
Email Critical Enterprise Risk, as Impersonation Attacks Increase

Mimecast’s latest State of Email Security report shows a rapid increase in phishing, ransomware, and impersonation attacks, with a need for organizations to bolster cyber resilience programs.

More than half of global IT decision makers have seen a drastic increase in the number of phishing, ransomware, and impersonation attacks, as email continues to be a critical security risk to the enterprise, according to the latest State of Email Security report from Mimecast.

Notably, in just the first 100 days of 2020, impersonation fraud attempts increased by nearly one-third, which researchers believe is tied to hackers targeting the spike in remote workers amid the COVID-19 crisis.

Mimecast surveyed 1,026 global IT leaders from across all sectors between February and March 2020, and combined the survey results with telemetry gathered from screening 1 billion emails a day. According to researchers, email remains the most popular attack vector among hackers.

The findings mirror an earlier healthcare-specific report from Corvus that found phishing is one of two key attack vectors leveraged by hackers, alongside open ports. Mobile phishing has also increased during the first half of 2020 throughout the crisis, according to Lookout.

Sixty percent of respondents saw an increase in email impersonation fraud attacks, including business email compromise attacks, in the last year, while phishing attacks increased for about 58 percent of respondents.

About 72 percent of those leaders said phishing levels increased or remained the same, compared to 69 percent the previous year, which researchers attributed to phishing becoming harder to stop or prevent as attackers adopt more advanced tactics such as spear-phishing.

Another 60 percent of respondents said their organization faced an attack that spread from one infected user to other employees.

In total, 51 percent of IT leaders experienced a ransomware attack in the last year, and 31 percent suffered data loss as a direct result of not having cyber resilience planning in place. Organizations hit by ransomware experienced three days of downtime, on average.

Further, 82 percent of organizations faced downtime from a cyberattack in the last year, with 85 percent of IT leaders saying they believe the volume of web or email spoofing will remain flat or increase in the next year.

Another 49 percent anticipate an increase in email or web spoofing and brand exploitation in the next 12 months, which researchers said is a rising concern. And 84 percent of respondents said they’re concerned about an email domain, web domain, brand exploitation, or site spoofing attack.

Notably, just one in five organizations (21 percent) provide employees with monthly security training. And another 55 percent fail to provide their employees with any frequent email security training.

Mimecast stressed that “without frequent training to enhance ‘the human firewall,’ organizations are exposing themselves to even greater risk.” Research published in JAMA supports those claims, as researchers found phishing education and training can drastically reduce the risk to healthcare organizations.

“After years of frightening narratives and countless examples, the data points to a broad understanding of the potential risk for email-borne attacks: In other words, sophisticated attacks that arrive inside your environment via the email perimeter,” Mimecast researchers explained.

“In today’s climate, CISOs need to balance economic results against risk,” Malcolm Harkins, Chief Security and Trust Officer of Cymatic, said in a statement. “We need greater accountability from CISOs and vendors, and the C-suite needs to be more involved in cybersecurity investment.”

Indeed, Mimecast found most organizations have a long way to go when it comes to cyber resilience strategies. While 77 percent of respondents said their organization either has or is currently rolling out a cyber resilience strategy, 60 percent believe they’ll face an email-borne attack in the next year.

The lack of those cyber resilience programs will likely cause data loss or a decrease in employee productivity, according to 31 percent of respondents. Another 29 percent said a lack of those plans will spur business downtime.

Fortunately, the healthcare sector received above-average marks for its dedication to network security, with 71 percent of respondents reporting strong implementations of internal email protection and 63 percent employing user awareness training.

Another 73 percent of respondents also utilize web security tools. The numbers are notable, as a 2019 report from Mimecast found the healthcare sector’s email security defenses were lagging behind other industries.

“We’re seeing the same threats that organizations have faced for years playing out with tactics matched to world events to evade detection,” said Joshua Douglas, vice president of threat intelligence for Mimecast. “The increases in remote working due to the global pandemic have only amplified the risks businesses face from these threats, making the need for effective cyber resilience essential.”

“It’s likely that cyber resilience strategies are lacking key elements, or don’t have any at all, depending on the organization’s maturity in cybersecurity,” he added. “Organizations must apply a layered approach to email security, one that consists of attack prevention, security awareness training, roaming web security tied to email efficacy, brand exploitation protection, threat remediation and business continuity.”
