Just over half of UK firms don’t have a cyber resilience plan
Many UK firms still lack cyber resilience and data protection capabilities covering email a year after the implementation of the GDPR aimed at improving personal data protection
Some 52% of IT decision makers polled in the UK admit they do not have a cyber resilience strategy in place, despite 51% saying they believe it is likely or inevitable they’ll suffer a negative business impact from an email-borne cyber attack in the next 12 months.
The EU’s General Data Protection Regulation (GDPR) states that data must be processed in a manner that ensures the security of personal data, including protection against accidental data loss, destruction or damage.
However, 40% of UK IT decision makers say data is the single greatest loss following an email-based impersonation attack, commonly known as business email compromise, according to the independent survey commissioned by email security firm Mimecast and conducted by Vanson Bourne.
According to Mimecast, GDPR requirements present a special challenge for managing email because this critical infrastructure is the most common point of attack for cyber criminals.
To ensure compliance, Mimecast said organisations need to maintain security and ensure that personal data in email remains safe at all times. This should be paired with powerful archiving systems to enable them to find and delete email messages quickly upon a user’s request.
Yet, one year on from its implementation, the survey found that only 37% of UK IT decision makers say archiving and e-discovery is included in their organisation’s cyber resilience strategy.
With human error posing one of the biggest risks to an organisation, Mimecast said email security and compliance best practices need to start from the top down and reach every single employee, with ongoing cyber awareness training being as critical as any other security system.
Educating employees on how to spot the tell-tale signs of suspicious emails is key to ensuring a business remains compliant, according to Mimecast. Despite this risk, only 57% of UK employees say their company offers training sessions.
“Email can be a powerful business tool. But if it isn’t considered as part of an organisation’s core security strategy, it can become a major vulnerability,” said Marc French, chief trust officer at Mimecast.
“Despite GDPR being in place, many businesses still do not realise the magnitude of personal information that can be hidden within email systems,” he said.
Ever-growing email archives, said French, mean there is a near-certain chance businesses are holding on to sensitive personal data as defined by GDPR. “With email the number one vector of choice for hackers looking to infiltrate corporate systems, this is a fundamental security flaw,” he said.
Many organisations are still working towards GDPR compliance far beyond the deadline that passed last year, said French.
“As a mission-critical priority, businesses should reassess whether their email archiving strategy is up to scratch and whether it has the capabilities to deliver. Re-evaluation of wider security systems also needs to be a priority. Security now must go beyond archive encryption and look to guard against impersonation attacks and malicious links so that breaches are prevented.”
Read more about email security
- Mimecast extends core email security through in-house development and strategic acquisition to enable cyber resilience.
- Email-based cyber attacks are gathering momentum and the cost of these attacks is rising, with several hidden costs, a survey reveals.
- Email is constantly exploited by attackers, and yet is often overlooked in cyber security and GDPR compliance strategies.
- UK businesses exposed to email-borne cyber risks, the most common form of cyber attack.