Email Security Breaches Rampant Among Critical Infrastructure Organizations
A full 80% of organizations within the critical infrastructure vertical experienced email-related security breaches in the past year, according to an OPSWAT survey.
Despite the advancements in cybersecurity, nearly two-thirds (63%) of IT and security leaders admitted that their email security strategies require significant improvement.
The report found that while email remains a vital tool for communication and productivity, it also continues to be the primary vector for cyberattacks.
Threat actors exploit vulnerabilities through phishing attempts, malicious links and harmful attachments, leading to breaches that can compromise both IT and operational technology (OT) environments.
More than half of respondents in the survey mistakenly believe that email messages and attachments are benign by default, overlooking the inherent risks these channels present.
The study highlighted several key issues, including that critical infrastructure entities are prime targets for cyber actors.
Despite the frequency of attacks, 48% of organizations lack confidence in their current email defenses, leaving them vulnerable to increasingly sophisticated attacks.
In addition, nearly two-thirds (65%) of organizations said they are not meeting regulatory compliance standards, exposing themselves to significant operational and business risks.
The research also points to a gap in advanced email security capabilities, with many organizations missing essential measures, such as content disarm and reconstruction (CDR), URL scanning for malicious links, and anomaly detection within email messages.
Itay Glick, vice president of products at OPSWAT, said organizations must shift away from assuming emails are safe and instead treat every message and attachment as potentially malicious.
He also recommended advanced phishing protection including behavioral AI, URL scanning and time-of-click link analysis.
“This provides comprehensive protection against phishing and post-delivery weaponization, both of which are major threats highlighted in the report,” he said.
Jason Soroko, a senior fellow at Sectigo, said that because email remains a primary attack vector, organizations should offer their workforce interactive training with real-world phishing simulations and case studies.
“Use microlearning and gamification to keep it engaging,” he said.
He also suggested encouraging a culture where employees report suspicious emails without fear.
“By keeping training periods frequent and short, a balance of both effectiveness and comprehensiveness can be achieved,” Soroko said.
Layering Tools in a Comprehensive Framework
Glick added that, against phishing attempts, URL scanning and time-of-click link analysis can protect users from malicious links that appear harmless at delivery but are weaponized afterwards.
In the current email security landscape it is common to use multiple vendors to protect the email channel, and these advanced technologies can be integrated on top of existing solutions such as Microsoft 365’s native security features.
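As an added illustration (not code from the article, OPSWAT or any vendor quoted), the Python sketch below shows the time-of-click pattern Glick describes: each link is rewritten at delivery into a signed gateway URL, and the verdict is looked up again when the user clicks, so a domain that was clean at delivery but turned malicious afterwards is still blocked. The gateway host, signing key, message body and reputation table are all constructed for the demo.

```python
"""Time-of-click link analysis: rewrite links at delivery, re-judge them at click time."""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlparse

# Constructed demo values: a click-gateway endpoint and an HMAC key (not production material).
GATEWAY = "https://clicks.example.invalid/go"
SIGNING_KEY = b"constructed-demo-key-not-for-production"
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _sign(url: str) -> str:
    # HMAC over the original URL so the gateway cannot be abused as an open redirector.
    return hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()[:32]


def rewrite_links(body: str) -> str:
    """Delivery time: replace every link in the body with a signed gateway link."""
    def wrap(match: re.Match) -> str:
        url = match.group(0)
        return f"{GATEWAY}?u={quote(url, safe='')}&s={_sign(url)}"
    return URL_RE.sub(wrap, body)


def resolve_click(gateway_url: str, reputation: dict[str, str]) -> tuple[str, str]:
    """Click time: verify the signature, then apply the *current* verdict for the host."""
    params = parse_qs(urlparse(gateway_url).query)
    url, sig = params.get("u", [""])[0], params.get("s", [""])[0]
    if not url or not hmac.compare_digest(sig, _sign(url)):
        return "block", "signature mismatch"
    host = (urlparse(url).hostname or "").lower()
    if reputation.get(host) == "malicious":
        return "block", url
    return "allow", url


def demo() -> tuple[str, str]:
    """Same link clicked twice: clean at delivery, blocked after the domain is weaponized."""
    body = "Invoice ready: https://lure.example.test/doc.pdf"  # constructed message
    link = URL_RE.search(rewrite_links(body)).group(0)
    at_delivery = resolve_click(link, {})[0]                     # no verdict yet -> allow
    later = resolve_click(link, {"lure.example.test": "malicious"})[0]  # updated -> block
    return at_delivery, later


if __name__ == "__main__":
    print(demo())  # ('allow', 'block')
```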
Glick said by layering these tools within a comprehensive security framework, organizations can strengthen defenses against both known and unknown threats, mitigating risks by removing potentially harmful elements before they reach users.
“Implementing a zero-trust approach to email security means treating every email and attachment as potentially malicious until proven safe,” he explained.
The report also revealed that while the threat landscape continues to grow more sophisticated, the adoption of advanced email security technologies remains alarmingly low.
DLP, Audits and Employee Education
Glick noted that a layered approach also includes data security measures that protect the organization, such as data loss prevention (DLP), which prevents unauthorized data access or leakage and ensures encryption where required.
“DLP helps ensure that sensitive data stays within regulatory boundaries, mitigating the risk of accidental or malicious exfiltration via email,” he said.
Stephen Kowski, field CTO at SlashNext Email Security+, added that regular security audits, coupled with clear communication of policies and of the consequences for non-compliance, are essential.
“Automated enforcement tools can help maintain consistency across teams and reduce human error,” he said.
He added that companies should integrate security training with compliance requirements, creating a holistic approach that addresses both aspects simultaneously.
This can be achieved through role-based training programs that cover security best practices and relevant regulatory requirements.
“Continuous education is crucial, as threat actors constantly evolve their tactics,” Kowski said.