Security vendor Mimecast has released its fourth annual State of Email Security report for 2020.
Many findings in the report point to an increase in the overall volume of email-based attacks in the past year; for example, 58% saw an increase in phishing attempts, and 85% of respondents said they think the amount of web and email spoofing they face will stay the same or increase in the coming year.
Other data points of particular note: 82% of respondents experienced downtime from an email-based attack, 77% believe weak passwords are a particular problem, and 60% of organizations were hit by an attack that spread from one user to another.
The report is filled with data about email security, but for those looking for action items, Mimecast has provided a list of 10 takeaways that point out particular risks and give IT security decision makers some avenues to focus on in the coming months.
10 email security takeaways in Mimecast’s 2020 report
1. Leaders are beginning to appreciate the email risk for what it is: Constant
60% of respondents said they believe they’ll be hit by an email-based attack in the coming year, which Mimecast said shows “a broad understanding of the potential risk for emailborne attacks.”
2. Impersonation, phishing, and business email compromise (BEC) are all skyrocketing
74% reported an increase in phishing over the past year, and the global pandemic is making things even worse—Mimecast reports a 30% increase in impersonation fraud alone in the first 100 days of the pandemic lockdown.
It’s no surprise that there’s been a massive spike in email-based attacks during the COVID-19 pandemic, which finds many workers operating outside of the tightly controlled enterprise networks they usually rely on for security. “An increase in the variety and volume of attacks is inevitable given the desire of financially- and criminally-motivated actors to obtain personal and confidential information,” the report said.
3. Ransomware isn’t going away
Rates of ransomware infection have held steady in Mimecast’s reports from 2018, 2019, and 2020 at “more than half” saying they’d dealt with ransomware on their networks. On average, these attacks have led to three days of downtime.
4. Necessary training isn’t happening
Mimecast said that monthly security training is only happening at 21% of organizations, and only 17% are being given refreshers once a year. “If employees are expected to be ‘the human firewall’ or ‘the last line of defense,’ as they are often referred to, organizations need to invest in them as such,” the report said.
5. Email security will suffer without training
Mimecast offers email security awareness training, and its research found that users who did not receive it were five times more likely to click on malicious links. The clicks on those malicious links can be costly, the report concludes, because 60% of respondents said security incidents in their organizations were due to malware spread from one employee to another.
6. Poor email security can damage your brand
Only 28% are using domain-based message authentication, reporting, and conformance (DMARC) validation, the report found. DMARC helps prevent spoofing and BEC, and protects customers by validating emails as being from legitimate senders.
7. Email security budget ownership is more important than you think
98% of organizations have a security budget dedicated to handling spoofing, exploitation, and impersonation, but management of that budget can be confusing. CIOs, CISOs, CFOs, and other C-suite executives have all been found to be in charge of those budgets, and poor allocation is directly tied to a delay in response time, the report found.
8. You’re right to worry about email security
On average, Mimecast said, an organization will know about nine web or email spoof attacks a year, and many more go undetected. Rising social media use, especially with people working from home due to COVID-19, gives bad actors more material to use in planning a BEC attack or phishing attempt: Attackers are increasingly using “pattern-of-life analysis to track social media sites, such as LinkedIn, to target individuals within organizations who may have access to executives and financial systems.”
9. Cyber resilience strategies are essential, but incomplete
77% of respondents state they have, or are actively rolling out, a resilience plan. Unfortunately, those plans still aren’t effecting as much change as they should be: 31% are still losing data, 31% are seeing a productivity drop, and 29% are having downtime incidents despite their resilience strategies.
10. Web-based email is a weak spot in resilience planning
The report found that Office 365 was the preferred email provider for most SMBs, but only 22% said its security is sufficient, and 59% experienced downtime preventing them from accessing their cloud-based email.
Vendor aside, the report said organizations need to weigh whether the benefits of cloud services are worth the loss of control that comes with not being able to host your own local email server: Resiliency decreases, and you can’t ultimately control the security of your cloud vendor’s systems.