Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Email Security

The Disconnect Between Understanding Email Threats and Preventing Them

Email continues to be the starting point for the majority of all security breaches. The 2018 Verizon Data Breaches Investigation Report (DBIR) says that email is the attack vector in 96% of breaches. But a new study suggests that despite these figures, companies are not allocating sufficient resources to reduce email risk.

Email continues to be the starting point for the majority of all security breaches. The 2018 Verizon Data Breaches Investigation Report (DBIR) says that email is the attack vector in 96% of breaches. But a new study suggests that despite these figures, companies are not allocating sufficient resources to reduce email risk.

The study (PDF) was conducted the Ponemon Institute for Valimail, an email security automation firm. Ponemon surveyed 650 IT and IT security professionals who have a role in securing email applications and/or protecting end-users from email threats. It found, according to Ponemon, a “disconnect between concerns about email threats and fraud and the lack of action taken by companies represented in this study.”

Findings suggest that 80% of respondents are very concerned about their ability to counter the email threat, but only 29% are taking significant steps to counter the threat. The greatest concerns are that hackers might spoof their email domain “to hurt the deliverability of legitimate emails” (82%); the overall state of their current email security (80%); and that they could be hacked or infiltrated via a phishing email (69%).

The threat from email phishing, spoofing and impersonation attacks is understood and acknowledged. Seventy-four percent of respondents are concerned about phishing emails directed at employees or executives; 67% about email as a source of fraud against the company (such as BEC attacks); 66% about email as a vector for infiltrating malware and/or exfiltrating data; and 65% about hackers impersonating the company in phishing attacks against others — that is, other firms and non-employees.

The disconnect comes from the company response to the concerns held by their own professionals. Only 29% of the respondents believe their firm is taking significant steps to prevent phishing attacks and email impersonation, while 21% say they are taking ‘no steps’ — despite the DBIR’s evidence that email is the source of almost all data breaches.

Only 41% of the respondents say their organization has created a security infrastructure or plan for email — but of these, almost half say there is no schedule for reviewing its effectiveness (39%), or are unsure of any review schedule (10%). Only 11% of respondents said their organization reviews the effectiveness of its email security plan quarterly.

Part of the problem may be down to the traditional relationship between OT and IT. While email is firmly a part of information technology rather than operational technology, nevertheless it has an operational business function. As such, operational ease and continuity might be receiving a higher priority than security. This is possibly supported by managerial responsibility.

Asked, ‘Who within the organization is primarily responsible for the security of email and services/applications that use email?’, only 15% of the respondents said it was the CISO/CSO. Twenty-one percent said it was the CIO/CTO, 20% said the line of business management, 9% said the head of messaging services, and 9% said the head of IT Operations. Somewhat surprisingly, the majority of organizations do not have their head of security responsible for the security of emails.

Impersonation attacks are an acknowledged and growing email threat. The top five currently-used technologies to prevent these are anti-spam/phishing filters (63%), secure email gateways (53%), SIEMs (44%), DMARC (39%), and anti-phish training (30%). Use of all of these is expected to grow over the next 12 months: filters by 2%, SEGs by 10%, SIEMs by 3%, DMARC by 9%, and phish training by a colossal 27%.

These figures simply indicate that use of existing technologies that have currently failed to prevent the email start-point in 96% or all security breaches will be increased. This doesn’t mean, however, that the respondents have abandoned hope in their ability to improve things. Asked what effect a 20% increase in their email security budget would have, the reply was a 45% improvement in the detection rate with a 33% improvement in the prevention rate.

“With the dramatic rise in impersonation attacks as a primary vector for cyberattacks, companies are re-assessing the balance of their security efforts,” said Alexander García-Tobar, CEO and co-founder of Valimail. 

“While traditional approaches are good for filtering malicious content and blocking spam, impersonation attacks can only be stopped with email anti-impersonation solutions. Individuals at all levels of a company, including customers and clients, are vulnerable to phishing, fraud, and impersonation attacks. Companies can strengthen their security against email fraud with automated solutions and close that disconnect between email threats and preventive action,” he added

What surprises Ponemon, however, is the current lack of adoption of such automated solutions. “We were surprised to see a vast majority of companies who believe that they have had a breach involving email but are not yet embracing automated anti-impersonation solutions to protect themselves proactively,” said Dr. Larry Ponemon, chairman and founder of Ponemon Institute. “Adopting fully automated solutions for DMARC enforcement that provide email authentication will help companies get ahead of the attackers and build trust with their clients and end users.”

Related: State of Email Security: What Can Stop Email Threats? 

Related: Cisco Launches New Email Security Services 

Related: Symantec Launches Email Threat Isolation Solution 

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Less than a week after patching critical security defects affecting multiple enterprise-facing products, VMware is warning that one of the flaws is being exploited...