SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Story image
Weighing up the email security threat in EMEA
Tue, 12th Jun 2018
FYI, this story is more than a year old

Despite numerous attempts to dethrone it over the past few years, email continues to be the defacto for business communications. In research published last year, The Radicati Group estimated that more than 281bn email messages would be sent every day in 2018.

Email certainly isn't going anywhere in a hurry. Which is music to the ears of cyber attackers.

Email was built for a different time, one in which cyber threats were few and far between. It should come as no surprise that email is the number one threat vector facing organisations today, with new email-borne attacks grabbing the headlines on a regular basis. Terms like ransomware, social engineering, phishing and trojans have gained widespread recognition.

We wanted to find out more about the impact of the email security challenge facing IT security practitioners but also the threat posed by the crucial human factor. So we conducted a short survey, generating around 630 global responses, of which 145 came from EMEA organisations.

More attacks + higher costs = greater risk

It was no surprise to hear that email security threats show no sign of slowing down. Four out of five organisations (80%) faced an attack during the past year, whilst nearly three quarters of EMEA respondents (73%) felt that the frequency is increasing. This paints an even more worrying picture when combined with the fact that the vast majority of respondents (72%) felt that the cost of email related breaches was increasing, with nearly a fifth claiming costs have escalated dramatically.

When asked about ransomware specifically, 30% of respondents said that their organisation had fallen victim, with nearly three quarters saying that these attacks had originated via email. Yet 81% claimed not to have paid the ransom, a tactic recommended by law enforcers and experts. How, then is the cost of email breaches on the rise?

The answer comes in more indirect costs such as distraction of IT teams from other priorities, cited by 65%, and disruption of employee productivity, an issue for 52%. Lost staff productivity and business interruption will certainly hit the bottom line, alongside the identification, remediation and clean up of threats and other consequences of cyber attacks. Add to this the reputation and remediation costs of information being stolen, something identified by 44%, and you can see where costs of increasing attacks are mounting up.

It's no surprise then that 70% of IT professionals told us they were more concerned about email security now than they were five years ago.

The size of the insider threat

One of the reasons that email threats are so effective is that they allow attackers to directly target employees. One wrong click could be enough to let the bad guys in, making employee behaviour hugely important in the fight against email threats. Respondents recognised this, with 79% claiming that poor employee behaviour was a greater concern than inadequate tools. There was most concern about individual staff members falling victim (47%) though executives (37%) were also viewed as a potentially dangerous weak link in the security chain. Departments with access to sensitive information were seen as most at risk, with finance (26%) and sales (18%) departments singled out.

When it comes to minimising the human risk the vast majority (89%) of IT security experts believe that end-user training and awareness programmes are important, with over a third (35%) claiming they're critically so. However, a sizeable number (35%) still don't train their employees on how to spot phishing and spear-phishing. Given that Verizon claims that phishing was responsible for 93% of all breaches it analysed last year this is quite concerning.

Combining technology and training

With in-house training skills increasingly hard to come by and IT teams having their time taken up by multiple priorities, it's heartening to see that 30% of EMEA respondents have sought the help of a third-party training provider.

A combination of the right training with the right technology will help businesses to increase their preparedness for email attacks. Respondents claimed social engineering detection (66%) and phishing simulations (61%) were the most beneficial to the organisation. Yet there was also some hope that evolving technologies such as artificial intelligence or machine learning could be a good fit for email security alongside threat detection (60%).

The one thing that all of these technologies have in common is their ability to protect individual employees. According to these findings that's going to be absolutely critical in the future to ensure that our continuing obsession with email doesn't become a fatal attraction.