
Email Security: Why Click Rates Are Insufficient and What to Focus On Instead
The article from Material Security, reported by BleepingComputer, highlights a critical flaw in traditional email security metrics: the over-reliance on click rates. A click rate shows how often employees fall for phishing attacks, but it does not measure what a successful attack actually costs. The real danger lies in what an attacker can do once they control an email account.

Once an attacker has taken over an account, they inherit its permissions. They can read sensitive data in the mailbox, send convincing emails to other employees or external contacts from a trusted address, and create inbox rules that silently forward mail to an external address, which keeps delivering mail to the attacker until someone removes the rule. The result can be data breaches, financial loss, and reputational damage. Compromised accounts are also used to distribute malware and to launch further phishing against the victim's contacts, so the impact of one breach multiplies.

The article argues that organizations should shift their focus from preventing the initial click to containing and measuring the damage after a compromise. That means monitoring for unusual activity, such as logins from unexpected locations or at unexpected times, and limiting what any single account can reach ahead of time, so that a compromised account cannot be used to pull sensitive data or spread malware across the organization.

This shift is consistent with the broader trend in cybersecurity toward detection and response. Prevention matters, but it cannot be relied on alone. Organizations should assume that some attacks will succeed and have a plan to respond: technical controls such as monitoring and access controls, and an incident response plan that spells out the steps to take when an account is compromised.
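The monitoring the article calls for can be expressed as a small correlation rule over mailbox audit events. The following is an added example, not code from Material Security or BleepingComputer, and the event format it consumes is a constructed simplification rather than any vendor's real audit schema. It flags logins from a country the user has not been seen in before or outside business hours, flags inbox rules that forward to an external domain, and escalates a forwarding rule that appears shortly after an anomalous login, since that combination is the post-compromise pattern the article describes. The domain list, business-hours window, and one-hour correlation window are assumptions for the example.

```python
"""Post-compromise mailbox detection (added example, not from the original article).

Event format is constructed for this illustration and does not match
any real audit log schema. Timestamps are ISO-8601 UTC.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

INTERNAL_DOMAINS = {"example.com"}   # assumption: the organisation's own mail domains
BUSINESS_HOURS = range(7, 20)        # assumption: 07:00-19:59 UTC counts as normal
CORRELATION_WINDOW = timedelta(hours=1)  # assumption: rule created within 1h of odd login

# Constructed sample events (not real logs): alice logs in normally from the US,
# then a 03:05 UTC login from a new country is followed two minutes later by an
# inbox rule that forwards and deletes mail. bob's rule forwards internally.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:12:00Z", "user": "alice@example.com", "op": "UserLoggedIn", "country": "US"},
    {"ts": "2024-03-04T09:40:00Z", "user": "alice@example.com", "op": "UserLoggedIn", "country": "US"},
    {"ts": "2024-03-05T03:05:00Z", "user": "alice@example.com", "op": "UserLoggedIn", "country": "NG"},
    {"ts": "2024-03-05T03:07:00Z", "user": "alice@example.com", "op": "New-InboxRule",
     "forward_to": "drop@mail-collect.example.net", "delete_after_forward": True},
    {"ts": "2024-03-05T10:00:00Z", "user": "bob@example.com", "op": "New-InboxRule",
     "forward_to": "bob@example.com", "delete_after_forward": False},
]


def parse_ts(s):
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamp into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_external(addr):
    """True when the address's domain is not one of ours."""
    return addr.split("@")[-1].lower() not in INTERNAL_DOMAINS


def detect(events):
    """Return alerts as (severity, user, ts, reason) tuples, in time order.

    Country baselines are built from the events themselves; a production
    detector would seed them from a longer history.
    """
    events = sorted(events, key=lambda e: e["ts"])  # ISO strings sort chronologically
    seen_countries = defaultdict(set)  # user -> countries previously seen logging in
    last_odd_login = {}                # user -> time of most recent anomalous login
    alerts = []

    for e in events:
        ts, user, op = parse_ts(e["ts"]), e["user"], e["op"]

        if op == "UserLoggedIn":
            reasons = []
            if seen_countries[user] and e["country"] not in seen_countries[user]:
                reasons.append(f"login from new country {e['country']}")
            if ts.hour not in BUSINESS_HOURS:
                reasons.append(f"login at {ts:%H:%M} UTC, outside business hours")
            seen_countries[user].add(e["country"])
            if reasons:
                last_odd_login[user] = ts
                alerts.append(("medium", user, e["ts"], "; ".join(reasons)))

        elif op in ("New-InboxRule", "Set-InboxRule"):
            fwd = e.get("forward_to")
            if fwd and is_external(fwd):
                # Forward-and-delete hides the exfiltration from the mailbox owner.
                severity = "high" if e.get("delete_after_forward") else "medium"
                odd = last_odd_login.get(user)
                if odd is not None and ts - odd <= CORRELATION_WINDOW:
                    severity = "critical"  # rule created right after a suspicious login
                alerts.append((severity, user, e["ts"],
                               f"inbox rule forwards to external address {fwd}"))

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert, sep=" | ")
```

A rule this simple will produce false positives for travelling staff and shift workers; the point is the correlation, not the individual thresholds. The action on a critical alert is the containment the article asks for: revoke sessions, remove the rule, and review what the account sent and accessed while it was under the attacker's control.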
In conclusion, click rates give some insight into the effectiveness of security awareness training, but they are not a sufficient measure of email security. Organizations should focus on containing the damage and evaluating the impact after a compromise rather than only on preventing the initial click. This shift in focus is essential for managing the risk posed by email-based attacks.