We’ve Been Using Email Since 1971—It’s Time We Make it Secure
An estimated 333 billion emails were sent and received daily worldwide in 2022. Email is one of the most important communication tools used today. It’s also a powerful, accessible, effective and low-cost tool for cybercriminals to use. As attacks continue to evolve, harnessing AI and advanced social engineering techniques for increasingly sophisticated, stealthy attacks, many organizations feel they are not secure enough to deal with these threats. As a result, many organizations are starting to invest more in email security—and it’s about time, since email has been around since the early 1970s.
Most Prevalent Types of Email Attacks
A full 75% of organizations worldwide fell victim to at least one successful email attack in the last year. While attacks vary greatly in complexity, volume and impact, there are a number of distinct categories of email threats:
● Spam: Unsolicited, bulk messages
● Malware: Software sent through email attachments or URLs with malicious content
● Data exfiltration: Data copied from a remote system without consent
● Phishing: Emails that attempt to trick an end user into believing the message is from a trusted person or organization to get them to take action
● Impersonation: A malicious actor pretends to be a person, organization or service
Email attacks impact businesses through monetary loss, sensitive, confidential or business-critical data, employee productivity and even cause damage to a brand’s reputation.
Email Phishing Attacks are Often Followed by Further Penetration
As phishing attacks increase in sophistication and the number of targets, we often see further penetration into victims’ environments because credential theft is the primary motive. With stolen credentials, the attacks have a broader attack surface, from network infrastructure to outward-facing web properties and third-party SaaS applications used by the victims. Therefore, further penetration into these environments likely goes undetected if detection and prevention capabilities are missing.
Security signals such as account takeover and business email compromise should be treated as early warnings. If adequate responses are taken, the impact of an attack can be materially reduced. For faster and more accurate responses, emphasize using an XDR tool with threat signal level integration with your email security tool.
Cyberattacks are Costly
Spam costs businesses about $20 billion per year in losses and can be used to distribute malware—such as ransomware—and large-scale phishing attacks. And 94% of malware is delivered via email. According to a recent report, the average cost of a ransomware attack in 2022 was $4.54 million.
The average cost of a data breach in the United States was $9.44 million; globally, data breaches cost organizations an average of $4.35 million. The average size of a data breach was almost 26,000 records. These breaches can not only lead to financial losses but also have long-lasting impacts on an organization’s brand and reputation.
Approximately 32% of breaches were phishing attacks; reported losses due to phishing reached $58 million. It’s estimated that 4% of recipients of a phishing attempt click on the malicious link, opening the door to bad threat actors.
Impersonation attacks via email (domain and brand) are on the rise as well—researchers saw a 400% increase in these attacks that attempt to hijack conversations.
These numbers reveal that hackers will stop at nothing to gain access to an organization’s data and sensitive information. And their vector of choice is often email.
Cyberattacks by Country
The U.S. continues to be one of the prime targets of email-based cybercrime, but they’re not alone. The United Kingdom, France, DACH (Germany, Austria and Switzerland), Benelux (Belgium, Netherlands and Luxembourg) and Nordics (Sweden, Norway, Denmark and Finland) regions, Australia and India were all victims of costly email security breaches in 2022. As a result, these countries also increased their email security spending considerably in the last year.
● United States
Successful email security breaches: 80%
Average most expensive attack: $922,292
Increased security spending: 38%
● United Kingdom
Successful email security breaches: 54%
Average most expensive attack: $645,946
Increased security spending: 24%
● France
Successful email security breaches: 71%
Average most expensive attack: $716,176
Increased security spending: 27%
● DACH
Successful email security breaches: 81%
Average most expensive attack: $979,752
Increased security spending: 22%
● Benelux
Successful email security breaches: 85%
Average most expensive attack: $1,223,228
Increased security spending: 14%
● Nordics
Successful email security breaches: 68%
Average most expensive attack: $1,268,137
Increased security spending: 19%
● Australia
Successful email security breaches: 74%
Average most expensive attack: $1,110,092
Increased security spending: 17%
● India
Successful email security breaches: 82%
Average most expensive attack: $1,337,805
Increased security spending: 32%
How to Protect Organizations Around the Globe
Globally, IT and security professionals need to stay on top of the latest cybersecurity threats. Here’s how organizations can minimize their risk and exposure to email-based cybersecurity threats:
● Deploy multilayered email security. As threats evolve, so should protection. It’s vital to have a solution in place that detects and protects against targeted phishing attacks.
● Protect users’ access. Using MFA provides an additional layer of security above and beyond username and password. Deploying zero-trust access technology alongside MFA will protect access and reduce exposure to lateral attacks.
● Automate incident response. An automated incident response solution will help clean up any threats found in users’ inboxes; this makes remediation more efficient going forward.
● Improve cybersecurity awareness. Train staff about email-based attacks by making them a part of security awareness training. It’s not only important that employees know what to look for, but they should also know how to report suspicious activity.
● Secure and back up all data. Data needs to be properly secured, isolated and backed up; it also needs to be able to be restored in a reasonable time frame.
Inbox defense protects organizations against sophisticated email-borne cyberattacks and prevents downtime, business disruption and loss of critical business data. Growing awareness and understanding of email risks and the need for robust protection are positive starting points for email security now and moving forward.
