Four out of five organisations (80%) have faced an email-based cyber attack in the past year and 73% of IT security professionals say the frequency of such attacks is increasing, a survey has found.
Just 15% of respondents claimed not to have suffered an impact from email-borne threats, but even this is likely to be an over-estimate considering that sometimes the cause and effect linking cyber attacks to business damage are not immediately clear, the survey report said.
A 70% majority of individuals in a variety of security roles polled in 145 organisations in Europe, the Middle East and Africa by Barracuda Networks said they were more concerned about email security than they had been five years ago.
A majority (72%) also believed the cost of email-related breaches was increasing, with nearly a fifth claiming costs had escalated dramatically and 44% saying stolen information was the most costly because both customer data and sensitive IP could incur a major financial liability.
Respondents highlighted hidden costs such as distracting the IT team from other priorities (65%), disrupting employee productivity (52%), and reputation and remediation costs (44%).
To this, organisations must also add the prospect of potentially very large fines under the General Data Protection Regulation (GDPR) and the NIS Directive that covers the essential services sector.
At the heart of the problem is that, while email was not created to withstand modern cyber security threats, most organisations rely on it to collaborate with colleagues, external partners and suppliers, to send and receive invoices, and to engage with customers.
“Email was built for a different time, one in which cyber threats were few and far between. It should come as no surprise that email is the number one threat vector facing organisations today, with new email-borne attacks grabbing the headlines on a regular basis,” said Chris Ross, senior vice-president international at Barracuda.
Although newer web-based communication and collaboration systems have emerged in recent years, email remains the gold standard for IT because it is fast, convenient, simple to use, cost-effective and auditable.
Email-related cyber threats
According to security researchers at Barracuda, however, email is the top threat vector facing organisations due to the growing number of email-related threats. These include business email compromise, ransomware, banking trojans, phishing, social engineering, information-stealing malware and spam.
These are compounded by the risk of accidental disclosure of sensitive information via email. Of the 3,325 data security incidents reported by the UK’s Information Commissioner’s Office (ICO) in the 2017-18 financial year, the most common type of distinct incident was emails being sent to the wrong person.
Given that data shows Europe suffers the highest economic impact of cyber crime in the world, and given the strict new rules around cyber security and personal data protection introduced by the GDPR and NIS Directive, it is time for organisations to better understand where they are most exposed and what they can do to minimise damage, the survey report said.
Email is the number one threat vector, according to Barracuda researchers, precisely because it allows malicious third parties to directly target employees within an organisation, underlining the importance of user education around email-related cyber threats.
Despite the availability of tools and technologies such as email encryption, data loss prevention, social engineering detection, phishing simulation and artificial intelligence that can help mitigate these threats, the survey revealed that the vast majority of respondents believed user training and awareness programmes were a vital prerequisite to improving email security.
Survey respondents recognised the insider threat, claiming that poor employee behaviour (79%) was a greater email security concern than inadequate tools (21%).
There was most concern over individual staff members falling victim (47%), although executives (37%) were also viewed as a potentially dangerous weak link in the security chain. Finance (26%) and sales (18%) departments were viewed with most caution.
Topping respondents’ concerns was the fact that these roles and departments have access to sensitive information and systems and are the most likely to be targeted.
Train staff in email security
The vast majority (89%) of IT security experts agreed that user training and awareness programmes were important, with over a third (35%) claiming they were critically so. However, a sizeable proportion of companies (35%) still do not train their employees in how to spot phishing attacks.
While training staff effectively should be a key part of any cyber security programme, the report noted that not all approaches were created equal.
Experts recommended using unscheduled simulations of real-world attacks (45%) and customised examples that could be tailored to make them more relevant to department and role (61%). Also recommended were regularly scheduled modules that could be completed at the employee’s convenience (48%).
The report said it was encouraging that 30% of respondents had sought the help of a third-party training provider. With in-house training skills increasingly hard to come by, outsourcing this to an expert provider could offer a low-cost and highly effective way to turn employees into a formidable first line of defence, the report said.
Email has always suffered from a lack of built-in security, and while protocols such as DMARC can help, phishing, malware and BEC-related fraud remain major challenges for IT security teams, the report said.
Combined with a renewed focus on more progressive approaches to staff training, IT security bosses can begin to fight back, and by outsourcing training to an expert provider, IT teams can focus on more strategic initiatives and ensure cyber security remains a driver of growth and competitive differentiation, the report concluded.
“A combination of the right training with the right technology will help businesses to increase their preparedness for email attacks,” said Ross.
“Respondents claimed social engineering detection (66%) and phishing simulations (61%) were the most beneficial to the organisation. Yet there was also some hope that evolving technologies such as artificial intelligence or machine learning could be a good fit for email security, alongside threat detection (60%).
“The one thing that all of these technologies have in common is their ability to protect individual employees. According to these findings, that’s going to be absolutely critical in the future to ensure that our continuing obsession with email doesn’t become a fatal attraction,” he said.