Your company email is probably not as secure as you think it is according to a report and infographic released today by Mimecast, an email security company. The Mimecast report combines the results of an Email Security Risk Assessment (ESRA) based on more than 26 million company emails with a survey on corporate cybersecurity carried out in partnership with Vanson Bourne. The results are troubling.
How does Mimecast perform an ESRA?
Company email typically passes through an email security system which may be located either on site or in the cloud. Email that passes this initial security check is routed to the company’s email management system which delivers it to the recipients. To carry out an ESRA, a BCC of every email that passes the initial check is sent to Mimecast’s cloud-based servers where it is reinspected for spam and malicious content.
The ESRA results: Spam
The Mimecast report is based on more than 26 million (26,124,789) emails received by 23,744 users over a 153-day period. Mimecast found almost 3.5 million (3,456,230) problem emails that should not have passed the initial security check. In other words, 13.2% of the emails that got through security should have been caught.
The vast majority (99.7%) of the problem emails were spam. The good news is that spam is generally not dangerous. The bad news is that sometimes spam is dangerous, and even when it’s not, dealing with spam that gets past the recipient’s spam filter can be a time sink.
The ESRA results: Direct threats
The remaining 0.3% of emails that should have been flagged by email security systems contained threatening content. Dangerous file types (files with the extension .jsp, .exe, and .src, for example) were found in 6,681 emails. Not all files with dangerous extensions carry malware payloads or exploit kits but many of them do. All of them should have been flagged at the initial security check.
Malware was found in 1,628 emails. Of these, 1,207 emails contained known malware that had been previously seen in the wild and 421 emails contained new forms of malware. The new malware is particularly dangerous because there is a good chance that malware-detection software on the recipient’s computer will not identify it and the attack will succeed. If the recipient’s anti-malware software is up-to-date, it should detect and disable the known malware. However, known malware should have never gotten through company email security systems in the first place.
Finally, the ESRA found 1,697 impersonation emails. Impersonation is similar to spear phishing in that it’s a social engineering technique that uses an email that appears to be sent from a legitimate source. Impersonation typically invites the recipient to share sensitive information while spear phishing invites clicks on links to malware infected websites.
Defense against social engineering largely depends on the recipient’s ability to recognize it for what it is. Recipients who are not technologically sophisticated – and this group tends to include a significant proportion of upper management who have access to valuable information – are more likely to be vulnerable to social engineering tactics.
The cost of poor email security
Mimecast’s ESRA found that only 0.3% of the email that passed a company’s email security system was dangerous. Some may think this is a sign that email security failures are not a big problem. However, it should be kept in mind that the cost of an undetected security threat can be high. Peter Bauer, Mimecast’s CEO, spoke to this issue in an email he sent me.
The sheer amount of spam, malicious attachments and various types of attacks that are breaking through many commonly used email security systems is alarming to say the least. And, the amount of time, effort and money it takes organizations to clean up infections is no small matter.”
The Mimecast infographic includes estimated costs for different types of security failures. One of those costs is time. Mimecast estimates that, on average, it takes IT staff three hours to clean a recipient’s computer of a malware infection. This estimate does not include downtime for the recipient or time it may take to clear the malware from company servers.
Security failures cost money. In June, 2016 the FBI reported the average exposed dollar loss for a successful impersonation attack is $139,000. In a report issued in January, 2016, Vanson Bourne estimated that the average cost of a successful phishing attack is $1.8 million. The 2016 Ponemon Cost of Data Breach Study: Global Analysis sponsored by IBM estimated that the average cost of a data breach is $4 million or $158 for every record stolen.
Security failures also carry a reputation cost. It can be very difficult to regain the trust that is lost when a security breach is made public.
Reliable cybersecurity is a matter of defense-in-depth and a company’s email security system is its first line of defense. The Mimecast ESRA shows that, far too often, this line isn’t strong enough to stop the sophisticated attacks launched by today’s cybercriminals. As Bauer told me in an email,
Organizations think they have protection in place, but what they really have is a pollution filter that keeps out spam and viruses, not something that is capable of reliably keeping out determined adversaries. ERSA is available to help organizations diagnose the extent to which they are exposed and figure out what to do about it.”