
Opinion: Weighing up the email security threat in EMEA

12 Jun 2018

Article by Barracuda international SVP Chris Ross

Despite numerous attempts to dethrone it over the past few years, email continues to be the de facto standard for business communications. In research published last year, The Radicati Group estimated that more than 281bn email messages would be sent every day in 2018.

Email certainly isn’t going anywhere in a hurry. Which is music to the ears of cyber attackers.

Email was built for a different time, one in which cyber threats were few and far between. It should come as no surprise that email is the number one threat vector facing organisations today, with new email-borne attacks grabbing the headlines on a regular basis. Terms like ransomware, social engineering, phishing and trojans have gained widespread recognition.

We wanted to find out more about the impact of the email security challenge facing IT security practitioners but also the threat posed by the crucial human factor. So we conducted a short survey, generating around 630 global responses, of which 145 came from EMEA organisations.

More attacks + higher costs = greater risk

It was no surprise to hear that email security threats show no sign of slowing down. Four out of five organisations (80%) faced an attack during the past year, whilst nearly three quarters of EMEA respondents (73%) felt that the frequency is increasing. This paints an even more worrying picture when combined with the fact that the vast majority of respondents (72%) felt that the cost of email-related breaches was increasing, with nearly a fifth claiming costs have escalated dramatically.

When asked about ransomware specifically, 30% of respondents said that their organisation had fallen victim, with nearly three quarters saying that these attacks had originated via email. Yet 81% claimed not to have paid the ransom, a tactic recommended by law enforcers and experts. How, then, is the cost of email breaches on the rise?

The answer comes in more indirect costs such as distraction of IT teams from other priorities, cited by 65%, and disruption of employee productivity, an issue for 52%. Lost staff productivity and business interruption will certainly hit the bottom line, alongside the identification, remediation and clean up of threats and other consequences of cyber attacks. Add to this the reputation and remediation costs of information being stolen, something identified by 44%, and you can see where costs of increasing attacks are mounting up.

It’s no surprise then that 70% of IT professionals told us they were more concerned about email security now than they were five years ago.

The size of the insider threat

One of the reasons that email threats are so effective is that they allow attackers to directly target employees. One wrong click could be enough to let the bad guys in, making employee behaviour hugely important in the fight against email threats. Respondents recognised this, with 79% claiming that poor employee behaviour was a greater concern than inadequate tools. There was most concern about individual staff members falling victim (47%), though executives (37%) were also viewed as a potentially dangerous weak link in the security chain. Departments with access to sensitive information were seen as most at risk, with finance (26%) and sales (18%) departments singled out.

When it comes to minimising the human risk, the vast majority (89%) of IT security experts believe that end-user training and awareness programmes are important, with over a third (35%) claiming they’re critically so. However, a sizeable number (35%) still don’t train their employees on how to spot phishing and spear-phishing. Given that Verizon claims that phishing was responsible for 93% of all breaches it analysed last year, this is quite concerning.

Combining technology and training

With in-house training skills increasingly hard to come by and IT teams having their time taken up by multiple priorities, it’s heartening to see that 30% of EMEA respondents have sought the help of a third-party training provider.

A combination of the right training with the right technology will help businesses to increase their preparedness for email attacks. Respondents claimed social engineering detection (66%) and phishing simulations (61%) were the most beneficial to the organisation. Yet there was also some hope that evolving technologies such as artificial intelligence or machine learning could be a good fit for email security alongside threat detection (60%).

The one thing that all of these technologies have in common is their ability to protect individual employees. According to these findings that’s going to be absolutely critical in the future to ensure that our continuing obsession with email doesn’t become a fatal attraction.
