Email security still an afterthought

Email continues to be a critical technology in business and the threat of email hacks and data breaches loom large over IT security managers. Consequently, confidence and experience with previous data breaches and email hacks play key parts in determining a company’s perceived level of preparedness against these threats and targeted email attacks.

While 64 percent regard email as a major cyber security threat to their business, 65 percent don’t feel fully equipped or up to date to reasonably defend against email-based attacks, according to a Mimecast survey of 600 IT security professionals. One-third of respondents also believe their email is more vulnerable today than it was five years ago.

Of the 65 percent who don’t feel fully prepared against future potential attacks, nearly half experienced such attacks in the past, indicating that they don’t feel any more protected following an attack than they did prior.

Although 83 percent of all respondents highlight email as a common attack vector, one out of ten report not having any kind of email security training in place. Among the least-confident respondents, 23 percent attest to lacking any supplementary security measures.

Budget and C-suite involvement were the biggest gaps found between the most and least prepared respondents. Among the IT security managers who feel most prepared, five out of six say that their C-suite is engaged with email security. However, of all IT security managers who were polled, only 15 percent say their C-suite is extremely engaged in email security, while 44 percent say their C-suite is only somewhat engaged, not very engaged, or not engaged at all.

Those who feel better prepared to handle email-based threats also allocate higher percentages of their IT security budgets toward email security. These IT security managers allocate 50 percent higher budgets to email security compared to managers who were less confident in their readiness. From these findings, the data points to allotting 10.4 percent of the total IT budget toward email security as the ideal intersection between email security confidence and spend.

Other key findings include:

• The top 20 percent of organizations that feel most secure are 250 percent more likely to see email as their biggest vulnerability.
• Confident IT security managers are 2.7x more likely to have a C-suite that is extremely or very engaged in email security. They are also 1.6x more likely to see C-suite involvement in email security as extremely or very appropriate.
• The least confident IT security managers are more likely to be using Microsoft’s Exchange Mail Server 2010, which ended mainstream support in January 2015. The most confident managers are more likely to use the up-to-date Exchange Server 2013.
• 70 percent of IT professionals that have recently and directly experienced an email hack employ internal safeguards, such as data leak prevention or targeted threat protection.
• Apprehensive IT security professionals are more likely to be found in smaller (fewer than 500 employees) firms than larger ones (32 percent to 18 percent, respectively).
• Less than half (48 percent) of IT security managers in smaller firms feel confident and well-prepared for tackling email security threats, compared to larger companies.