The finding has been reported by email security and archiving company Mimecast, in its new global research study: Mimecast Business Email Threat Report 2016, Email Security Uncovered. The survey of 600 IT security professionals shows that while 64 percent regard email as a major cyber-security threat to their business (71 percent in South Africa), 65 percent (41) don’t feel fully equipped or up to date to reasonably defend against email-based attacks.
Email continues to be a critical technology in business, and the threat of email hacks and data breaches looms large over IT security managers. Consequently, confidence and experience with previous data breaches and email hacks play key parts in determining a company’s perceived level of preparedness against these threats and targeted email attacks.
Of the 600 surveyed, just 35 percent (59 percent in South Africa) feel confident about their level of preparedness against data breaches. Of the 65 percent (41) who don’t feel fully prepared against future potential attacks, nearly half (49%) experienced such attacks in the past, indicating that they don’t feel any more protected following an attack than they did prior.
This is also reflected in the few steps taken toward widespread email security. Although 83 percent (75 percent in South Africa) of all respondents highlight email as a common attack vector, one out of ten report not having any kind of email security training in place. Among the least-confident respondents, 23 percent attest to lacking any supplementary security measures.
“Our cyber-security is under attack and we depend on technology, and email in particular, in all aspects of business. So it’s very disconcerting to see that while we might appreciate the danger, many companies are still taking too few measures to defend themselves against email-based threats in particular,” said Brandon Bekker, managing director, Mimecast South Africa. “As the cyber threat becomes more grave, email attacks will only become more common and more damaging. It’s essential that executives, the C-suite in particular, realize that they may not be as safe as they think and take action. Our research shows there is work still to be done to be safe and we can learn a lot from the experience of those that have learnt the hard way.”
Budget and C-suite involvement were the biggest gaps found between the most and least prepared respondents. Among the IT security managers who feel most prepared, five out of six say that their C-suite is engaged with email security. However, of all IT security managers who were polled, only 15 percent (17 percent in South Africa) say their C-suite is extremely engaged in email security, while 44 percent (28) say their C-suite is only somewhat engaged, not very engaged, or not engaged at all.
Those who feel better prepared to handle email-based threats also allocate higher percentages of their IT security budgets toward email security. These IT security managers allocate 50 percent higher budgets to email security compared to managers who were less confident in their readiness. From these findings, the data points to allotting 10.4 percent of the total IT budget toward email security as the ideal intersection between email security confidence and spend.
Mimecast found that five distinct “personas” emerged among the respondents, and characterized them into a Cyber-Security Shiver Grid based on their levels of email security and perceptions of data breach confidence: the Vigilant (16 percent), Equipped Veterans (19 percent), Apprehensive (31 percent), Nervous (6 percent) and Battle-Scarred (28 percent). Altogether, a majority of the IT security managers – totaling 65 percent, comprising the apprehensive, nervous and battle-scarred respondents – feel unprepared to manage email-based attacks.
Other key findings of the survey include:
- The top 20 percent of organizations that feel most secure are 250 percent more likely to see email as their biggest vulnerability.
- Confident IT security managers are 2.7x more likely to have a C-suite that is extremely or very engaged in email security. They are also 1.6x more likely to see C-suite involvement in email security as extremely or very appropriate.
- The least confident IT security managers are more likely to be using Microsoft’s Exchange Mail Server 2010, which ended mainstream support in January 2015. The most confident managers are more likely to use the up-to-date Exchange Server 2013.
- 70 percent of IT professionals that have recently and directly experienced an email hack employ internal safeguards, such as data leak prevention or targeted threat protection.
- Apprehensive IT security professionals are more likely to be found in smaller (fewer than 500 employees) firms than larger ones (32 percent to 18 percent, respectively).
- Less than half (48 percent) of IT security managers in smaller firms feel confident and well-prepared for tackling email security threats, compared to larger companies.