KaufmanIT

AI-Generated Email Scams Have Become Very Convincing: 3 Key Defenses for Executives

By Matthew Kaufman, January 21, 2025

We comment regularly on AI and its impact on cybersecurity: how artificial intelligence will be both friend and foe in the ongoing battle over network and data protection.

Even in the new AI era, email remains every organization’s biggest threat gateway. Why? Because it is the one that can still fall victim to simple user error.

And what makes a phishing email most dangerous? How legitimate it looks – that’s it. When a recipient believes the email is genuine, the clicking begins.

What spurred this blog post was an important, recent study from Avant Research and the Harvard Kennedy School showing that AI-supported phishing attacks are generating click-through rates of over 50%.

For those who might like to read details, here are two very recent articles worth a look:

AI-Supported Spear Phishing Fools More than 50% of Targets

AI-Generated Phishing Emails are Getting Very Good at Targeting Executives

A 50+% click rate is an astonishing number that no hacker would even dream of, which is what spurred me to remind our readers of the foundational steps every business must take to protect its email domain. The following are the bare minimum practices for any organization, by the way:

#1: MFA

Call it 2-factor authentication, multi-factor authentication or anything else you’d like, this is the single most important thing you can do to protect yourself online.

Very simply put: with MFA enabled, a cybercriminal could have your login credentials and still not be able to log into your account. Why? Because if you get a pop-up on your phone asking you to confirm a login you didn’t attempt, you will know there’s a problem and will change your password right away.

P.S. C-level leaders and IT admins, do not apply MFA to the rest of the company while exempting yourselves!

#2: Backup

“We’re on Microsoft 365 so our data is automatically backed up, right?”

In a word: no.

Employers, read the following, then re-read it for good measure: both Microsoft and Google Workspace work from a “shared responsibility” model. This means Microsoft (or Google) is responsible for the platform, but you are responsible for your data. While Microsoft ensures the infrastructure is secure, you need to ensure your data is backed up and protected – they each say this explicitly in their terms, and both recommend employing your own backup.

Cyberattacks, malicious insiders and even simple accidental deletions by well-meaning employees: all can lead to significant data loss. With immutable backups in place, you’ll be protected from this very real threat.

But you can’t just talk about it, you must do it. And test it periodically.

#3: Employee Training

You may think these are just silly, 5-minute video lessons and fake phishing emails that can often be too easy to spot. The truth is, this kind of training is far more valuable when incorporated into your organization correctly.

Use the gamification features that the best training tools provide to reward employees who are “unphishable” and to minimally embarrass – yes, to call out – employees who fall for the fake phishing emails. Why?

What you want to create is a culture of skepticism. If employees are chasing small rewards and/or are interested in avoiding the company’s ‘naughty list’ of people who clicked on a fake phishing email, they will be on high alert for all suspicious-looking inbound emails.

Employers would be surprised how quickly employee habits in this regard can change with proper cyber training.

Conclusion

I don’t mean to cause a panic with this post. While AI is going to pose many cybersecurity challenges as it evolves, it is already part of the solution in many of the leading tools we ourselves employ to recognize and thwart cyber threats.

But for businesses out there who have routinely cut corners in their cyber hygiene habits, the world is becoming an increasingly dangerous place for your data.

P.S. Unsure if your organization’s email settings are secure? Make use of our free online tool for finding out. It’s powerful, fast and results show on screen in about 30 seconds. There’s no report to download and no email follow-up to wait for. Give it a try!
