Organizations need to switch gears in their approach to email security

Email security risks remain high with 94% of organizations experiencing incidents in the past 12 months, according to Egress.


Inbound email incidents primarily took the form of malicious URLs, attacks sent from a compromised account, and malware or ransomware attachments.

Looking at outbound email incidents, 91% of organizations experienced data loss and exfiltration, driven by reckless behavior to ‘get the job done’, human error, and malicious exfiltration, among other contributing factors.

The severe impact of email security incidents

The impact of an email security incident can be severe for employees and their organizations. 96% of surveyed organizations experienced negative impacts from phishing attacks, which is a jump of 10% versus last year’s report (when the number sat at 86%).

Findings from the report show that leaders are taking a tough stance with employees caught by phishing attacks: in 74% of companies, the people involved faced negative outcomes. In particular, the report revealed how organizations responded, with:

  • 51% of employees caught in phishing attacks disciplined
  • 39% of employees caught in phishing attacks fired
  • 27% of employees caught in phishing attacks voluntarily leaving their roles

Looking at outbound threats, a similar picture emerges, with 94% of the surveyed organizations reporting that they were adversely affected, an increase of 8% from last year’s report. In outbound email incidents, 67% of the people involved were disciplined, let go, or chose to leave the organization. Employees being disciplined was the most common outcome, seen in 51% of organizations.

It is evident from the report’s data that email security incidents continue to have far-reaching impacts for organizations, with financial loss from customer churn and reputational damage topping the organizational costs in both inbound and outbound incidents. Organizations should provide their teams with the right technology to detect advanced threats, alongside security awareness training (SAT) programs that genuinely increase their understanding of real threats going forward.

AI is a growing concern for cyber risk

AI continues to be one of the industry’s biggest talking points, and the surveyed cybersecurity leaders are alert to the effect that new tools, large language models, and generative AI could have on phishing attacks. 63% are being kept awake at night by deepfakes, and 61% by AI chatbots being used to create efficient phishing campaigns. This trend is expected to continue into 2024 and beyond, and organizations are encouraged to continuously review their defences.

Microsoft credentials are synonymous with being ‘the keys to the kingdom’, giving cybercriminals the power to move laterally across systems and networks to exfiltrate data and access email accounts to target customers and suppliers with further attacks.

Findings from the report show that account takeover attacks (ATOs) are a significant concern for cybersecurity leaders, as 58% of organizations experienced account takeover incidents. Of these, 79% began with a phishing email harvesting an employee’s credentials, and in 83% MFA was bypassed before the account takeover proceeded.

Additionally, 51% of organizations fell victim to phishing attacks sent from compromised accounts within their supply chain in the last 12 months. A trusted domain helps such attacks get through traditional perimeter defenses, and people are less suspicious of emails sent from addresses they recognize. Cybersecurity leaders are well aware of their vulnerability, with supply chain compromise and ATO their top sources of stress.

Email security risks remain a top concern for organizations

Many of the email security features Microsoft 365 offers overlap with the functionality available in secure email gateways (SEGs), leaving organizations to question their tech stack. Of those who use a SEG, 91% expressed frustration with it, and 87% are considering replacing their SEG or have already done so. As organizations adopt native controls in favor of SEGs, they are still left vulnerable to the advanced phishing attacks that can bypass signature-based and reputation-based detection, as well as to the employee behaviors, such as human error, that lead to outbound incidents.

Combining Microsoft’s controls and integrated cloud email security (ICES) solutions covers the full spectrum of inbound and outbound email security incidents, so it’s little surprise that a large portion of organizations are weighing up their options.

According to the findings from the report, email security risks remain a top concern for organizations, with 94% having experienced security incidents over the past year. Despite this, the majority of respondents provide training only to meet compliance requirements, with 88% acknowledging that they are doing SAT for compliance purposes.

Cybersecurity leaders express doubts on traditional training efficacy

If training is engaging, delivered in bite-size modules, and relevant to the employee’s tasks, it should be an enriching activity with real-time teachable moments throughout the workday. Cybersecurity leaders are currently worried, however, that employees skip through training as quickly as possible and find it annoying.

With this in mind, it is no wonder that 91% of cybersecurity leaders have doubts about the effectiveness of traditional training, and training tailored to teams or individuals is not commonly offered.

Only 19% of organizations deliver SAT that reflects the department or team that employees work in, and just 9% of organizations tailor training to the individual employee.

The ramifications of this are significant for both employees and their organizations, as quality learning can turn a company’s biggest risk – its people – into one of its strongest defences.

“Organizations continue to face vulnerabilities when it comes to advanced phishing attacks, human error, and data exfiltration, and analyzing emerging trends will be key to bolstering defenses,” said Jack Chapman, VP of Threat Intelligence at Egress.

“The report also highlights how cybersecurity leaders know that they’re vulnerable when it comes to phishing attacks. 58% of organizations have experienced account takeover incidents in the last 12 months, and 79% of these started with a phishing email that harvested an employee’s credentials, so it’s no wonder that phishing attacks and compromised accounts are causing concern for our cybersecurity leaders.

“The use of AI by cybercriminals is also at the front of our leaders’ minds, and rightly so. While it’s currently impossible to actually prove chatbots are being used to create phishing attacks, cybercriminals generally take every advantage they can get. Organizations can’t afford to be left behind but must ensure their defenses keep pace with cybercriminals’ methodology and the resulting attacks.

“The stats in this latest report are truly staggering; 94% of companies have experienced security incidents in the last 12 months, and 95% of cybersecurity leaders are stressed about email security. Organizations urgently need to adapt their approach, or risk finding themselves in the same position next year,” concluded Chapman.
