89% of organisations experienced one or more successful email breaches during the previous year, leading to major costs.
Overwhelming numbers of security teams believe their email security systems to be ineffective against the most serious inbound threats, including ransomware.
That is according to a survey of business customers using Microsoft 365 for email, commissioned by Cyren & conducted by Osterman Research, which looked at concerns with phishing, business email compromise (BEC) & ransomware threats, attacks that became costly incidents, & preparedness to deal with attacks & incidents.
Inbound Threats
“Security team managers are most concerned that current email security solutions do not block serious inbound threats, particularly ransomware, which requires time for response & remediation by the security team, before dangerous threats are triggered by users,” according to the report, released on Wednesday.
Under half of those surveyed suggested that their organisations can block delivery of email threats. Also, under half of organisations rate their currently deployed email security solutions as ‘effective.’
Protections against impersonation threats are viewed as least effective, followed by measures to find & block mass-mailed phishing emails.
Email Breaches
So, it is perhaps little surprise that almost all of the organisations asked have experienced 1 or more types of email breaches.
89% of organisations experienced 1 or more successful email breach types during the previous year. The number of email breaches per year has almost doubled since 2019, according to the report, most of them due to successful phishing attacks that compromised Microsoft 365 credentials.
According to the survey, successful ransomware attacks have increased by 71% in the last 3 years, Microsoft 365 credential compromise by 49%, & successful phishing attacks by 44%.
Defensive Approaches
Investigating where email defence fails, the firms found that, surprisingly, use of email client plug-ins for users to report suspicious messages continues to increase. Half of organisations are now using an automated email client plug-in for users to report suspicious email messages for analysis by trained security professionals, up from 37% in a 2019 survey.
Security operations centre analysts, email administrators, & an email security vendor or service provider are the groups most usually managing these reports, although 78% of organisations notify 2 or more groups.
Also, user training on email threats is now offered in most companies, the survey found: More than 99% of organisations offer training at least annually, & 1 in 7 organisations offer email security training monthly or more frequently.
Threat-Markers
“Training more frequently reduces a range of threat-markers. Among organisations offering training every 90 days or more frequently, the likelihood of employees falling for a phishing, BEC or ransomware threat is less than organisations only training once or twice a year,” according to the report.
Further, the survey found that more frequent training results in more messages being reported as suspicious, & a higher share of these suspicious messages proving to be malicious after analysis by a professional.
So where is the breakdown? One conclusion: only about a fifth (22%) of organisations analyse all reported messages for maliciousness.
Maliciousness
“How employees should determine the maliciousness of reported messages by themselves when they do not receive a verdict from security professionals is unclear,” the firms explain.
The survey also showed that organisations generally use at least 1 additional security tool to complement the basic email protections offered in Microsoft 365. However, the effectiveness of these deployments varies, the survey found.
“Additive tools include Microsoft 365 Defender, security awareness training technology, a 3rd-party secure email gateway or a 3rd-party specialised anti-phishing add-on,” the report explained. “There is a wide range of deployment patterns with the use of these tools.”
Ineffective Defences
The firms concluded that these kinds of issues & ineffective defences in general cause major costs for organisations.
“Costs include post-incident remediation, manual removal of malicious messages from inboxes, & time wasted on triaging messages reported as suspicious that prove to be benign,” concludes the report. “Organisations face a range of other costs too, including alert fatigue, cyber-security analyst turnover & regulatory fines.”