Commentary from crisis management expert Edward Segal, author of the bestelling and award-winning book on crisis management, Crisis Ahead: 101 Ways to Prepare for and Bounce Back from Disasters, Scandals, and Other Emergencies (Nicholas Brealey, 2020) 

Emails are one of the weakest links in a company's defense against cyberattacks, and cyber thieves appear to be taking advantage of this vulnerability.

That's according to a new study released this month by Tessian, an email security platform.

"Organizations send and receive thousands of emails per day, making email a massive vulnerability for the enterprise and opening the door for advanced attacks like spear phishing, impersonation and ransomware," Tessian said in a press release.

"These types of attacks also ranked as the top email threat that security leaders are most concerned about," the company noted.

Tessian's 2022 Email Security Report found that:

• 92% of companies experienced a data breach caused by an end-user making a mistake on email—such as sending an email to the wrong person or failing to send the correct attachment.
• Nearly 1 in 5 of these attacks were successful; 39% of respondents cited the breach of customer data, 34% reported financial losses, and 32% experienced a ransomware infection.
• Smaller companies were most likely to receive email attacks from threat actors impersonating board members and investors. In contrast, larger companies received emails from threat actors who impersonated employees or company suppliers, reflecting how cybercriminals tailor their scams to make them more believable.

The survey was conducted in September 2022 for Tessian by third-party research house Censuswide, which queried 600 IT and security leaders in organizations across the U.S., UK, Middle East, and Africa.

The Latest Example

.American Airlines is the latest example of how businesses and organizations are vulnerable to e-mail-based cyberattacks.

In September, American Airlines reported a data breach it had discovered in July. "American Airlines said the successful phishing attack led to the unauthorized access of a limited number of team member mailboxes," according to one news report.

The company notified told customers that "personal information such as an address, phone number, driver's license number, passport number and/or certain medical information may have been accessed by the hacker," Reuters reported

"We regret that this incident occurred and take the security of your personal information very seriously," American Airlines' chief privacy and data protection officer Russell Hubbard said in a letter to consumers," according to the news organization.

Seizing The Corporate Crown Jewels

According to the executive summary of the report, "threat actors are attempting to access corporate networks and are leveraging novel exploits to seize a business' crown jewels, namely its data. Email remains a leading initial attack vector...that does not appear likely to change."

"The issue of email as a go-to channel for threat actors is further complicated by the macroeconomic climate throughout the back half of 2022, with fears of a looming recession altering markets, and potentially headcounts moving into the next calendar year.

"Typically, malicious actors carry this out by baiting users with social engineering campaigns that can include impersonated pleas from trusted figures of authority or other fraudulent scams or promotions. Regardless, threat actors view the channel as one of the easiest inroads to compromising businesses," the report noted.

A Costly Crisis

"Just one employee taking the email bait from a phishing attack can bring a successful organization to its knees. Corporate emails, targeted through phishing and weaponized malware, are the main entry point for most breaches," Art Ocain, vice president of service delivery at cybersecurity company Airiam, said via email.

"Hackers are getting more innovative, and many employees unknowingly click a link or open an attachment and let the bad actors into the network," he observed.

In addition to the crisis that a data breach can create for a company, the attacks can be costly. According to a report by IBM, the average cost of a data breach in the U.S. was more than $9 million, or more than double the global average.

'The Solution Is Plain And Simple"

"When it comes to protecting against phishing attacks, it does seem like some employees always fall for them," David Moody, a senior associate of Schellman, a global cybersecurity assessor, observed via mail.

"The solution is plain and simple: There is no substitute for training.  A common method is to conduct simulated phishing exercises and use that information to identify and provide training for those who need it. There are companies who do this service for organizations and can also provide insight into larger company weaknesses, as well (such as email filtering and management policies)."

"Chief information security officers and business leaders need to focus on how they can defend and protect employees both within and, critically, beyond the walls of corporate systems," Josh Yavor, chief information security officer at Tessian, said via email.

"On the corporate side, security teams should focus on preventing as many malicious emails from reaching inboxes as possible but anticipating that some will get through.

""For those that do, they should ensure resilience by empowering employees with tools to help them avoid being tricked and by de-risking the impact of employees engaging with phishing emails by responding, opening files, or clicking links," he advised.