Email security remains one of the most critical concerns for the modern organisation, explains Richard Frost, Head of Consulting at Armata Cyber Security
The small to medium enterprise (SME) faces an uphill battle when it comes to managing costs, regulations, compliance and red tape. It’s regulations, it’s accounting, it’s meeting endless bureaucratic deadlines, and it’s navigating payments and paperwork which means the average SME loses 202 days a year to admin. It also means essential security protocols and planning often falls by the wayside, and this translates to a hefty R49.45 million bill that comes due when the SME is breached.
The Cost of a Data Breach Report 2023 by the Ponemon Institute found that the average cost of a data breach globally has increased by 10% to reach $4.88 million. In South Africa, the incidence rate has increased by 8% since 2022. And the second most common form of successful attack? Business emails. The primary reason for these attacks? Human and IT errors. According to the report, nearly 50% of breaches are caused by either human mistakes or IT system failures.
A significant percentage of attacks start with email because social engineering remains one of the most powerful weapons in the cybercriminal’s arsenal. While some malicious emails are very obvious, many are extremely sophisticated and well-written. Often, they’re designed to target a very specific audience segment with content that lures them into making an expensive mistake. For example, cybercriminals profile decision-makers within the business, profile them, and then construct an email designed to entice them to open the attachment. The fact that people keep clicking on those attachments is why emails remain at the top of the list for the easiest way to get into the organisation.
These emails are designed to trigger an emotive response. During the pandemic, it took the form of a COVID-19 update, today it could be an email designed to look like it comes from your bank warning you that your account is about to be closed. Some hackers even send emails that look exactly like those from reputable financial institutions claiming that your account has just been hacked and to immediately log in and change your password. The only problem is that you’re changing your password for the hackers, not the bank.
Another very common approach is to send an invoice from a regular supplier, only the latter has been spoofed and the payment is going into a hacker’s account. When business owners are busy and stressed, they often don’t realise that the bill they are paying is a fake. People trust emails which makes it very easy to manipulate them into making expensive mistakes.
With the Mimecast State of Email and Collaboration Security 2024 report showing that 74% of all cyber-breaches are caused by humans – social engineering, stolen credentials, errors and social engineering – it’s essential that SMEs invest in tools designed to mitigate the threats. This involves constant vigilance through training that puts email security at the top of everyone’s mind, and investing in an email security solution that prevents a significant number of these threats from arriving in the business inbox.
Data breaches are seen as an even greater threat than inflation and climate change. Threat actors are making more money on cybercrime than Pablo Escobar made at the height of his career. Not only are companies faced with the cost of the attack, but they are now at risk of liability and fines from the regulator due to POPIA. Over the past few years, some of the biggest names in South Africa have been hit by an attack – Liberty, Dis-Chem, Transnet, Experian – underscoring just how capable and powerful these email threats have become.
While the cost of doing business as an SME is high, compromising on email security is not the way forward. Investing in a solution capable of protecting your people from threats means reducing the likelihood of them clicking on that link, opening up that document, or spending your money on a fake bill. Email security is also more than just a digital security guard checking the validity of emails entering the business, many solutions and service providers also offer training, user awareness and ongoing security support to protect against the onslaught.
In today’s threat landscape, email security isn’t just another business expense—it’s an essential investment. While SMEs face numerous cost pressures, the cost of resilient email security is only a tiny percentage compared to the devastating financial and reputational impact of a breach. Protection isn’t optional; it’s a business imperative.