The vast majority (82 percent) of users open email attachments if they appear to be from a known contact, despite the prevalence of well-known sophisticated social engineering attacks, according to Glasswall. Of these respondents, 44 percent open these email attachments every time they receive one, leaving organizations vulnerable to data breaches that originate from malicious attachments.
Altogether, the survey examined 1,000 office workers in medium and large-scale businesses across the U.S. to determine their email security awareness, particularly regarding known and unknown attachments, and related behaviors around best practices. Among other things, the research demonstrated how lax approaches to popular threat vectors such as email attachments, together with inadequate threat-awareness, poor work-practices and out-of-date technology, are exposing organizations to hacking, ransomware and zero-day attacks.
“Employees need to trust their emails to get on with their work, but with 94 percent of targeted cyber-attacks now beginning with malicious code hidden in an email attachment, the security of major businesses should no longer be the responsibility of individual office-workers,” said Greg Sim, CEO of Glasswall. “Conventional antivirus and sandboxing solutions are no longer effective and relying on the vigilance of employees clearly leaves a business open to devastating cyber-attacks that will siphon off precious data or hold the business to ransom.”
Implicit trust in both familiar and unknown emails
A large majority of workers could at least identify characteristics of a phishing attack, with 76 percent acknowledging that they had received suspicious attachments. However, the survey also found that 58 percent of respondents usually opened email attachments from unknown senders, while 62 percent didn’t check email attachments from unknown sources, leaving businesses open to breaches from documents carrying malicious exploits hidden inside common file-types such as Word, Excel, PDFs and more.
“This research confirms anecdotal evidence that, although security awareness campaigns have their place, all too often they fail to equip workers with effective strategies for protecting data and systems,” said professor Andrew Martin at the University of Oxford. “Technology that’s fit for purpose reduces risks without placing added burdens on those simply trying to do their jobs.”
This implicit trust in both familiar and unknown emails stands in direct contrast to the scale of threats delivered via email. Despite thousands of attacks launched every year against businesses, only 33 percent of respondents maintained that they had been the victim of a cyber-attack. And almost a quarter (24 percent) said they did not know whether they had been attacked.
Other key findings
- 55 percent said they sent or received at least 11 documents via email every working day, meaning there are 2,585 potentially malicious files in circulation from a single employee each year.
- One in five said the business they work for has no policy on how to handle email attachments, or they have not been made aware of it.
- 5.5 percent thought “other” types of attachments were suspicious, which included various types of prize-winning links or emails with multiple addressees.
- 15 percent said they always or usually trust email attachments sent by people they have never heard of.
- Only two people named Word documents as being suspicious and only two said they regarded “spreadsheets” as a potential threat, despite the continuing prevalence of these file-types in the perpetration of successful cyber-attacks.
- 58 percent said they would feel safer from cybercrime if their employer had the right technology to protect them.