fastest and most actionable way, you can create a crowd-sourced, self-healing email ecosystem that can position your company to be ahead of the threats that make it through the SEG. 

Advertisement. Scroll to continue reading.


The number of blocked malicious emails isn’t a true measure of success in the land of email security, but rather how the ones that went by the front-line controls are rapidly detected and prevented from turning into a data breach. It is the threat bypass rate that matters – the threats that bypass SEGS that SEG vendors don’t share. 

[ ReadThe Race to Find Profits in Securing Email

From a business perspective, this makes perfect sense: SEG vendors don’t have a vested interest in sharing what they missed. They don’t have visibility into what they missed, and though they do seek to improve their filtering, they don’t have a vested interest in highlighting how long it might take them to update their technology to improve that filtering. Security teams know this, and are often resigned to acknowledging some percentage of bad will get in. 

No security solution is perfect. If it were, there would not be a multi-billion-dollar criminal industry hammering away at companies. However, the application of detection and response technology can turn the tables on the risk-reward equation for an adversary. This is evident in the expansion of tools that provide detection and response capabilities, such as MDR, EDR, XDR, PDR, etc.


A combination of humans and technology is needed to truly move the needle on email security; leveraging humans for detection makes it hard for the attackers to predict whether or not their malicious emails will be identified and using technology to automate response provides scale and speed in resolution. As soon as a SOC can part with the mantra ‘the human is the weakest link’, they can begin to see this for themselves. 

For the Security Awareness Manager, simulating threats that are as close to real is critical. The threats you simulate must be relevant to the circumstances of the time, the demographics and regions, as well as the industry, scale and other external factors that influence your business and your employees. Thus, security awareness managers and SOC operators should work in unison to devise simulations that closely mimic the latest threats targeting your organization. 

There is a full range of philosophies around how to simulate email attacks, and how to deal with employees that fail tests. Punitive programs that admonish employees who repeatedly fall prey to phishing simulations, though tempting, creates significant drops in reporting by the employees and creates an environment of mistrust between corporate security teams and the rest of employee base; this is obviously counter-productive. I don’t recommend a three-strikes-you’re-out policy, and adamantly reject any policy that punishes employees for reporting emails that turn out to be benign. Positively reinforcing employees that accurately identify malicious emails and gently guiding those that may have reported innocuous ones fosters an environment of trust and learning, hence yielding the best outcomes. 

Awareness teams should steer clear of hinging their programs on ‘click rates’ but rather focus on resilience as measured by the ratio of employees accurately reporting simulated attacks to those falling victim. Employees hate having their time wasted. Whenever the employee’s time is not respected, engagement drops, results drop, and phishing response doesn’t improve. However, when an employee is trained on threats that are known to bypass the technology stack you employ, and you share the knowledge that simulations are intended to be tricky, but represent a real threat, you can position your employees to be your biggest asset. 

It is through the combination of harboring the wisdom of the collective, with the wisdom of your specific employees and responding to that wisdom promptly and efficiently through the application of technology that you will stay ahead of email threats. 

ReadThe Race to Find Profits in Securing Email

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.


The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Fraud & Identity Theft

Famed hacker Kevin Mitnick has died after a battle with pancreatic cancer.  At the time of his death, he was Chief Hacking Officer at...