An overwhelming number of security teams believe their email security systems to be ineffective against the most serious inbound threats, including ransomware.
That’s according to a survey of business customers using Microsoft 365 for email commissioned by Cyren and conducted by Osterman Research, which examined concerns with phishing, business email compromise (BEC), and ransomware threats, attacks that became costly incidents, and preparedness to deal with attacks and incidents.
“Security team managers are most concerned that current email security solutions do not block serious inbound threats (particularly ransomware), which requires time for response and remediation by the security team before dangerous threats are triggered by users,” according to the report, released Wednesday.
Less than half of those surveyed said that their organizations can block delivery of email threats. And, correspondingly, less than half of organizations rank their currently deployed email security solutions as effective.
Protections against impersonation threats are viewed as least effective, followed by measures to detect and block mass-mailed phishing emails.
Thus, it’s perhaps no surprise that almost all of the organizations polled have experienced one or more types of email breaches.
In fact, 89 percent of organizations experienced one or more successful email breach types during the previous 12 months. And, the number of email breaches per year has almost doubled since 2019, according to the report, most of them due to successful phishing attacks that compromised Microsoft 365 credentials.
Overall, according to the survey, successful ransomware attacks have increased by 71 percent in the last three years, Microsoft 365 credential compromise increased by 49 percent and successful phishing attacks increased by 44 percent.
Ineffective Defensive Approaches
Digging into where email defense breaks down, the firms found that, surprisingly, use of email client plug-ins for users to report suspicious messages continues to increase. Half of organizations are now using an automated email client plug-in for users to report suspicious email messages for analysis by trained security professionals, up from 37 percent in a 2019 survey.
Security operations center analysts, email administrators, and an email security vendor or service provider are the groups most commonly handling these reports, although 78 percent of organizations notify two or more groups.
Also, user training on email threats is now offered in most companies, the survey found: More than 99 percent of organizations offer training at least annually, and one in seven organizations offer email security training monthly or more frequently.
“Training more frequently reduces a range of threat markers. Among organizations offering training every 90 days or more frequently, the likelihood of employees falling for a phishing, BEC or ransomware threat is less than organizations only training once or twice a year,” according to the report.
Further, the survey found that more frequent training results in more messages being reported as suspicious, and a higher share of these suspicious messages proving to be malicious after analysis by a security professional.
So far so good. So where’s the breakdown? One concerning finding: Only about a fifth (22 percent) of organizations analyze all reported messages for maliciousness.
“How employees should determine the maliciousness of reported messages by themselves when they do not receive a verdict from security professionals is unclear,” according to the firms.
Across the board, the survey also showed that organizations use at least one additional security tool to complement the basic email protections offered in Microsoft 365. However, their implementation efficacy varies, the survey found.
“Additive tools include Microsoft 365 Defender, security awareness training technology, a third-party secure email gateway or a third-party specialized anti-phishing add-on,” the report explained. “There is a wide range of deployment patterns with the use of these tools.”
The firms concluded that these kinds of holes and ineffective defenses in general translate into major costs for organizations.
“Costs include post-incident remediation, manual removal of malicious messages from inboxes, and time wasted on triaging messages reported as suspicious that prove to be benign,” according to the report. “Organizations face a range of other costs too, including alert fatigue, cybersecurity analyst turnover and regulatory fines.”