
Mike Fleck at Cyren explains why email breaches are such a problem for UK businesses, and what can be done to protect them
British organisations are more likely to suffer a successful email attack than businesses in the US, a survey conducted by Osterman Research has revealed.
Cyren commissioned the 2022 Benchmarking Survey to understand the threat and raise awareness of the growing risk to businesses across the world.
The results demonstrate that the problem is getting worse, not better. They also highlight security leaders’ concerns about the ability of their organisation to cope with the problem.
To find out more, teiss spoke to Mike Fleck, Senior Director, Sales Engineering at Cyren.
What does your research show about the threat facing British businesses?
We surveyed 226 businesses that use Microsoft 365 for email and found that organisations in the UK are falling victim to email breaches at a higher rate than the US. British companies face an average of 22.7 breaches each year, compared to 20.6 in the US.
The data also shows a significant rise in the number of email breaches overall, with the rate of attacks on American organisations more than doubling since our previous survey in 2019, when respondents reported 10.2 incidents. In the UK, the acceleration has been slower, with breaches increasing from 13.7 in 2019.
Unfortunately, the rise in email breaches is not limited to the UK and US. The study also involved respondents from other countries, providing a snapshot of the worsening situation around the world. We found that 89 percent of organisations suffered one or more successful email breach types during the previous 12 months. Again, this is a higher proportion than the 2019 survey.
Is the problem getting worse?
Yes. Overall, the number of email breaches per year has doubled in the past three years. In 2022, almost every organisation has been hit. Nine out of ten organisations (89 percent) suffered one or more email-related breaches in the previous 12 months.
This is an increase from 78 percent of organisations in 2019. There was also a disparity between the UK and US, with 93 percent of British businesses reporting a breach compared to 86 percent.
The organisations that did not report an attack have not necessarily escaped; there is a chance they experienced great success and avoided breaches. However, it is also likely they have simply not yet identified a breach, which typically takes up to 300 days to discover.
They may also follow a policy of non-disclosure whereby they don’t have to inform anyone (other than government regulators) about the incident.
The takeaway from our survey is clear. Malicious emails continue to evade detection and distracted users are increasingly falling victim despite near total adoption of security awareness training. This has resulted in organisations spending more time analysing suspicious email alerts and responding to breaches.
Security leaders need to improve the maturity of their email security to minimise the time it takes to detect an evasive threat and delete it before a distracted employee makes a terrible mistake.
What is the most common type of email threat?
Social engineering is still a major cause of breaches, with 69 percent of organisations reporting a phishing attack in the past 12 months, making it the top vector. In second place was Microsoft 365 credential compromise, with 60 percent of respondents reporting this type of breach in the past year, followed by malware (59 percent), spamming or email DoS (52 percent) and ransomware (51 percent).
Our study once again showed a difference between the UK and US, with British respondents suffering 19 successful Microsoft 365 credential compromises per year compared to 10 for organisations in the US - even though organisations in the UK have more IT staff members than their counterparts working across the Atlantic.
Are security leaders confident their organisation is prepared to tackle email threats?
Our survey showed that security leaders face a range of worries about resilience and preparedness, with the majority reporting that their organisation’s security solutions are not capable of dealing with a range of threats.
We found that 36 percent of security leaders were “concerned” or “very concerned” about the time it takes to address email threats that are not currently blocked by their security solutions. A further 32 percent expressed the same sentiment around their current solution’s ability to block ransomware and 31 percent worried about finding and retaining skilled cyber-security professionals.
We also found that the majority of leaders did not believe their security solutions were “effective” or “highly effective” at blocking impersonation attacks, credential compromise campaigns, account takeover and other attack vectors.
Currently deployed security products were deemed to be least effective at stopping cyber criminals from impersonating executives, with 64 percent of respondents warning that this type of attack may not be stopped by their organisation’s defences.
How much does it cost to address email threats?
To answer this question, we asked respondents how long it took to remediate successful attacks and then calculated the cost using the average salary and benefits for a cyber-security analyst, which is $121,774 in the US and $65,552 (£49,661) in the UK.
On average, respondents reported that dealing with a compromise or breach took 175 hours. In the US, the time was 197 hours. In the UK, it was 148 hours.
Considering that US survey respondents reported 20.6 breaches, this means that US organisations face a cost of $247,022 per year, or $82.53 per mailbox per year. In the UK, the cost was $104,441 (£83,419) per year, or $53.01 (£42.34) per employee per year.
Now consider the number of malicious emails that are detected before causing a breach and must be removed from all user mailboxes – what some would call “left of boom”. To calculate the cost of responding to these alerts we assumed that an email attack must be removed from 10 percent of mailboxes in a manual process that takes 15 minutes.
This approach allowed us to calculate that removing emails from inboxes costs $34,058 per year per 1,000 email users, or $34.06 per employee per year in the US. In the UK, the cost is $17,552 (£13,274) per year per 1,000 email users, or $17.52 (£13.27) per employee per year.
What can organisations do to improve resilience and tackle email threats?
Reduce the time it takes to detect threats that have been delivered to user mailboxes and automate the response to those threats so they can be quickly removed. Invest in specialised and automated approaches to detecting and neutralising social engineering threats.
This is a key addition to the traditional secure email gateway or security capabilities found in Microsoft 365 Defender (formerly known as Advanced Threat Protection). Incident response processes should also be optimised to reduce the ongoing costs of investigating alerts and removing confirmed threats, and minimise the likelihood of a breach.
Training is also vital. Educating employees on email threats increases the number of messages they report as suspicious, with 84 percent of organisations reporting that training improved response to email threats. Just over a quarter (27 percent) of respondents said training enabled staff to report twice as many messages.
Take note: the increase in user-submitted alerts comes with a high false positive rate (41 percent), so user training needs to be supported by specialised detection and more mature incident response.
We found that regular training is more effective. Employees that are trained once or twice a year are most likely to report between one and a half and twice as many messages as suspicious (26 percent and 33 percent).
Organisations considering implementing training schemes are advised to begin as soon as possible. The share of reported messages that are malicious has risen from 53 percent a year ago to 50 percent now and is expected to grow further to 62 percent over the next 12 months (see previous note about false positives).
We urge organisations to move quickly and decisively. Our data shows that the threat posed by email attacks is serious, growing, and likely to get worse. Improving post-delivery detection and response and rolling out training must be a priority. Security leaders need to have more confidence in the tools which protect inboxes, so we advise them to choose wisely.
The solution they invest in should be capable of responding to threats ranging from spear phishing to business email compromise as well as offering the ability to continuously monitor emails and automatically deal with latent threats as they show their true nature.
Email inboxes are now the frontline of an organisation’s defence. They must be defended according to evolving best practices.
Mike Fleck is Senior Director, Sales Engineering at Cyren
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543