
11/5/2019
02:00 PM
Mike Flouton
Commentary

The State of Email Security and Protection

Phishing and ransomware top the list of security risks that organizations are not fully prepared to deal with.

Email security continues to be top of mind for organizations as attackers become more devious in how they conduct their attacks. Companies face evolving threats, which are often extremely personalized and mimic common real-world emails they receive. To better understand the climate of email security, Barracuda surveyed 660 IT professionals across various industries and locations on the impact of phishing.

An Increased Sense of Confidence
Sixty-three percent of professionals report that their organization's data and systems are more secure than they were one year prior. Among the three regions surveyed — America; Europe, the Middle East, and Africa (EMEA); and the Asia-Pacific region (APAC) — APAC reported the highest sense of security (70%), while EMEA reported the lowest (52%). Although this rise in confidence is likely the result of an increased security presence and education practices, it may be superficial if an organization lacks the tools to detect these threats.

Despite an overall positive outlook, phishing and ransomware top the list of security risks that organizations are not fully prepared to deal with, along with spearphishing, malware, viruses, data loss, spam, smishing (that is, phishing via text message), email account takeover, and vishing (phishing via phone). Only 7% of organizations are not worried about any of these risks. In fact, email threats continue to proliferate and have a major impact. On average, 82% of organizations claim to have faced an attempted email-based security threat in the past year, although the figures differ slightly by global region.

Loss from a Breach Is More Than Financial
In addition to 74% of organizations reporting that email security attacks have had a direct business impact, they are also affecting the personal lives of IT security professionals, with nearly three-quarters experiencing higher stress levels, worrying outside the office, and being forced to work nights and weekends. APAC reports the highest levels of personal impact from email security attacks.

In addition, an overwhelming 78% of organizations say the cost of email breaches is increasing, with one-fifth saying they are increasing dramatically. Identifying and remediating threats, communicating with those affected, business interruptions, and IT productivity losses are all factors, as well as potential data loss, regulatory fines, and brand damage.

As a result, 66% of respondents claim that attacks have had a direct monetary cost on their organization in the last year. Nearly a quarter (23%) say attacks have cost their organization $100,000 or more.

Employee Education
In conjunction with the previously noted increase in a sense of security, employees continue to play an integral role in their company's security. Ninety-four percent of organizations say employees are reporting suspicious emails to IT on a daily basis, but 58% say most emails reported to IT aren't actually fraudulent. More than three-quarters (79%) of organizations say their employees aren't good at spotting suspicious emails for a number of reasons, which shows a lack of readiness to spot email threats.

Only 21% say that the employees do a great job of alerting IT to suspicious emails only when needed. Additionally, 18% report that their employees were careless and did not recognize obviously suspicious emails.

These findings are concerning because phishing emails that prey on the poor security awareness of end users are one of the most common ways for attackers to download malware and steal data from organizations. Plus, reporting the wrong types of emails only wastes the time of already-stretched security teams. In addition to better awareness training, improved tools are needed to filter potentially dangerous emails and ensure they never make it into the inboxes of end users in the first place.

Phishing and Malware Are Common
Email security is a challenge because there are several types of threats that are commonly seen. With increased security technology, attackers are using more personalized methods to engage with victims, often bypassing traditional security systems.

Phishing remains top of mind, as 43% of organizations have been the victim of a spearphishing attack in the past 12 months. Seventy-five percent of security professionals have personally received training on phishing in the last year, which is much needed because 70% of organizations have experienced a variety of direct business impacts as the result of these attacks.

Furthermore, most IT professionals (79%) say they are worried about attacks and breaches stemming from inside the organization. Their fears are valid: A hacker could compromise an employee's email account via spearphishing and use it to target others with business email compromise attacks or phishing emails that appear very authentic.

In addition to phishing threats, an overwhelming 90% of Office 365 users have security concerns. Eighty-six percent of organizations agree that third-party email security solutions are essential for keeping an Office 365 environment secure.

The Future of Email Security
Email threats will continue to evolve at the same time as protection methods become more advanced. Organizations must keep email security in the forefront of their efforts and ensure that employees are educated and aware.


Mike Flouton is vice president for Barracuda's email security business. In this role, he oversees product management for Barracuda's portfolio of email security solutions: Barracuda Total Email Protection, Barracuda Essentials, Barracuda Sentinel, and Barracuda PhishLine.
Comments
theenan@towerdata.com
User Rank: Apprentice
11/7/2019 | 1:49:08 PM
The Email Address A Part of Verification and Identity Risk Assessment
Great article. The email address is now an integral part of verification and identity risk assessment checks, much like name, address, Social Security number, date of birth and even phone number.  In fact, because of the opportunity to analyze a deeper set of attributes around an email account, it often proves more valuable. Email intelligence offers companies rich profile information, even work history, that companies can use to quickly verify if a person is who they say they are.