The report uncovers findings that demonstrate the prevalence of inbound and outbound email security incidents in Microsoft 365, with 92% of organizations falling victim to successful phishing attacks in the last 12 months, while 91% of organizations admit they have experienced email data loss. Not surprisingly, 99% of cybersecurity leaders confess to being stressed about email security. Specifically, 98% are frustrated with their Secure Email Gateway (SEG), with 53% conceding that too many phishing attacks bypass it.
“The growing sophistication of phishing emails is a major threat to organizations and needs to be urgently addressed,” said Jack Chapman, VP of Threat Intelligence, Egress. “The signature-based detection used by Microsoft 365 and secure email gateways (SEGs) can filter out many phishing emails with known malicious attachments and links, but cybercriminals want to stay one step ahead. They are evolving their payloads and increasingly turning to text-based attacks that utilize social engineering tactics and attacks from a known or trusted source, such as a compromised supply chain email address.”
“Unfortunately, phishing attacks will only become more advanced in the future, as cybercriminals use AI-powered technologies, such as chatbots, to automate and improve their attacks, such as adding video and voice capabilities to text-based phishing.”
Email Security Risks Report 2023: Key findings
The report investigates both inbound phishing attacks and outbound data loss and exfiltration, highlighting the importance of a holistic approach to email security. Interestingly, 71% of surveyed cybersecurity leaders view inbound and outbound email security as a unified issue to tackle, recognizing their interconnected nature. The survey goes on to examine the technical controls and security awareness and training (SA&T) programs in place to reduce email security risk.
Organizations continue to fall victim to phishing attacks
Customer and employee churn were top of the list of negative impacts following an inbound email security incident.
• 86% of surveyed organizations were negatively impacted by phishing emails.
• 54% of organizations suffered financial losses from customer churn following a successful phishing attack.
• 40% of incidents resulted in employees exiting the organization.
• 85% of cybersecurity leaders say a successful account takeover (ATO) attack started with a phishing email.
• The top three types of phishing attacks that organizations fell victim to:
o Phishing involving malicious URL or malware attachment.
o Social engineering.
o Supply chain compromise.
Risky behavior and mistakes lead to costly data loss
People making mistakes or taking risks in the name of getting the job done are far more common than malicious insiders, the survey found:
• 91% of the cybersecurity leaders surveyed said data has been leaked externally by email, with the three top causes for these incidents:
o Reckless or risky employee behavior, such as transferring data to personal accounts for remote work.
o Human error, including employees emailing confidential information to incorrect recipients.
o Malicious or self-serving data exfiltration, such as taking data to a new job.
• 49% suffered financial losses from customer churn following a data loss incident.
• 48% of incidents resulted in employees exiting the organization.
Cybersecurity leaders confess a dissatisfaction with SEG technologies
The survey found dissatisfaction with many of the traditional SEG technologies in place to stop email security threats, with 98% of cybersecurity leaders frustrated with their SEG:
• 58% - It isn’t effective in stopping employees from accidentally emailing the wrong person or with the wrong attachment.
• 53% - Too many phishing emails end up in employees’ inboxes.
• 50% - It takes a lot of administrative time to manage.
Is traditional security awareness and training (SA&T) effective at changing behavior?
While 98% of the surveyed organizations carry out some kind of security awareness and training (SA&T), 96% aired a concern or limitation with their SA&T programs:
• 59% say it’s necessary for compliance with regulations or cyber insurance.
• 46% say employees skip through it as fast as possible.
• 37% admit they are not confident people remember what they’re taught.
• 29% say employees find training annoying.
How to defend against inbound and outbound email security threats
The report highlights that people need real-time teachable moments that alert them to threats and engage them at the point of risk to tangibly reduce the number of security incidents that occur.
Data throughout the report highlights that advanced email security is a necessity for everyday business. Despite investments in traditional email security and SA&T, surveyed organizations remain highly vulnerable to phishing attacks, human error, and data exfiltration. Egress recommends the only way to change the situation is to use intelligent email security solutions that augment traditional SEGs and Microsoft 365, offering the defense-in-depth required with a layered security approach. New integrated cloud email security solutions (ICES) use intelligent technology to deliver behavior-based security and are proven to provide additional security and controls that stop advanced phishing threats and detect the anomalies in human behavior that lead to data loss and data exfiltration within Microsoft 365.