Corporate cybersecurity has not kept up with either perceived security threats or damage resulting from security failures according to a report released today by Mimecast, an email security company. The Mimecast report combines the results of their Email Security Risk Assessment (ESRA) with a survey on corporate cybersecurity carried out in partnership with Vanson Bourne. The 800 C-level executives and IT decision makers that participated in the survey indicated their organizations’ cybersecurity efforts do not meet their security needs.
Cyber damage and cyber defense
The majority of respondents in the Mimecast/Vanson Bourne survey stated that their organizations had suffered cybersecurity failures during the preceding year. Seventy percent experienced malicious attacks that spread from one infected user to others within the organization. Half of those attacks were delivered through email attachments.
Seventy-two percent of the respondents said their organization experienced external exposure of sensitive data. Sixty-nine percent stated that sensitive data was emailed to the wrong person by accident. Thirty-five percent reported that these emails were sent by C-level executives and 25% reported employees were responsible for the mistake.
Fifty-eight percent of respondents believed that untargeted phishing attacks had increased over the preceding three months; 53% thought the same was true for spear phishing attacks. When you combine those percentages with the 70% of respondents that reported malicious attacks, it’s surprising that only 54% thought it’s likely or extremely likely that their organization will be hurt by cybercriminal activity in 2017.
Respondents indicated their organizations are generally not prepared to handle either the attacks they have experienced or the threats they see on the horizon. Only 30% of the respondents thought their organization had a complete cybersecurity defense in place. Another 53% said their organization was in the process of implementing such a defense and 15% were talking about it.
Email impersonation fraud
Email impersonation is a social engineering tactic in which an email that fraudulently appears to come from a legitimate source (a colleague, an executive or a trusted supplier) is used to extract sensitive information from the recipient or to induce an action such as a wire transfer. The Mimecast ESRA uncovered 1,697 fraudulent email impersonations.
Seventy-six percent of respondents said their organization has security technology in place that is designed to prevent email impersonation fraud. That technology is evidently not sufficient: 64% of respondents said their organization suffered losses due to email impersonation over the preceding 12 months. Of those, 34% suffered a data loss, 27% a financial loss, and 30% a loss of reputation. Respondents thought email impersonations requesting wire transfers (53% of respondents) or confidential data (51%) had increased over the preceding three months.
In general, respondents were not confident that management was up to the task of protecting against email impersonation. Forty-eight percent stated they thought their organization’s management team did not know enough about CEO impersonation to protect against it. Forty-one percent believe their CEO undervalues email security and 39% are not confident their CEO knows enough to protect him or herself from an impersonation attack.
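The impersonation tactic described above usually leaves traces in the message headers: an executive's display name on an outside address, a sender domain that is one character or one homoglyph away from the real one, or a Reply-To that silently redirects replies elsewhere. The following is an added example, not Mimecast's code or part of the ESRA; the organization domain, the executive names and the four sample messages are constructed for illustration, and it goes beyond the page by showing all three checks together.

```python
# Added example (not Mimecast's code): flag three common email-impersonation
# indicators in message headers. ORG_DOMAIN, EXECUTIVES and the sample
# messages below are constructed for illustration.
import email
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                 # assumed protected domain
EXECUTIVES = {"alice ceo", "bob cfo"}      # assumed display names to watch

# Single-character confusions commonly used in lookalike domains
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def normalize(domain: str) -> str:
    """Fold homoglyphs so 'examp1e.com' compares equal to 'example.com'."""
    d = domain.lower()
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True if domain is not ORG_DOMAIN but is within one edit or homoglyph of it."""
    domain = domain.lower()
    if domain == ORG_DOMAIN:
        return False
    return normalize(domain) == normalize(ORG_DOMAIN) or edit_distance(domain, ORG_DOMAIN) <= 1


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def impersonation_indicators(raw_message: str) -> list:
    """Return the indicator names found in the message headers (empty list = nothing flagged)."""
    msg = email.message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    findings = []
    # 1. An executive's display name on a sender outside the organization
    if from_name.strip().lower() in EXECUTIVES and from_dom != ORG_DOMAIN:
        findings.append("display_name_spoof")
    # 2. Sender domain is a near-miss of the organization's domain
    if is_lookalike(from_dom):
        findings.append("lookalike_domain")
    # 3. Replies are redirected to a domain other than the sender's
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append("reply_to_mismatch")
    return findings


# Constructed sample messages (raw RFC 5322 text)
LEGIT = (
    "From: Alice CEO <alice@example.com>\nTo: bob@example.com\n"
    "Subject: Q3\n\nSee attached.\n"
)
DISPLAY_NAME = (
    "From: Alice CEO <alice.ceo@webmail.example.net>\n"
    "Reply-To: alice.ceo@webmail.example.net\nTo: bob@example.com\n"
    "Subject: urgent wire\n\nPlease wire $40k today.\n"
)
LOOKALIKE = (
    "From: Accounts <ap@examp1e.com>\nTo: bob@example.com\n"
    "Subject: invoice\n\nUpdated bank details attached.\n"
)
REPLY_TO = (
    "From: Alice CEO <alice@example.com>\nReply-To: alice@mail-relay.example.org\n"
    "To: bob@example.com\nSubject: confidential\n\nSend me the payroll file.\n"
)

if __name__ == "__main__":
    for label, raw in [("legit", LEGIT), ("display-name", DISPLAY_NAME),
                       ("lookalike", LOOKALIKE), ("reply-to", REPLY_TO)]:
        print(f"{label:13s} {impersonation_indicators(raw)}")
```

These header checks are attacker-visible heuristics, not authentication: a message whose From address exactly matches the organization's domain passes checks 1 and 2 even when forged, which is why they belong alongside SPF, DKIM and DMARC verification rather than in place of it.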
In their recent State of Malware report, Malwarebytes noted that the share of malware payloads delivering ransomware rose from 18% to 66% between January and December 2016. Ninety-eight percent of respondents in the Mimecast/Vanson Bourne survey said that they have concerns about ransomware attacks on their organization.
As well they should. Sixty-one percent of respondents said their organization experienced a ransomware attack in 2016. Forty percent reported that the attack encrypted all or most of their data and 53% paid the ransom.
Email was believed to be the most likely threat vector for ransomware. Email with malicious attachments (64% of respondents) or malicious links (53%) were thought to be the most likely sources for ransomware attacks. Browsing websites with malicious content was thought to be a source by 55% of respondents.
Respondents reported that on average it took a bit more than four days to recover all their data from backups after a ransomware attack. Ninety-eight percent reported that their organization has backups. That’s a very high percentage but you have to wonder about the remaining 2% of organizations that do not back up their data.
As was the case for both impersonation fraud and cyberattacks in general, the proportion of respondents who said their organization is investing in protection is smaller than the proportion who either express concern for the future or have suffered losses in the past. Fifty-nine percent of respondents said their organization has invested in technology to protect against ransomware and 50% have invested specifically in email defenses.
The Mimecast/Vanson Bourne survey paints a clear picture. In defiance of both their past experience and future expectations, organizations are less than adequately prepared to handle cybersecurity threats. Email is, and is perceived to be, a primary threat vector and yet many organizations do not have sufficient email protection. Peter Bauer, Mimecast’s CEO, put it this way in an email he sent me,
“Organizations think they have protection in place, but what they really have is a pollution filter that keeps out spam and viruses, not something that is capable of reliably keeping out determined adversaries. ESRA is available to help organizations diagnose the extent to which they are exposed and figure out what to do about it.”