IT security professionals are "more confident" in their email security systems than they were last year, according to newly published research from Barracuda Networks. But is that confidence misplaced?
The "2019 Email Security Trends" special report is based upon a study of 660 IT security professionals globally. However, 20 percent of the responses were from the EMEA region, and it is those findings that SC Media UK is going to focus upon.
Some 52 percent of those asked were confident that their company systems and data was more secure than when compared to 2018, with 42 percent thinking things were much the same. Yet at the same time, when it came to email attacks specifically, 23 percent of those EMEA respondents admitted they had never had any email threat training and only 39 percent (compared to 48 percent globally) had increased spending on email security.
So is that confidence in email security systems misplaced somewhat?
Certainly, given that EMEA IT teams were found to be on the receiving end of more suspicious emails than the global average, and it being the region identified as most likely to fall victim to a spear-phishing attack (48 percent had been a victim in the past twelve months) there is an argument to be made that this is the case. Indeed, the research also suggests that the reputational impact of these spear-phishing attacks is greater in the region (39 percent reported reputational damage) compared to globally (27 percent) .
One of the findings that is, perhaps, rather pertinent to this debate is that while less than 10 percent of emails reported as being suspicious turned out to be fraudulent in some way, some 81 percent admitted that IT teams were taking more than 30 minutes to investigate and remediate each reported attack, and 47 percent spent more than an hour.
"The long-term existence of email threats reveal how effective they can be in infiltrating enterprise networks," Iván Blesa, director of technology at Noble, told SC Media UK. "Successful attacks often don’t have any obvious malicious markers, resulting in persistent attacks that can go unnoticed up to years after intrusion."
Peter Draper, EMEA technical dDirector at Gurucul, agreed that the email attack vector is "very high on the list in terms of the wider threat landscape," adding that "user security awareness lags behind consistently and will be exploited as long as that is the case."
Indeed, it's the layers of protection complexity, including user awareness training, that make the email attack vector so problematical for the average enterprise. "These layers of security controls start with the email operator and move through the technology life cycle all the way to back end email storage whether virtual or physical." Matt Radolec, head of security architecture and Incident Response at Varonis, told SC Media UK.
Recent research from Sophos, concluded that of those enterprises which had been attacked and could figure out the attack starting point, 33 percent were attributed to email with the web (30 percent), vulnerabilities (23 percent) and USB or other devices (14 percent) bringing up the rear.
"People will continue to unwittingly introduce threats by clicking on infected URLs or attachments in convincing phishing emails, especially if it’s spoofed," Fraser Kyne, EMEA CTO at Bromium, says, "businesses simply can’t continue to put the onus of security on users and expect them to spot these phishing emails."
So what should the enterprise be doing to defend against email threats? "The biggest mistake that enterprise businesses are making with email security is appearing to ignore it altogether," warns Martin Lee, outreach manager at Cisco Talos. According to Lee, recent Cisco research found the number of businesses using email security as part of their overall security strategy is decreasing, only 41 percent of those asked could confirm having this type of security in place, that's down from 56 percent five years ago.
"One reason for this could be that as businesses move their email provision to the cloud," Lee says "they are assuming that the basic, default security protections offered by cloud email services are adequate to protect businesses against the specific threats that they face." Yet, email remains the number one vector for the distribution of malware and phishing attacks regardless.
"Instead of focusing on preventing threats, enterprises should assume that attacks will be successful, and put in place controls to mitigate their impact," Iván Blesa insists, concluding "closing the gap between an intrusion and its detection should become a main objective for enterprises..."
Is Zero Trust really achievable given the complexity in finance service organisations?
Brought to you in partnership with Forescout