With the ubiquity of remote work and sprawl of internet-connected devices today, email has cemented its place as the true system of record for enterprises. Unfortunately, email is also the most common attack vector for cybercriminals, with over 96% of all security attacks beginning with an email. As organizations move their email services to the cloud with speed and certainty, securing this vital form of communication is in an interesting state of flux today.
Armorblox commissioned the Enterprise Security Group (ESG) to conduct research into email security in an attempt to capture the data behind the ever-changing face of this market. ESG surveyed 403 IT and security professionals responsible for evaluating, purchasing, and managing email security solutions. The report provided deep insights into the importance of email security, the move to cloud-delivered email, and the rise of socially engineered email attacks.
Email - A Top Five Cyber Threat Vector
When asked to assess the importance of cyber threat vectors, more than two-thirds of respondents (69%) named email security as one of the top five cybersecurity priorities for their organization. This may come as a surprise, given the relatively mature nature of email security controls such as Secure Email Gateways (SEG). But the continued and elevated importance of email security comes down to one inescapable fact: organizations are still getting attacked over email.
Around 68% of respondents faced persistent email attacks over the past 12 months, with 48% reporting attacks on at least a monthly basis. Email is such a popular vector for security attacks because it can be a vehicle for simple, mass-produced phishing attempts as well as for laser-targeted, socially engineered compromise. Email attacks are also the most likely to rely on human action (or misaction), resulting in the widest possible threat surface for cybercriminals.
All Roads Lead To The Cloud
One of the clearest email trends over the past few years has been the relentless move towards cloud-delivered email. Close to 90% of surveyed respondents reported using cloud-delivered email, with 73% identifying cloud as their primary platform. The caveat here is that 65% of respondents still used on-premises email in some limited capacity. Given this landscape, email security controls that work across hybrid environments will be best placed to provide effective and consistent protection against email attacks.
While this move towards cloud-delivered email has encouraged organizations to move away from Secure Email Gateways (SEGs), the flipside is that more than 53% of respondents found native email security capabilities to be insufficient. Among those organizations, only 23% chose to incorporate additional, third-party controls before migrating to cloud-delivered email. This highlights a clear and unmet need for third-party email security controls that complement the native capabilities of cloud email providers.
Not Just Phishing Anymore
While mass phishing emails still exist, cybercriminals have started moving towards socially engineered email attacks that get past traditional defenses by targeting the human layer of enterprises. These attacks - called Business Email Compromise (BEC) - have led to $26 billion in financial loss over the past three years according to the FBI. And they’re reaching inboxes right now.
Nearly 60% of surveyed organizations experienced at least one BEC attack within the last 12 months. Email account compromise (or account takeover) ranked as the most commonly cited attack methodology, where attackers take control of a legitimate email account and weaponize it to launch further compromise attempts down the line. Executive impersonation (27%), vendor email fraud (23%), and wire fraud (20%) were other commonly cited attack methods.
The Age Of Transformation
The email security market is going through a sea change in terms of attack types, methods of deployment, and so much more. Hearteningly, organizations are aware of this change and ready to embrace it. Nearly 57% of respondents believe that email security is going through a significant transformation.
Many organizations are also willing to align their budgets with their beliefs. More than 64% of respondents plan to increase their spending on email security controls in the next 12 months compared with last year’s investments.
Given both the need and a willingness to invest, here’s some guidance for organizations looking to increase their spending in email security:
1. Broaden detection techniques
It’s tempting to go with tried and tested email security models, but there’s a risk of double-spending on capabilities by following this route. Organizations should complement the native features of their cloud email providers with third-party controls that take a different approach to email security. This approach could be related to detection techniques, attack coverage, or method of deployment.
2. Invest for the future
Mass-phishing attacks and known malware can be very dangerous, but the email security market has arguably overemphasized protecting against these attacks at the cost of leaving other entry vectors unguarded. Organizations should look for email security vendors that take a unique approach to stopping ‘needle in the haystack’ attacks such as business email compromise, account takeovers, payroll fraud, and vendor email fraud. These are the email attacks of today and tomorrow, and organizations need to safeguard themselves accordingly.
3. Embrace API-first deployment
As organizations move their email to the cloud, it’s advisable to look for API-first deployment models rather than following the well-trodden path of SMTP-based gateways. An API-based email security solution sits on top of (rather than in front of) native email security controls, providing additional detection capabilities that act on attacks only once they have gotten past native defenses.
4. Guard against alert fatigue
Adding more layers of email security should not result in an increased volume of low-fidelity alerts for already overworked security teams. Organizations should prefer email security controls that increase the relevance and reduce the volume of the alerts that security teams need to review.
While investing in third-party email security, organizations should be rigorous in their evaluation and look for detection techniques that complement the security they already have. With so many vendors in the market, organizations should be careful not to double-spend on capabilities, which reduces the efficiency of their budget outlay.