The majority (74%) of businesses that took part in a survey say email-borne cyber attacks are having a major impact and 78% said the cost of email breaches is increasing.
On average, 82% of organisations claim to have faced an attempted email-based security threat in the past year, although the figures differ slightly by global region.
The most common effects cited were loss of employee productivity, downtime and business disruption, recovery costs, loss of data, financial impact, and damage to the reputation of the IT team, according to the 2019 Email security trends report by Barracuda.
The report, based on a survey of 660 IT security professionals globally at small, medium and large enterprises in a wide range of industry sectors, indicates that although most (63%) IT professionals are more confident about their email security systems than they were a year ago, email attacks continue to have a significant impact on businesses.
Asked about the impact of spear phishing attacks, 43% of respondents said machines had been infected with malware, 33% reported stolen credentials, 20% reported monetary loss and 17% said sensitive or confidential data had been stolen.
Ransomware is another top concern because ransomware attacks that encrypt critical business data and demand payment in return for a decryption key are often sent to individuals in organisations by email.
A recent report by security firm SonicWall indicated a resurgence of ransomware around the world in the first half of 2019, attributed in part to the emergence of ransomware as a service (RaaS) providers in hacker forums.
Other email-borne threats that businesses are worried about include malware, viruses, data loss, spam, smishing, email account takeover and vishing. Only 7% of organisations polled said they are not worried about any of these risks.
Breach costs and monetary losses are on the rise, the report shows, with 78% of organisations saying the financial impact of email breaches is increasing dramatically due to costs associated with identifying and remediating threats, communicating with those affected, business interruptions, and productivity losses.
As a result, 66% of organisations claimed that attacks have had a direct monetary cost to their organisation in the past year, with nearly a quarter saying attacks have cost $100,000 (£80,400) or more.
While 88% of respondents said their organisations had virus and malware filters in place and 85% said they had spam filters, only 68% said they had email authentication measures in place, and 55% said they had security training. Fewer still had sandboxing technology (29%), automated incident response (25%), spear phishing protection (23%) and account takeover protection (22%).
Spending on email security is a positive sign, the report said, underscoring the fact that organisations understand the seriousness of current threats. The survey shows 48% of organisations are spending more than last year, 45% are spending the same, and only 7% are spending less.
The increased investment in email security tools reflects the growing sophistication of the attacks and the need to protect against potential damage from evolving threats, said the report.
However, the report noted that organisations are underinvesting in tools designed to protect email beyond the traditional security gateway, such as automated incident response, spear phishing protection and tools to prevent account takeover.
Only 4% of respondents rated their organisation’s remediation capabilities to address malicious emails as “excellent”, while 58% said their organisation was “very good” but could do better, 35% said its capabilities were “acceptable” but miss some advanced attacks, and 3% said their organisation’s capabilities were “inadequate” and most attacks were missed.
The amount of time spent investigating and remediating attacks is also cause for alarm, the report said, with 55% of firms admitting they take more than an hour to do so.
“A delayed incident response could be enough time for hackers to infect an entire organisation with ransomware or steal sensitive data,” said the report. “Organisations increasingly need automated incident response to cut through complexity, accelerate time-to-detection and free up stretched and stressed security staff.”
Based on the success and proliferation of email-based attacks, the report said IT security professionals will need to stay focused on the evolution and escalation of phishing, ransomware and other threats and improve email security that goes beyond the traditional gateway.