Although this survey is US-based, I still think it is worth highlighting how organisations are progressing, or not, in protecting themselves against email threats and the very real threats that we face in the UK on a daily basis.
Email security continues to be the number one concern for organisations as attackers become more devious in how they conduct their attacks. Companies face evolving threats, which are often extremely personalised and mimic common real-world emails they receive. To better understand the climate of email security, a survey was undertaken by Barracuda of 660 IT professionals across various industries and locations on the impact of phishing.
An Increased Sense of Confidence
Sixty-three per cent of professionals report that their organisation's data and systems are more secure than they were one year prior. Among the three regions surveyed — America; Europe, the Middle East, and Africa (EMEA); and the Asia-Pacific region (APAC) — APAC reported the highest sense of security (70%), while EMEA reported the lowest (52%). Although this rise is likely caused by an increased security presence and investment in education, if an organisation lacks the tools to detect these threats, this sense of security may be superficial.
Despite the figures showing an overall positive outlook, phishing and ransomware top the list of security risks that organisations are not fully prepared to deal with, as well as spearphishing, malware, viruses, data loss, spam, smishing, email account takeover, and vishing. Only 7% of organisations are not worried about any of these risks. In fact, email threats continue to proliferate and have a major impact. On average, 82% of organisations claim to have faced an attempted email-based security threat in the past year.
Loss from a Breach Is Not Just Financial
In addition to 74% of organisations reporting that email security attacks have had a direct business impact, they are also affecting the personal lives of IT security professionals, with nearly 76% experiencing higher stress levels, worrying outside the office, and being forced to work nights and weekends. APAC reports the highest levels of personal impact from email security attacks.
Additionally, an overwhelming 78% of organisations say the cost of email breaches is increasing, with 20% saying it is increasing dramatically. Identifying and remediating threats, communicating with those affected, business interruptions, and IT productivity losses are all factors, as well as potential data loss, regulatory fines, and brand damage.
As a result, 66% of respondents claim that attacks have had a direct monetary cost on their organisation in the last year. Twenty-three per cent say attacks have cost their organisation $100,000 or more.
Employee Security Training
In conjunction with the previously noted increase in a sense of security, employees continue to play an integral role in their company's security. Ninety-four percent of organisations say employees are reporting suspicious emails to IT on a daily basis, but 58% say most emails reported to IT aren't actually fraudulent. More than three-quarters (79%) of organisations say their employees aren't good at spotting suspicious emails for a number of reasons, which shows a lack of readiness to spot email threats.
Only 21% say that the employees do a great job of alerting IT to suspicious emails only when needed. Additionally, 18% report that their employees were careless and did not recognise obviously suspicious emails.
These findings are concerning because phishing emails that prey on the poor security awareness of end users are one of the most common ways for attackers to download malware and steal data from organisations. Plus, reporting the wrong types of emails only wastes the time of already-stretched security teams. In addition to better awareness training, improved tools are needed to filter potentially dangerous emails and ensure they never make it into the inboxes of end users in the first place.
Phishing and Malware Are Commonplace
Email security is a challenge because there are several types of threats that are commonly seen. With increased security technology, attackers are using more personalised methods to engage with victims, often bypassing traditional security systems.
Phishing remains a major concern, as 43% of organisations have been the victim of a spearphishing attack in the past 12 months. Seventy-five percent of security professionals have personally received training on phishing in the last year, which is much needed because 70% of organisations have experienced a variety of direct business impacts as the result of these attacks.
Furthermore, most IT professionals (79%) say they are worried about attacks and breaches stemming from inside the organisation. Their fears are valid: a hacker could compromise an employee's email account via spearphishing and use it to target others with business email compromise attacks or phishing emails that appear very authentic.
In addition to phishing threats, a truly worrying 90% of Office 365 users have security concerns. Eighty-six percent of organisations agree that third-party email security solutions are essential for keeping an Office 365 environment secure.
The Future of Email Security
Email threats will continue to evolve at the same time as protection methods become more advanced. Organisations must keep email security in the forefront of their efforts and ensure that employees are educated and aware of their individual responsibility.