
Email Security Nightmare as 75% Of CISOs Expect a Severe Email-Borne Attack in the Next 12 Months

Three-quarters of organizations anticipate a severe email-borne cyber attack within the next year, Mimecast’s The State of Email Security 2023 report found.

According to the study, email usage continued to grow, with 82% of organizations reporting increased use in the last twelve months. As email usage increased, so did email-borne threats, as reported by nearly three out of four (74%) IT security leaders.

While the rising volume of email-based threats was equally worrying, their increasing sophistication was the biggest concern for 59% of the respondents.

Three-quarters of CISOs expect a severe email security incident within 12 months

Mimecast found that 76% of the respondents anticipate severe consequences from an email-borne attack in the next twelve months. The report identified phishing, ransomware, and spoofing as the most common types of email-borne security threats.

Over eight out of ten (84%) IT security leaders interviewed said they witnessed an increase in one of these attacks within the last 12 months, with phishing being the most prevalent. More than half (59%) of the respondents said their organizations witnessed more phishing attacks last year than in previous years, with large corporations (>10,000 employees) being the most affected (71%).

For email-based phishing, the attacker sends an unsolicited email called spam (also known as junk mail), impersonating a trusted source to trick the recipient into disclosing personal or financial information. The message may also contain a malicious link that prompts the victim to install spyware, a malware type with activity trackers, keystroke collection, and data capture capabilities.

Although both phishing and spear-phishing use email, the latter is a highly targeted phishing attack where the cyber criminal researches the target before sending a message customized for a specific person.

Apart from phishing, email spoofing was rampant, with more than nine out of ten (91%) respondents saying they knew of attempts to spoof their email domains. According to the report, over half (54%) of all domain spoofing attempts targeted government agencies and public institutions.

Sadly, most organizations were not ready to address domain spoofing, with less than a third (29%) prepared to address the illegal use of their domains. And while 88% of organizations intend to use Domain-based Message Authentication, Reporting, and Conformance (DMARC) to stop email domain spoofing, only 27% have deployed it.

Negligent employees are propagating email-borne threats

Employee negligence is a significant email security risk factor, with 80% of organizations reporting an email-based attack that spread from one user to another. This figure was the highest recorded in all but one of the seven previous editions of the survey.

Similarly, 8 out of 10 respondents believe that inadvertent data leaks by careless or negligent employees pose a security risk to their companies.

Are collaboration tools expanding the attack surface?

Mimecast’s State of Email Security report also found that more organizations were embracing workspace collaboration tools such as Microsoft Teams, Google Workspace, and Slack. However, IT security leaders were concerned about collaboration tools opening new attack surfaces, with 67% struggling to keep up with the number of tools deployed.

Additionally, the report found that 75% of respondents believe collaboration tools posed a new and significant security risk, with 72% anticipating being impacted by a collaboration tool-borne attack in the next 12 months.

“But while email remains the primary attack vector for bad actors, collaboration tools provide a new threat surface for cybercriminals to infiltrate,” the report stated.

Interestingly, the report suggested that most IT security leaders were dissatisfied with security measures provided by collaboration tool suites such as Microsoft 365 and Google Workspace. And 94% of the respondents demanded stronger protections from vendors such as Google and Microsoft.

Lack of commitment from the C-suite, but the tide is slowly turning

The report found that C-suite executives have become more aware of cyber threats and are willing to confront them. However, underfunding remains a challenge, with corporate boards prioritizing other issues, such as recession, at the expense of cybersecurity.

According to two-thirds (66%) of IT security leaders, the cybersecurity budget was less than it should be, roughly the same proportion as last year. Nevertheless, the shortfall was relatively modest at 8%, and nearly all (98%) respondents had deployed, were deploying, or planned to deploy systems to monitor and stop email-based attacks.

Security teams are also expanding: every organization of 250 to 500 employees had at least one dedicated security professional. Additionally, nearly half (48%) had 6-10 dedicated security workers, while over a third (34%) had 11-30 full-time security employees.

Leveraging next-gen technologies to address email security

While underfunding remains a pressing issue, CISOs were leveraging next-gen technologies to level the playing field, with 92% using or planning to use AI/ML technologies for cybersecurity.

Nearly half (49%) said using artificial intelligence (AI) and machine learning (ML) helped address the volume and complexity of cyberattacks. Roughly half of the respondents also said AI/ML solutions improved the accuracy in threat detection (50%), ability to block threats (48%), and speed of remediation (49%). Additionally, 81% said AI provides real-time, contextual warnings to email and collaboration tool users.