Email Security risk report

Phishing emails continue to be a major threat to organizations with almost 100% of cybersecurity leaders saying that inbound and outbound email security incidents are causing them the greatest stress according to the latest Email Security Risk Report 2023 from cybersecurity experts, Egress (www.egress.com).

The report’s findings demonstrate the prevalence of inbound and outbound email security incidents in Microsoft 365, with 92% of organizations falling victim to successful phishing attacks in the last 12 months, while 91% of organizations admit they have experienced email data loss.  Not surprisingly, 99% of cybersecurity leaders confess to being stressed about email security.  Specifically, 98% are frustrated with their Secure Email Gateway (SEG), with 53% conceding that too many phishing attacks bypass it.  
 
“The growing sophistication of phishing emails is a major threat to organizations and needs to be urgently addressed,” says Jack Chapman, Vice President of Threat Intelligence, Egress.  “The signature-based detection used by Microsoft 365 and secure email gateways (SEGs) can filter out many phishing emails with known malicious attachments and links, but cybercriminals want to stay one step ahead.  They are evolving their payloads and increasingly turning to text-based attacks that utilize social engineering tactics and attacks from a known or trusted source, such as a compromised supply chain email address.”

“Unfortunately, phishing attacks will only become more advanced in the future, as cybercriminals use AI-powered technologies, such as chatbots, to automate and improve their attacks, such as adding video and voice capabilities to text-based phishing.”
 
The Email Security Risk Report 2023 report investigates both inbound phishing attacks and outbound data loss and exfiltration, highlighting the importance of a holistic approach to email security.  Interestingly, 71% of surveyed cybersecurity leaders view inbound and outbound email security as a unified issue to tackle, recognizing their interconnected nature.  The survey goes on to examine the technical controls and security awareness and training (SA&T) programs in place to reduce email security risk.
 
Customer and employee churn were top of the list of negative impacts following an inbound email security incident with 86% of surveyed organizations saying they were negatively impacted by phishing emails, whilst 54% of organizations admit to suffering financial losses from customer churn following a successful phishing attack, with a further 85% of cybersecurity leaders revealing that a successful account takeover (ATO) attack started with a phishing email.

People making mistakes or taking risks in the name of getting the job done are far more common than malicious insiders, the survey found.  Over 90%of the cybersecurity leaders say data has been leaked externally by email, with the three top causes for these incidents being: reckless or risky employee behavior, such as transferring data to personal accounts for remote work; human error, including employees emailing confidential information to incorrect recipients; and malicious or self-serving data exfiltration, such as taking data to a new job.  Additionally, the report reveals that 49% of organizations had suffered financial losses from customer churn following a data loss incident, and further 48% of incidents had resulted in employees exiting the organization.

Cybersecurity leaders report being dissatisfied with many of the traditional SEG technologies, with 53% saying that too many phishing emails are ending up in employees’ inboxes, and 58% say that their organization’s SEG isn’t effective in stopping employees from accidentally emailing the wrong person or with the wrong attachment.  

Despite investments in traditional email security and SA&T, surveyed organizations remain highly vulnerable to phishing attacks, human error, and data exfiltration.  Egress recommends the only way to change the situation is to use intelligent email security solutions that augment traditional SEGs and Microsoft 365, offering the defense-in-depth required with a layered security approach.  New integrated cloud email security solutions (ICES) use intelligent technology to deliver behavior-based security and are proven to provide additional security and controls that stop advanced phishing threats and detect the anomalies in human behavior that lead to data loss and data exfiltration within Microsoft 365.

The full Egress Email Security Risk Report 2023: Inbound and outbound email security threats in Microsoft 365 can be found at https://pages.egress.com/Whitepaper-Risks-in-M365-03-23_2023-Landing-Page.html#download.