As we increasingly connect personal email addresses with access to cloud services, web apps and SaaS-based systems, the security of old-fashioned but “killer app” email has become more important than ever. For example, think about all the times you log into a web application of some kind and use your IDs from Facebook, Google, Yahoo or LinkedIn, which are usually email addresses.
Despite the fact that enterprises have invested billions in cybersecurity training and point solutions, the problems aren’t going away anytime soon.
The FBI reported that business email compromise (BEC) attacks enabled cybercriminals to steal more than $12 billion from October 2013 to May 2018. In 2017, that represented 48 percent of all internet crime-driven financial loss. Meanwhile, Verizon’s latest Data Breach Investigations Report showed that despite an emphasis on security training, one in 25 people will respond to any given phishing attack – not surprising as they have become both highly targeted and more sophisticated.
In this eWeek Data Point article, using industry information and data from GreatHorn, which specializes in cloud-native email security, we identify key trends fueling phishing’s success within the enterprise.
Data Point Trend No. 1: The Email Perception Gap
There is a stark difference in the average worker’s perception of email-based threats within the enterprise and the perception of security personnel. Two-thirds of non-security workers claim to never see any email threats besides spam, whereas 56 percent of security professionals see them at least weekly, in the form of impersonations, wire transfer requests, W2 requests, payload attacks/malware, business services spoofing, and credential theft.
The biggest challenge businesses face in email security is trust. Workers are clearly dismissing all unwanted messages as spam, and often mistakenly believe that their work email systems are inherently secure which makes them highly susceptible to phishing and social engineering attacks, especially as those attacks become more and more sophisticated.
Data Point Trend No. 2: Different Infrastructure, Different Email Security Strategies
The average business uses three separate email security solutions but there are some significant differences in security postures of businesses that use on-premises infrastructure versus cloud-first organizations.
On-premises companies were far more likely to use stand-alone anti-virus/anti-spam solutions, user awareness training and firewalls than their cloud counterparts. Meanwhile, cloud companies were far more likely to either use nothing, or simply “native cloud-email features.” Google, Microsoft and other cloud providers have significantly improved their security features but outsourcing the entire email security responsibility to cloud providers is a dangerous proposition, because cybercriminals have proven themselves capable of bypassing email filters and other anti-phishing technology.
Data Point Trend No. 3: Basic Email Threats are Pervasive
It’s not just ultra-sophisticated and personalized phishing attacks that reach workers: 1 in 6 see basic payload attacks bypassing their email security defenses, despite being arguably the most heavily guarded against threats. In addition, security professionals report the following:
- 19 percent report that they have weak or no remediation capabilities if an email threat reaches an end user;
- 21 percent believe their email security solution negatively impacts business operations (e.g. too many false-positives);
So not only are rudimentary email threats successful, but the security strategies organizations use are impeding the business. Meanwhile, the lack of good remediation options built into email security strategies make it difficult to mitigate the damage.
Data Point Trend No. 4: Impersonations are Still Phishers’ Weapon of Choice
Overall, nearly half (46 percent) of all business professionals see executive, internal, or external impersonations, with that number jumping to 65 percent among email security professionals. Business services spoofing was the second most prevalent email threat respondents experience, followed by wire transfers, credential theft, and payload/malware.
Data Point Trend No. 5: Phishing Overwhelms Security Pros
Sixty-five percent of respondents reported fundamental technical issues with their existing email security solution. This figure, taken with the fact that two-thirds of email security professionals acknowledge that email threats make it past defenses and into inboxes, demonstrates the failure of the binary email security philosophy that has dominated the industry. It’s not reasonable to believe that enterprise can stop 100 percent of all potential threats while simultaneously delivering a low false positive rate. Enterprises should assume that some amount of malicious mail will always find a way to reach employees–regardless of the company’s security posture.
Data Point No. 6: Summary
Cybercriminals’ window of opportunity becomes a barn door if IT and security professionals aren’t implementing basic email security hygiene. Forty percent of business professionals need to routinely take significant remediation actions – such as Powershell scripts, shutting down compromised inboxes, etc. – to counter basic attacks that are delivered to their inbox.
A Sisyphean mindset has created complacency around how good email security can really be. Nearly half of all respondents (46 percent) were “less than satisfied” with their current email security solution, with only 10 percent indicating they were “very satisfied.” Senior-level executives agreed and were much more likely to be actively “dissatisfied” or “very dissatisfied” by their email security solution (20 percent compared to 12 percent for the general population).
If you have a suggestion for an eWEEK Data Point article, email cpreimesberger@eweek.com.