Robin Bell, CISO at Egress, provides insight into the essential components of robust email security strategies.
Psychologists estimate that an individual makes around 35,000 decisions every day, roughly one every two seconds. That is not to say each decision has a big impact: most are small and instinctive, like taking a sip of coffee, turning on the work laptop, or clicking a hyperlink in a seemingly normal email.
Email is the backbone of business communication and an instinctive tool for every employee. Despite COVID-19 driving the adoption of messaging apps and video conferencing, four out of five employees say email is their preferred way to communicate. That ease of use comes with risk.
Phishing attacks are increasingly sophisticated. They are not necessarily more prevalent, but these advanced threats are getting through traditional defences, so the volume reaching users feels as though it has increased.
So, how do you tackle advanced cyberattacks whilst reducing friction and maintaining (or improving) productivity?
The impact of heuristics on email security
Heuristics are the rules of thumb, or mental shortcuts, that simplify decision-making. Several are known to influence email security:
- Authority Bias – Believing the information has been verified fully by an organisation or individual with formal authority.
- Availability – Assessing how likely an event will occur or how often it occurs based on how easily the event can be recalled.
- Halo Effect – A quick judgement, usually based on a recent experience, a single characteristic or a first impression.
- Hyperbolic Discounting – Choosing immediate rewards over future gratification.
- Representativeness – Judging how likely something belongs to a category based on similarities with members in the category already.
It is well known that cybercriminals exploit these heuristics, especially in phishing attacks, relying on a slip-up by an unsuspecting employee. Authority bias is essential to CEO fraud, hyperbolic discounting to fraudulent flash discounts with tight deadlines, and the halo effect to brand impersonations that build on previously legitimate correspondence.
Outbound data loss via email also often rests on a heuristic. The sender assumes they will not make an error when sharing sensitive information because they never have before.
Applying nudge theory
Nudge theory focuses on shaping the environment to promote certain outcomes by influencing decision-making. In email security it has several applications, combining an intervention at the moment the risk appears with a clear explanation that increases the individual's understanding.
Traditional email security solutions tend to offer a quarantine for admins to sift through and static prompts to prevent incidents. But if users are told to treat every external email with caution, the warning carries no information and their heuristics apply to all of them. Availability comes into play if the individual is rarely targeted with phishing: they will assume the email is legitimate, as it seemingly always is. A business email compromise attack that imitates a legitimate request extremely well can see the recipient file it in the same category automatically, because that is what they do with every request of that nature.
Outbound isn't safe either. Generic pop-ups lead to click fatigue, and continuing past a prompt easily becomes routine. Because the message is generic, the user is not told whether the prompt appeared because of a lack of knowledge, an incorrect rule, or a lapse of memory. In fact, they will not normally recognise that a mistake has been made at all.
Nudges are essential, but they must be informative, relevant, timely and distinctive to have an impact.
Using AI to deliver nudge theory within Microsoft 365
For nudge theory to work effectively in email security, software using AI and machine learning should be considered, and regular reviews of your current cybersecurity software are crucial. For the gold standard, there are a few features IT security decision makers should look for. Firstly, for inbound threats, the threat can be neutralised and the email still delivered to the inbox with a dynamic banner that explains the specific risk to the end-user. Banners need to be written in non-technical language to avoid alienating the individual and discouraging continued learning, and colour-coding them to indicate the level of risk makes a real difference.
In a recent report analysing people's ability to accurately identify phishing emails, a large improvement was seen as nudges and real-time teachable moments took effect, with one organisation seeing a 475% increase in phishing emails caught after six months of nudge banners being deployed.
Fundamentally, teaching someone to catch a phish is more sustainable for long-term resilience.
With outbound email security, which is often overlooked, real-time prompts should appear only when a risk is detected rather than for each and every message sent. Call it click fatigue or banner fatigue: prompts need to be specific and provide a clear explanation so that they grab the user's attention, so be sure to ask for an in-depth demo when weighing up your cybersecurity options.
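To make the difference between a generic prompt and an informative, risk-specific nudge concrete, the following is an added illustration written for this page; it is not Egress product code. It assumes that the mail pipeline supplies SPF/DKIM results, display name and Reply-To as fields on a message, uses string similarity to spot lookalike domains against a constructed directory of known domains, and keys the outbound check to a constructed "confidential" classification. Every message below is constructed. The inbound path returns a colour-coded banner with a plain-language reason for each finding, and both paths return nothing at all for a routine message, so the nudge only appears when there is something to say.

```python
from __future__ import annotations
import re
from difflib import SequenceMatcher

# Constructed directory (illustrative): domains the organisation regularly
# corresponds with, and names of senior staff worth impersonating.
KNOWN_DOMAINS = {"example.com", "partner.example.org"}
INTERNAL_NAMES = {"Jane Doe"}

# Hyperbolic discounting: phrases that push the reader to act before thinking.
URGENCY = re.compile(r"\b(urgent|immediately|within the hour|today only|expires)\b", re.I)
SEVERITY_RANK = {"amber": 1, "red": 2}


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def lookalike(domain: str) -> str | None:
    """Return the known domain this one closely resembles (typo or impersonation), else None."""
    if domain in KNOWN_DOMAINS:
        return None
    for known in KNOWN_DOMAINS:
        if SequenceMatcher(None, domain, known).ratio() >= 0.8:
            return known
    return None


def inbound_findings(msg: dict) -> list[tuple[str, str]]:
    """Risk-specific findings for an inbound message as (colour, plain-language reason)."""
    findings = []
    sender, dom = msg["from_addr"], domain_of(msg["from_addr"])
    if msg.get("spf") != "pass" or msg.get("dkim") != "pass":
        findings.append(("red", f"This email says it is from {sender}, but it failed the checks "
                                f"that prove it was sent by {dom}'s mail system."))
    if known := lookalike(dom):
        findings.append(("red", f"The sender's domain '{dom}' looks like '{known}' but is not the same."))
    # Authority bias: a colleague's display name on an external address (CEO fraud).
    if msg.get("display_name") in INTERNAL_NAMES and dom not in KNOWN_DOMAINS:
        findings.append(("red", f"The name '{msg['display_name']}' matches a colleague, "
                                "but the address is outside the organisation."))
    if (reply_to := msg.get("reply_to")) and domain_of(reply_to) != dom:
        findings.append(("amber", f"Replies will go to {reply_to}, not to the address this email came from."))
    if URGENCY.search(msg.get("subject", "") + " " + msg.get("body", "")):
        findings.append(("amber", "This email pushes you to act quickly. Pressure to hurry is a common sign of fraud."))
    return findings


def inbound_banner(msg: dict) -> tuple[str, str] | None:
    """Colour-coded banner for the inbox, or None so a clean email carries no warning at all."""
    findings = inbound_findings(msg)
    if not findings:
        return None
    colour = max((c for c, _ in findings), key=SEVERITY_RANK.__getitem__)
    return colour, " ".join(reason for _, reason in findings)


def outbound_prompt(msg: dict) -> str | None:
    """A specific prompt only when an outbound risk is detected; None means send without interruption."""
    reasons = []
    for rcpt in msg["to"]:
        dom = domain_of(rcpt)
        if known := lookalike(dom):
            reasons.append(f"'{rcpt}' goes to {dom}, which looks like a misspelling of {known}.")
        elif dom not in KNOWN_DOMAINS and msg.get("classification") == "confidential":
            reasons.append(f"The content is marked confidential and '{rcpt}' is outside "
                           "the organisations you usually share with.")
    return " ".join(reasons) or None


# Constructed sample messages, not real traffic.
PHISH = {"from_addr": "jane.doe@examp1e.com", "display_name": "Jane Doe", "spf": "fail", "dkim": "none",
         "subject": "Urgent: supplier payment", "body": "Please pay the attached invoice immediately."}
CLEAN = {"from_addr": "alice@example.com", "display_name": "Alice", "spf": "pass", "dkim": "pass",
         "subject": "Minutes", "body": "Attached are the minutes from Tuesday."}
TYPO = {"to": ["bob@exmaple.com"], "classification": "internal"}
ROUTINE = {"to": ["bob@example.com"], "classification": "confidential"}

if __name__ == "__main__":
    for m in (PHISH, CLEAN):
        print(inbound_banner(m))
    for m in (TYPO, ROUTINE):
        print(outbound_prompt(m))
```

The design point is in what the functions return for the routine cases: `None`, not a softer warning. A banner on every external email and a pop-up on every send are exactly the generic prompts the text warns against, so the absence of a nudge has to be as deliberate as its presence, and each reason names the specific thing the reader can check (the domain, the reply address, the wording) rather than a risk score.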
Nudges help organisations and their users adopt healthier behaviours and be better prepared for future threats. It is crucial to adopt intelligent products that understand the risk in depth, develop positive behaviours and deliver real-time nudges.