Despite email being used since the 1990s and a high level of awareness of the associated risks, 94% of organisations surveyed admit that it is still the top security vulnerability.
At the same time, email threats are expected to increase in the coming year, according to 87% of the 280 decision-makers in Europe, the Middle East and Africa polled by security firm Barracuda, with 75% reporting a steady increase in email attacks in the past three years.
Almost half (47%) of respondents said they had been hit by email-borne ransomware attacks, 31% were victims of a business email compromise attack, but the majority (75%) said they had been hit by brand impersonation attacks, also known as brandjacking.
The high proportion of brand impersonation attacks, the researchers said, supports the findings of a recent Barracuda report on spear phishing, which found that 83% of all the email attacks analysed focused on brand impersonation.
Finance departments are the most targeted by email-borne cyber attacks, according to 57% of respondents. However, 32% said customer support was their most attacked department, which could indicate a new trend for would-be attackers, according to researchers at Barracuda.
“Without proper employee training, these attacks will continue to succeed,” the researchers said in a blog post, noting that training was still hugely lacking across most organisations surveyed.
The largest group (29%) said they received security training only once a year, while 7% said they had either never had training or that they weren’t sure.
The lack of regular, in-depth security training, the researchers said, is leaving employees either confused or unaware of security protocols, with 56% of respondents stating that some employees do not adhere to security policies, and 40% of those saying their employees used “workarounds”.
Despite these findings, the researchers said there were indications that some organisations are taking measures to reduce email threats, even among the 62% of organisations that expect their security budgets to either remain the same or decrease.
Just over a third (36%) of respondents, for example, said they were implementing instant messaging applications such as Slack or Yammer to reduce email traffic. However, the researchers warned that while they have not seen attacks using messaging platforms such as Slack, this may well change in the future.
“Any organisation going down this route should do so with care, as if we know anything about cyber attackers, it’s that they’re always trying new ways to catch their victims out,” they said.
While a shift away from email to communications tools such as Slack might be tempting in the short term, the researchers said it may not be an effective tactic in the longer term because attackers are likely to change tactics in response to that shift.
“In the longer term, the right combination of technology and security awareness training is the key to email attack protection,” they said.