Employees Overestimate Efficacy Of Workplace Email Security

New research from GreatHorn finds that 22% of businesses have experienced a breach in the past quarter due to an email-based attack.

Nearly a quarter (22 percent) of businesses have experienced a data breach — defined as loss of confidential data or credentials, compromised account loss, or fraudulent financial transactions — due to an email-based attack in the past three months. This is among the findings of the newly-released “2019 Email Security Benchmark Survey report” from GreatHorn. The company surveyed 1,021 email security and white-collar professionals from March to June 2019 to gain a better understanding of the current state of enterprise email security, threat prevalence, remediation frequency, and attitudes on email attacks based on job role, company size, and other factors.

Email Security
Click image to enlarge.

Compared to last year’s “2018 Email Security: Trends, Challenges, and Benchmarks,” which identified a perception gap between email security and regular white-collar professionals, GreatHorn’s new data shows that gap still exists as employees with limited or no involvement in email security are three times more likely to say the only email-based attacks they receive in their inbox is spam. This is a major factor why simulated phishing click-rates dropped only 1% from 2017 to 2018, despite businesses investing millions in security awareness training programs and other technologies.

“Our latest research shows that employees — particularly non-technical professionals — overestimate the efficacy of their workplace’s email security strategy,” said GreatHorn CEO Kevin O’Brien. “There is an alarming sense of complacency at enterprises at the same time that cybercriminals have increased the volume and sophistication of their email attacks. Businesses must protect themselves at every point of the email lifecycle, including post-delivery, to adequately protect themselves from modern spear phishing and social engineering attempts.”

GreatHorn found that 24.4% of survey respondents indicated that malicious email messages, including impersonations, wire transfer requests, W2 requests, payload attacks/malware, business services spoofing, and credential theft attempts, reach their inbox every day, with an additional 25.4% that report seeing attacks at least weekly.

When separated into two groups, email security and white-collar professionals, GreatHorn found a stark contrast in the frequency of malicious email threats reported. About one-third (32.8%) of security experts report seeing threats every day, and an additional 27% report weekly, for a total of 59.8% seeing threats at least weekly. This marked difference in perception speaks to the training and awareness gap that was first highlighted in last year’s report.

“Just Spam” Or Something More Malicious?

Data from GreatHorn’s research shows that nearly half (48.5%) of white-collar professionals report seeing only spam in their inboxes, while only 16.4% of email security professionals said the same. This indicates a larger nomenclature problem that causes two-thirds of white-collar professionals to mischaracterize sophisticated email threats as “just spam.” This conflation of spam mail and dangerous email threats has bad implications for enterprises as employees underestimate the dangers associated with malicious emails, putting themselves and the business at risk.

When asked, “Which of the following are problems for you despite your current email security solution?,” 79.4% of all respondents indicated fundamental issues with their solution.

Areas where security professionals said their systems were vulnerable include:

  • 34.2% report “challenges with remediation”
  • 26.6% report their current solution, “Doesn’t stop internal threats (e.g. if a user account is compromised)”
  • 21.2% report “Missing payload-free attacks (e.g. impersonations, social engineering, etc.)”
  • 19.8% express concern that their solution “Negatively impacts business operations (e.g. too many false positives)”
  • 18.9% report “Missing payload attacks (e.g. malicious attachments and/or links)”

Over a third (34.3%) of security professionals felt this situation, in which glaring email security vulnerabilities were both present and exposing the company to risk, was “good enough.” More senior roles (i.e. technical decision makers, budget owners, and CISOs) were much more likely to be either “dissatisfied” or “very dissatisfied” with their email security solution.

These responses demonstrate the industry’s view that email-based attacks are unavoidable and unstoppable. Enterprises must assume that some amount of malicious mail will bypass any email security strategy and fortify their security posture by implementing technologies that can intelligently identify, alert on, and disarm attacks that reach corporate inboxes.