Security executives more stressed – but more optimistic – about email threats

Email security attacks are damaging employee productivity, increasing downtime, and damaging the reputation of IT teams, according to a new study that also found APAC companies are nonetheless the world’s most optimistic about their overall security postures.

Fully 36 percent of the 660 respondents to the Barracuda Networks 2019 Email Security Trends report said email-borne attacks had caused downtime and business disruption within their company, while 20 percent cited significant recovery costs and 16 percent said the attacks had caused the loss of sensitive, confidential or business-critical data.

Those are significant consequences for incidents that can result from something as simple as a single accidental click by an employee.

Most respondents said they had been the target of email-based security threats over the past year, with 75 percent of APAC respondents and 85 percent of American respondents reporting such attacks.

Fully 43 percent of respondents said spear-phishing attacks had caused machines to be infected with malware or viruses, while a third said malware had stolen log-in credentials or taken over accounts.

Job stress taking its toll

Those incidents – and the ongoing threat posed by spear-phishing attacks – had had a tremendous personal impact on security executives, with 44 percent of APAC respondents saying the stress of their job had increased over the past year.

Fully 45 percent said they were working evenings or weekends to address security issues – well ahead of the 27 percent in America and 23 percent in Europe – while 43 percent were worrying about potential email security issues outside of work hours and 23 percent said they had had to cancel personal plans to respond to attacks.

Despite the impact of these attacks, however, fully 70 percent of APAC respondents said they believe their organisation is more secure than it was 12 months ago – compared with 52 percent in the EMEA region and 64 percent in the Americas.

This, despite reports that 44 percent of incidents had cost the business up to $US100,000 ($A143,000) – and 23 percent had cost between $US100,000 and $US5 million ($A7.2m).

The findings highlight the ongoing problems posed by poor management of this most common conduit of security threats – and lend further weight to recent reports by Proofpoint, which evaluated the email threat landscape and found that the use of malicious URLs in emails had exploded 180 percent compared with the same period a year ago.

That firm’s Q1 2019 Threat Report found that 61 percent of malicious email payloads seen during the quarter were driven by the authors of the Emotet botnet, and 21 percent were banking Trojans.

Ransomware was “virtually absent” during the quarter, Proofpoint reported, but targeted businesses experienced an average of 47 email fraud attacks during the quarter and malicious URLs outnumbered malicious attachments by a ratio of around five to one.

Despite high volumes and immediate threats, however, many companies admitted that they were still struggling to remediate those threats: 35 percent of the respondents to the Barracuda report said their remediation capabilities were “acceptable”, meaning they catch many email attacks but miss many others.

Automated incident response was critical in reducing response times – 55 percent said it takes over an hour to investigate and remediate an email attack, leaving a large window in which to be compromised – and would, the analysis recommended, “cut through complexity, accelerate time-to-detection and free up stretched and stressed security staff.”

“Improved phishing awareness, using real-life simulation tools, is essential to ensure that every end user is a strong first line of defence against cyberattacks.”

Copyright © 2019 IDG Communications, Inc.
