Email attacks continue to plague many organizations and remain a constant, daily struggle against criminal actors despite years of security investments, according to a new report from CRA Business Intelligence, a CyberRisk Alliance company: Attackers on High Ground As Organizations Struggle with Email Security.
CRA Business Intelligence polled 221 US-based security and IT leaders and executives, security administrators and compliance professionals during May 2022. The survey found that Microsoft and Google email systems are the most common targets. In fact, 83% of respondents experience at least one email attack daily. (Disclosure: CyberRisk Alliance also owns MSSP Alert.)
Ransomware and Phishing Top Email Concerns
In addition to phishing emails designed to capture login credentials, email attacks can also contain payloads that include traditional viruses or application macros, such as those that run in Word or Excel, CRA Business Intelligence found.
Matt Alderman, executive vice president at CyberRisk Alliance, commented on the substantial rise in email attacks:
"Our research shows that both ransomware and phishing are the top concerns for email security. However, only email encryption and business email compromise (BEC) protection meet customer expectations. Security awareness and training is the largest gap and needs the most improvement."
MSSP and MSP Implications: The research is particularly timely for MSPs and MSSPs that offer security awareness training. Indeed, dozens of cloud and software companies now promote security awareness training tools to channel partners. Those partners, in turn, typically launch simulated phishing attacks against end-customers. The simulated attacks can help customers spot, avoid and report suspicious email and related activities to their IT departments and service providers.
Still, the CRA Business Intelligence research essentially shows that MSPs and MSSPs may need to shake up their training programs to keep them fresh, educational and effective.
On the flip side, the vast majority of Top 250 MSSPs offer encryption and BEC solutions to their end-customers, according to MSSP Alert's annual research.
Up to 25 Attacks Daily
Here are more key findings from the CRA Business Intelligence survey:
- One-third of respondents experience up to 25 attacks daily, and 51% reported up to 25 BEC attacks per day. Also, 21% said they didn’t know and couldn’t estimate the volume of daily BEC attacks.
- Security professionals are concerned about the tempo and sophistication of email attacks on organizations: 51% said they are “very” or “extremely” concerned about email attacks in the next 12 months.
- The threat of a ransomware attack is a top email security concern for 65% of all respondents, followed by an increase in spoofing and phishing (60%).
- Recognizing the serious risks posed by email attacks, 68% reported their organization is likely to increase spending on email security in the next 12 months.
- The potential for serious data breaches is at the heart of their organizations’ email security strategies, according to 67% of respondents — followed by regulatory requirements (46%) and monetary losses due to business email compromise attacks (42%).
- Eighty-five percent of respondents said they use file/attachment scanning, followed by security awareness/training (80%) and email backup/archive (80%).
- Thirty-one percent of respondents plan to add social engineering to their email security strategy in the near future.
The research report also looks at organizations’ spending plans for email security over the next two years and provides a variety of tips to bolster security in the meantime. To learn more, download the full report.