99% of cybersecurity leaders are stressed about email security

Egress, a cybersecurity company that provides intelligent email security, has released its Email Security Risk 2023 report. The report uncovers findings that demonstrate the prevalence of inbound and outbound email security incidents in Microsoft 365, with 92% of organisations falling victim to successful phishing attacks in the last 12 months, while 91% of organisations admit they have experienced email data loss. Not surprisingly, 99% of cybersecurity leaders confess to being stressed about email security. Specifically, 98% are frustrated with their Secure Email Gateway (SEG), with 53% conceding that too many phishing attacks bypass it.

“The growing sophistication of phishing emails is a major threat to organisations and needs to be urgently addressed,” said Jack Chapman, VP of Threat Intelligence, Egress. “The signature-based detection used by Microsoft 365 and secure email gateways (SEGs) can filter out many phishing emails with known malicious attachments and links, but cybercriminals want to stay one step ahead. They are evolving their payloads and increasingly turning to text-based attacks that utilise social engineering tactics and attacks from a known or trusted source, such as a compromised supply chain email address.

“Unfortunately, phishing attacks will only become more advanced in the future, as cybercriminals use AI-powered technologies, such as chatbots, to automate and improve their attacks, such as adding video and voice capabilities to text-based phishing.”

Email Security Risks Report 2023: Key findings

The report investigates both inbound phishing attacks and outbound data loss and exfiltration, highlighting the importance of a holistic approach to email security. Interestingly, 71% of surveyed cybersecurity leaders view inbound and outbound email security as a unified issue to tackle, recognising their interconnected nature. The survey goes on to examine the technical controls and security awareness and training (SA&T) programs in place to reduce email security risk. 

Organisations continue to fall victim to phishing attacks 

Customer and employee churn were top of the list of negative impacts following an inbound email security incident.

  • 86% of surveyed organisations were negatively impacted by phishing emails
  • 54% of organisations suffered financial losses from customer churn following a successful phishing attack
  • 40% of incidents resulted in employees exiting the organisation
  • 85% of cybersecurity leaders say a successful account takeover (ATO) attack started with a phishing email
  • The top three types of phishing attacks that organisations fell victim to: 
    • Phishing involving malicious URL or malware attachment
    • Social engineering
    • Supply chain compromise

Risky behaviour and mistakes lead to costly data loss 

Employees making mistakes or taking risks to get the job done are a far more common cause of data loss than malicious insiders, the survey found:

  • 91% of the cybersecurity leaders surveyed said data has been leaked externally by email, with the three top causes of these incidents being:
    • Reckless or risky employee behaviour, such as transferring data to personal accounts for remote work
    • Human error, including employees emailing confidential information to incorrect recipients
    • Malicious or self-serving data exfiltration, such as taking data to a new job
  • 49% suffered financial losses from customer churn following a data loss incident
  • 48% of incidents resulted in employees exiting the organisation

Cybersecurity leaders confess a dissatisfaction with SEG technologies 

The survey found dissatisfaction with many of the traditional SEG technologies in place to stop email security threats, with 98% of cybersecurity leaders frustrated with their SEG:

  • 58% – It isn’t effective in stopping employees from accidentally emailing the wrong person or with the wrong attachment
  • 53% – Too many phishing emails end up in employees’ inboxes
  • 50% – It takes a lot of administrative time to manage

Is traditional security awareness and training (SA&T) effective at changing behaviour? 

While 98% of the surveyed organisations carry out some kind of security awareness and training (SA&T), 96% aired a concern or limitation with their SA&T programs:

  • 59% say it’s necessary for compliance with regulations or cyber insurance
  • 46% say employees skip through it as fast as possible
  • 37% admit they are not confident people remember what they’re taught
  • 29% say employees find training annoying

How to defend against inbound and outbound email security threats 

The report highlights that people need real-time teachable moments that alert them to threats and engage them at the point of risk to tangibly reduce the number of security incidents that occur. 

Data throughout the report highlights that advanced email security is a necessity for everyday business. Despite investments in traditional email security and SA&T, surveyed organisations remain highly vulnerable to phishing attacks, human error and data exfiltration. Egress recommends the only way to change the situation is to use intelligent email security solutions that augment traditional SEGs and Microsoft 365, offering the defence-in-depth required with a layered security approach. New integrated cloud email security solutions (ICES) use intelligent technology to deliver behaviour-based security and are proven to provide additional security and controls that stop advanced phishing threats and detect the anomalies in human behaviour that lead to data loss and data exfiltration within Microsoft 365. 
