The State of Email Security 2021
Are You Prepared for Today & Tomorrow's Challenges?
A RISING TIDE OF RISK CALLS FOR NEW PROTECTION
A tumultuous year in cybersecurity presented companies and IT professionals with a seemingly never-ending flood of challenges in 2020, especially when it came to email security.
Record-high increases in all forms of cybercrime, including a precipitate increase in phishing threats spawned by the global pandemic, left businesses scrambling and cybercriminals rolling in cash as they scored victories through ransomware, business email compromise, credential theft and other expensive, damaging disasters.
As we move through the fallout of 2020’s cybercrime explosion, it’s clear that protecting a business from cybercrime starts with protecting a business from phishing. By crunching the numbers, reviewing trends and listening to expert recommendations, businesses can confidently make decisions about adding technologies like automation and AI to their email security toolset to ensure that they’re maximizing protection and minimizing risk as they build their cyber resilience for a safe 2021.
WHAT ARE SOME COMMON OPTIONS FOR EMAIL SECURITY?
SECURE EMAIL GATEWAY (SEG)
A Secure Email Gateway (SEG) monitors incoming and outgoing messages and compares them to a pre-selected list of threats. This software can be complex to install, require specialized training to maintain and usually requires human input to learn new threat data. Messages can be delayed or lost as they are compared to a threat or safe sender list that requires constant updating. Popular SEG providers include ProofPoint, MimeCast and Barracuda.
Built in or add-on email security features in Microsoft 365, Google Workspace or other business application suites. This typically includes spam filters, routine antivirus and antimalware scans and limited reporting and configuration capabilities. Typically, these tools require outside threat intelligence from system updates or reports to learn about new threats. Incoming messages are compared with a list of safe or dangerous senders and legitimate messages can easily be misjudged as spam.
AI-powered automated security gathers its own threat intelligence to constantly refine protection against new threats while learning a company’s communication patterns. AI adjudicates the content of messages instead of relying on safe sender lists. Automated security requires little technical know-how to run. AI also warns employees to potential danger and self-manages threat data providing accurate anti-phishing defense without fuss, delays or frequent human intervention.
EPIC CYBERCRIME AND PHISHING GROWTH SURGED THROUGH RECORDS (AND BUSINESSES)
Email security became more critical than ever in 2020 due to a confluence of world events. Cybercriminals leveraged pandemic stress and the inexperience of a world full of anxious remote workers to drive phishing-related cybercrime to new heights.
- Phishing threats rose more than 600% in 2020.
- COVID-19 is the most “phished” topic in history.
- Of all data breaches, 90% started with a phishing email.
- Spear-phishing was the culprit in 91% of successful data breaches.
- Of all enterprise network intrusions, 95% were also the result of spear-phishing.
- One out of every 99 messages a business receives contains a phishing attack.
- An astonishing $2.1 billion in actual losses was spawned from business email compromise attacks against O365 and G Suite users.
- Cloud-based attacks ballooned with a 32% increase from the previous year.
- Credential phishing, already the most common kind of spear-phishing, rose by 14%.
- There was a 16% growth in malware file attachments detected and blocked in 2020.
- Phishing threats sent via spam skyrocketed by 41%.
- Phishing that targeted webmail and Software-as-a-Service (SaaS) was king, comprising 31.4% of all attacks.
- An estimated 6 billion fake emails were sent to businesses daily.
KEY AREAS OF FOCUS FOR PHISHING-RELATED CYBERCRIME
As cybercrime continues to evolve, the impact that the 2020 phishing boom has had on the 2021 threat landscape has become clear. Cybercriminals are refining their efforts to maximize on opportunities for profit in these categories.
Business Email Compromise (BEC)
Flexible and devastating, this type of attack rose 14% in 2020, with a whopping 65% of organizations facing a BEC threat. A flood of information about businesses gleaned in data breaches reached the dark web last year, fueling future attacks. Profit will also keep driving this category forward in 2022 – bad actors enjoyed payouts in 2020 that were 30% larger than the previous year.
Cybercriminals took advantage of the fact that so many companies increased their volume of email sent to launch audacious brand impersonation schemes. That subtype of spear-phishing saw explosive growth – up by 81% over the prior year – and 43% of those messages imitated Microsoft. As email volumes remain high, this style of attack shows no signs of slowing down.
Cybercriminals leveraged the fact that 55% of remote workers rely on email as their primary form of communication to unleash a flood of phishing that was far too successful. More than 40% of remote workers made email-handling errors that caused cybersecurity incidents, with 47% of those workers blaming their failure to spot phishing attempts on distraction. As organizations continue operating remotely or adopt a hybrid model for their workforce, this trend is set to continue in 2021.
CONSEQUENTIAL SECURITY GAPS LEAVE WIDE OPENINGS FOR ATTACKERS
Human error was responsible for 95% of data breaches in 2020. Beyond stress and distraction, a rapidly shifting phishing landscape means that risk often outpaces training; 97% of employees in many industries are unable to recognize a sophisticated phishing email. A steady expected increase in email volume will make this problem more acute as time goes on. In 2020, 306.4 billion emails were sent and received each day and that figure is expected to increase to over 376.4 billion daily messages by 2025.
A shocking 98% of cyberattacks in 2020 used social engineering. Isolated, stressed and anxious employees interacting with more email with less IT support opened unexpected doors to a data breach. On 2020’s list of the most opened phishing emails, the top scams included bogus social media requests, false system messages and fake internal corporate email. This category will continue to grow as cybercriminals refine their phishing techniques to bypass traditional email security through content.
IT TEAM OVERLOAD
The IT skills gap has grown significantly more acute with 72% of executives saying that they couldn’t find the personnel they needed last year, leaving 82% of security teams chronically understaffed. Money and expertise are in short supply at most organizations. Only 45% of organizations reported having enough budget available and only 39% of companies feel they have adequate IT expertise to handle increased ticket volumes. This opens the door for cybersecurity disasters as stress and inefficiency leads to problems that may not be addressed until it’s too late.
DO AREAS OF VULNERABILITY IN LEADING EMAIL SOLUTIONS LEAVE BUSINESSES UNPROTECTED?
Most email programs come with an array of security tools baked in. However, they’re not always reliable. The security features in leading email programs have trouble handling the pace of today’s phishing threats, especially when faced with zero-day attacks and rapidly escalating danger.
IS YOUR EMAIL SECURITY SMART ENOUGH TO KEEP YOU SAFE?
The volume and complexity of today’s email-based cybercrime threats require choosing smart security. Solutions that rely on occasional system updates or manual input from IT staffers to obtain threat intelligence may not be able to keep up with the pace of danger, which can prove to be a big liability when every second counts.
- A phishing URL has a lifespan of about 24 hours.
- Of all undetected phishing attacks, 90% are discovered in an environment that uses a Secure Email Gateway (SEG).
- Only 17% of email solutions and SEGs were able to detect previously unknown malware.
- Of all standard security tools, 34% could spot unknown credential phishing links.
- Of all phishing sites linked in suspicious messages in 2020, 80% used SSL to bypass threat lists.
In an analysis of unexpected messages that were handled by conventional email security last year, researchers found that:
- Only 20% were correctly marked as phishing.
- Only 49% were correctly marked as spam.
- Only 5% were whitelisted by admin configurations.
- Only 25% were marked clean in error and successfully reached their targets.
In an organization with 1 – 250 employees, one in 323 emails will be malicious.
In an organization of 1,001 – 1,500 employees, one in 823 emails will be malicious.
ARE YOU READY FOR TOMORROW’S THREATS?
In a rapidly shifting threat landscape, businesses need to be ready for anything. Maintaining a strong defense against cybercrime includes staying one step ahead of cyberattack trends. These three threats with dangerous growth potential should be on every IT security team’s radar in 2021.
Angler Phishing (Social Media Phishing)
This is not a new concept but a few fresh twists are bringing it back into the spotlight. A steady increase in regular social media use for business led to a surge in phishing – 43% of the most opened phishing messages last year purported to be LinkedIn requests or communications, followed closely by Twitter. As more companies communicate with their customers digitally through messaging and social media, new opportunities have opened up for hybrid angler phishing/BEC scams as well – 55% of those attacks targeted customers of financial institutions.
Double Extortion Ransomware
A stunning one in four attacks that IBM Security X-Force Incident Response remediated in 2020 were caused by ransomware. Double extortion ransomware is a rising problem as cybercriminals double down on their attacks to double their profits by requiring their victims to pay twice – once for the usual decryption code and then a separate fee to not have the encrypted data copied by the cybercriminal gang. Practitioners of this tactic were responsible for more than 50% of all ransomware attacks in 2020.
Brand Impersonation and Deepfakes
Brand credibility is a popular asset for cybercriminals to leverage as they roll out audacious phishing scams. Experts estimate that out of every 25 branded emails, at least one is a phishing attempt. The lion’s share of scams impersonate Microsoft (43%), followed by Amazon (38%). Deepfakes are an emerging threat as bad actors use clever editing and graphic design to make falsified videos and ads for brands to entice users to fake websites and steal credentials – 74% of IT leaders think deepfakes are a threat to their organization’s security.
Malicious Insider Threats
In a challenging economy, everyone is looking for ways to make more money, including cybercriminals and potential cybercriminals. People-based cyberattacks, like employees leaking data maliciously, are up 61%. In 2020, 30% of all data breaches were caused by internal actors, including 4% that involved physical actions by malicious employees like stealing sensitive data on a flash drive. European businesses have a higher chance of experiencing espionage than U.S. businesses, clocking in at 14% and 10% respectively. Malicious insider incidents are expected to climb 10% or more in 2021.
INVEST IN A SAFER FUTURE BY CHOOSING INNOVATIVE EMAIL SECURITY TODAY
IT investment in cybersecurity is evolving to shift from damage absorption defenses to agile cyber resilience. One of the biggest areas of change has been in the adoption of automation and AI technology as innovations in those fields have put smart solutions within reach for every business.
Here’s why leading organizations are investing in AI and automation:
- Automation tools can save up to 50% of recovery costs in the event of a cybersecurity incident.
- Security automation can save more than 80% of the cost of manual security.
- Automated email security catches 40% more phishing threats than traditional security.
- AI and security automation-enabled organizations respond to breaches nearly 30% faster than companies without security automation.
- Among the leading organizations, 80% use security automation.
- More than 90% of business leaders say that automation is a must-have to manage large alert volumes with small IT teams.
- AI security tools, like automated email security, are employed by 41% of companies.
- Experts agree that security automation is the number one way to reduce a company’s attack surface.
- Among the leading cyber-resilient organizations, 84% spend more than 20% of their IT budget on tools that facilitate the use of artificial intelligence, machine learning or robotic process automation.
- Companies investing in automation have a four-fold advantage in stopping a targeted cyberattack.
WHAT ARE INDUSTRY LEADERS SAYING ABOUT PHISHING ATTACKS AND DEFENSE STRATEGIES?
Experts agree that email-based cybercrime is the top threat to organizations worldwide. When considering how to reduce a company’s attack surface against phishing attacks, it pays to learn from their experience.
- The UK National Cybersecurity Defence Center suggests that organizations should encourage their users’ willingness to report (phishing) and reassure them that it is OK to ask for further support when something looks suspicious. This message needs buy-in across all departments including HR, support and senior management.
- Microsoft states “Ransomware is the most common reason behind our incident response engagements from October 2019 through July 2020.”
- The U.S. Department of Justice recommends automatically scanning all incoming email messages to winnow out phishing threats.
- IBM notes in their Cyber Resilient Organization Report 2020 that 63% of surveyed organizations considered AI and automation tools as essentials for cyber resilience and 60% cited them as an important tool for building a strong security posture.
- The U.S. Cybersecurity & Infrastructure Security Agency (CISA) urges organizations to “deploy an email solution that screens based on headers and malicious content (e.g., malicious macros, infected attachments, etc.).”
WHAT TO LOOK FOR IN AN EMAIL SECURITY SOLUTION
Complexity and jargon can bog down your search for the right email security solution for your business. These assessment questions can help you determine if you’re making a smart choice to protect your data and your profits from phishing-related cybercrime.your prospective solution:
- Always evolving to keep abreast of more sophisticated threats?
- Fast with no send and receive delays?
- Fully managed with seamless implementation?
- Highly scalable and customizable?
- Able to provide Microsoft Outlook and Gmail users with resilient protection?
- Using automation to quarantine threats and streamline reporting to reduce IT team overload?
- Equipped with AI that learns on its own instead of relying on periodic threat intelligence updates?
- Easy to deploy, run and maintain?
- Accurate, including spotting Zero Day threats and avoiding false positives?
TAKE THE NEXT STEP TO PROTECT YOUR ORGANIZATION FROM ALL TYPES OF EMAIL THREATS
Meet Graphus - simple, powerful, automated protection from phishing attacks. Improve your cyber resilience and bolster your defense against today’s biggest threats with a smart, AI-driven guardian powered by patented algorithms that use more than 50 points of comparison to adjudicate incoming messages. Graphus never stops learning, growing and evolving with your business, providing you optimal protection every day.Put three strong shields between your business and phishing:
- TrustGraph® automatically detects and quarantines malicious emails that might break through an organization’s native email security or existing SEG, eliminating the possibility of an end user interacting with harmful messages.
- EmployeeShield® alerts recipients of a potentially suspicious message to danger they may not notice by placing an interactive warning banner at the top that allows users to quarantine or mark the message as safe with a single click.
- Phish911™ empowers employees to proactively quarantine and simultaneously report suspicious and unwanted emails for IT to investigate, reducing your exposure to potential disaster.
The choice is clear: smart, automated email security is the right move for businesses in 2021 and beyond. Let us help you give your business the big benefits of automated security at an affordable price without sacrificing functionality or innovation when you choose Graphus.Schedule a Demo
See Graphus in Action
- https://www.cisa.gov/sites/default/files/publications/Capacity_Enhancement_Guide-Counter-Phishing_Recommendations_for_ Federal_Agencies.pdf