• United States



C-suite is a weak link when it comes to email-based attacks

Jul 25, 20183 mins

Phishing and impersonation attacks are up, and the C-suite is the weak link in email-borne attacks.

The word eMail spelled out with computer keys
Credit: Thinkstock

Organizations can’t get around using email, and 90 percent of organizations have seen phishing attacks rise or stay the same over the last year. While humans have long proven to be the weakest link in an organization’s security chain, C-suite and C-level executives are some of the least cyber-aware individuals in an organization.

Close to 40 percent of respondents said their organization’s CEO was the “weak link” in their cybersecurity operations, according to the State of Email Security 2018 report (pdf); it’s based on a survey by Mimecast Limited and Vanson Bourne of 800 IT decision makers. Nearly 40 percent of those IT decision makers reported that their CEO “undervalues the role of email security.”

Of those surveyed, 31 percent said C-level employees were likely to accidentally send sensitive data to the wrong person, compared to 22 percent of general employees. Further, 20 percent claimed that a member of the C-suite sent sensitive data in response to a phishing attack, and 49 percent claimed their management and finance teams aren’t knowledgeable enough to identify and stop an impersonation attack.

Fifty percent of respondents said the volume of phishing attacks went up over the last year, while 40 percent saw a rise in the volume of impersonation attacks.

Impersonation attacks increase

Regarding impersonation attacks over the last year, 40 percent of organizations saw an increase in the volume of impersonation fraud requesting a wire transaction. Another 40 percent claimed to have seen impersonations of finance/accounts, 28 percent said the C-suite is a common impersonation target, and 25 percent saw impersonation of HR staff member. In addition, 39 percent said the volume of requests for confidential data increased.

The survey also found that 59 percent of organizations will reportedly suffer a negative business impact from email-borne attacks this year, but only 11 percent of organizations continuously train employees to spot cybe rattacks. The report said email was the number-one vector used to initiate attacks such as malware delivery, impersonations, and credential-stealing attacks.

The report also says 92 percent reported having seen ransomware delivered via email attachment that resulted in an average downtime of three days or longer.

And 61 percent of organizations hit by an attack saw malicious activity spread from one infected user to other employees via email. Nearly 50% saw malicious activity spread via infected email attachments; malicious URLs via internal email accounted for over a quarter of those attacks.

Internal threats increase

Internal threats are also on the rise, according to the report. Eighty-eight percent of organizations encountered internal threats driven by careless employees, 80 percent had to deal with compromised accounts, and 70 percent encountered malicious insiders.

Many organizations think that constantly evolving email-based attacks fall under the domain of being an IT problem. But Mimecast CEO Peter Bauer said, “It requires an organization-wide effort that brings together many stakeholders, puts the right security solutions in place and empowers employees – from the C-suite to the reception desk – to be the last line of defense.”

The report concluded:

“It’s clear that you’re up against an array of nasty email-based attacks – originating both externally and internally – and the climate is only getting worse. Email is at the intersection of a massive amount of risk. If addressing exposure doesn’t become a priority, cyberattacks will continue – and data protection and personal privacy will all but crumble.”

ms smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.