
To Guard Against Cybercrime, Follow the Money

Email attacks are cheap, easy, low risk, and high reward. No wonder a “malicious Email is the cyber spy’s favored way in.” An email security breach could impact your organization’s revenue and reputation. Protecting yourself from a breach can be daunting, given how many emails pass through your organization each week.

But if you think of cybercriminals as a business, you can keep up with them more effectively. After all, most want to make a profit. They work in a well-oiled, thriving criminal industry. Their operations involve partnerships, specializations, and supply chains. These criminal enterprises often share information with each other when it is mutually beneficial, but at other times compete to attack the most profitable targets. Rather than thinking of a clandestine hacker working out of a basement, you will be better served to picture a sophisticated, professional operation working out of an office tower. To strengthen your digital resilience, adopt a competitor’s mindset.

Lies, Deceit, and Email Attacks

Before you can mitigate your organization’s security risks, it’s important to understand how email gets companies in trouble. The most common type of email attack is phishing, fraudulent emails purporting to be from a potentially relevant entity such as a shipping firm, major bank, or tax authority. The email attempts to trick recipients into revealing personal data, opening a malicious attachment, or clicking a link that installs malware.

These broad phishing attacks are not targeted. It’s a volume play, as any strategist would recognize, and it preys on our shared human weaknesses. We’re digital-first, we aim to please, and we’re used to moving fast. We share lots of information instantaneously online. We trust our digital communication tools — social media, email, messaging. And the tendency to click and share before thinking about the risks is exactly how we become victims.

Spear-phishing attacks, in contrast, are much more sophisticated. They are not volume plays. Think of them as targeted ads for premium customers. With spear phishing, the email is targeted at a specific individual or organization of which the attacker has cultivated deep knowledge. Spear-phishing emails have been used in many of the most notorious attacks, including the 2017 French presidential election and the infamous attack on the Democratic National Committee. DNC staffers received emails, claiming to be from Google, saying that a sign-in attempt had occurred in Ukraine and that they should change their passwords immediately. One survey of IT decision makers found that the average cost of a successful spear-phishing attack is $1.6 million.

Impersonation attacks are even more specialized spear-phishing attacks, ones that occur when attackers pose as an individual you know and trust. To gain this trust, a cybercriminal will mine information so they can credibly assume that person’s identity. A cybercriminal might impersonate a CFO or CEO, and then send an email to accounts payable asking for a wire transfer, or to HR requesting a dump of employee tax information. Workers at technology giants Facebook and Google — filled with tech-savvy people — fell for such a scam that almost cost them $100 million.
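As an added defender's example (not code from the original post), the following Python heuristic flags the two traits of the impersonation attack described above: an executive's display name on an address that is not theirs, and a Reply-To that quietly diverts the conversation. The executive roster, the trigger terms and both sample messages are constructed assumptions, not data from the post.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical executive roster and trigger terms; both are assumptions made
# for this example, not values taken from the post.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
PAYMENT_TERMS = ("wire", "transfer", "w-2", "payroll", "urgent")

def impersonation_indicators(raw_message: str) -> list[str]:
    """Return heuristic reasons a message looks like executive impersonation.
    An empty list means no check fired, not that the mail is benign."""
    msg = message_from_string(raw_message)
    display, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender, reply_to = sender.lower(), reply_to.lower()
    expected = EXECUTIVES.get(" ".join(display.lower().split()))
    reasons = []
    if expected and sender != expected:
        # The display name is a known executive, but the address is not theirs
        # (external or lookalike domain, or a different mailbox on our own domain).
        reasons.append(f"executive display name with unexpected sender {sender}")
    if reply_to and reply_to != sender:
        # Replies would be silently diverted to a mailbox the attacker controls.
        reasons.append(f"Reply-To {reply_to} differs from From {sender}")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')} {body}".lower()
    if reasons and any(term in text for term in PAYMENT_TERMS):
        # Payment or payroll language plus a sender anomaly is the CEO-fraud pattern.
        reasons.append("payment or payroll request combined with sender anomalies")
    return reasons

# Constructed sample messages (not real mail) exercising the checks above.
SUSPICIOUS = """\
From: Jane Doe <jane.doe@example-mail.co>
Reply-To: ceo.office@freemail.example
To: ap@example.com
Subject: Urgent wire transfer before close of business

Please process the attached invoice today. I am in meetings, reply here.
"""

LEGITIMATE = """\
From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Board deck review

Attached is the deck for Thursday.
"""
```

In practice the roster would come from the directory and the flagged mail would be routed to a quarantine or review queue rather than blocked outright, since a genuine executive writing from a personal account will trip the same checks.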

Another attack increasingly delivered through phishing is ransomware. The recent, well-publicized WannaCry outbreak highlights what makes these attacks especially unnerving: their ability to disrupt entire organizations by freezing IT systems. Ransomware is a type of malware that prevents victims from accessing their systems or data by locking them out until a ransom is paid. WannaCry hit numerous hospitals in the UK, forcing them to divert emergency patients to unaffected hospitals.

You Understand Cybercriminals Better Than You Think

To fight this myriad of possible attacks, you need to adopt a competitive mindset. Consider how someone would go about making money from attacking your organization. Ask yourself:

  • In the case of an attack, what data or systems could someone demand the highest ransom for? What could they most readily monetize on the black market?
  • Which employees have the most financial power, influence, and access? Whom do they work with? How could someone trick them or use them to trick others? What information is available about them on social media?
  • What systems, data, or business processes can your organization least afford to live without?
  • What suppliers or partners have access to your digital assets?

Once you’ve answered those questions, you can get to work with a renewed focus. With the right technology, training, and business processes, you can strengthen your cyber resilience.

First and foremost, employ advanced email security controls. Use modern secure email gateway systems rather than legacy email security systems that only focus on stopping spam or known types of malware. As you now see, the most dangerous attackers have moved far beyond blasting out threats indiscriminately. Integrate email security into your organization’s risk management program. Security is a business problem more than an IT problem.

Second, understand the value of your data. After all, it’s the bargaining chip in ransomware attacks. Identify the systems you could not stand to lose, and then prioritize security around them. By doing so, you can deploy strong security and backup and recovery programs where they are most needed. It’s also important to take a close look at your vulnerability patching program. Can you speed it up or prioritize it more? WannaCry took advantage of hundreds of thousands of unpatched systems. Organizations should stop using old or unsupported operating systems and applications. And certainly do not use pirated software — which, surprisingly, was another weakness exploited by WannaCry.

Third, your employees are your last line of defense, so you need to train them to be more aware of threats and to understand what to do when they think they have spotted one. In a survey of IT decision makers, just 25% of respondents were confident that their employees could spot and defend against phishing attacks. For a Fortune 500 company, it might seem daunting to train many thousands of employees. Start with the employees who would be at the greatest risk: those with financial power and access to sensitive data. Your valuable employees are even more valuable if they are smart and cautious.

Whether your organization operates in the private sector or in government, you are of interest to cybercriminals. They are relentless, focused, and well funded. Success against them is possible, but it requires intense focus and a competitor’s mindset.

This post first appeared on 5 Basic Needs Of Virtual Workforces; please read the original post: here
