This year’s Email Security Risk Report touches on a range of topics from inbound email security and data loss prevention, including the fallout of successful phishing attacks, how Cybersecurity leaders feel about their secure email gateways (SEGs), and the limitations of traditional SAT programs.
The survey data used for this report was collected from 500 Cybersecurity leaders, including CISOs and CIOs, from companies in various industries including financial services, legal, government, and healthcare, located in the US, UK, and Australia.
Inbound threat statistics
94% of organizations fell victim to phishing attacks
Phishing emails are one of the most common security threats that businesses face. Of the 500 Cybersecurity leaders that we surveyed, 94% stated that the organizations they work for have fallen victim to phishing attacks in the last 12 months. In the 2023 edition of this report, that number was 92%, revealing that most organizations are as vulnerable to inbound attacks as they were a year ago.
79% of account takeover attacks started with a phishing email
Phishing is the most common tactic for credential harvesting and account takeover. These emails will often contain a link to a credential-harvesting site, like this Netflix impersonation campaign we highlighted last year.
Account takeover is understandably one of the top stressors for Cybersecurity leaders. Once threat actors have access to an employee’s account, they use it to move laterally, sell credentials to other cybercriminals, and send phishing emails that are difficult for traditional security to detect, as the threat is coming from a trusted domain.
95% of Cybersecurity leaders admit to feeling ‘stressed’ about email security
Phishing dominated the list of concerns of the surveyed Cybersecurity leaders. Of the biggest concerns from the Cybersecurity leaders, phishing dominated their list of worries. Attacks from compromised supply chain email accounts are the biggest concern for our Cybersecurity leaders (52%), with account takeover (ATO) attacks within their own company coming in second (47%).
61% of Cybersecurity leaders say the use AI in phishing campaigns keeps them awake at night
In 2023, it wasn’t possible to discuss phishing without also mentioning AI. Large language models (LLMs) and generative AI empower cybercriminals to create targeted phishing campaigns and even generate malware. 63% of Cybersecurity leaders are particularly concerned about the use of AI in the generation of deepfakes and a further 61% lose sleep over the use of AI chatbots in creating phishing campaigns.
Outbound threat statistics
91% of organizations experience outbound email security incidents caused by data loss and exfiltration and 94% were adversely affected by them
The negative effects of a data loss incident are varied. Businesses can suffer a loss of clients, reputation damage, litigation, and in more serious cases, have to cease operations altogether. In fact, according to our survey, 58% of organizations had to cease operations following breaches of internal information barriers by email. More organizations are being negatively impacted by security incidents caused by data loss and exfiltration this year than last year. 94% of the organizations surveyed reported being adversely affected, which is an increase of 8% from last year’s report.
90% of Cybersecurity leaders are concerned about the limitations of static email data loss prevention (DLP)
Static DLP has been the industry standard for a long time. Rule-based protection offered by systems like secure email gateways (SEGs) requires IT teams to set up and maintain manual rules to either block or allow emails based on set criteria. Of the security leaders we interviewed, 100% stated that they were frustrated with systems that rely solely on static DLP rules, citing high administrative burden and constant need for manual updates.
87% of Cybersecurity leaders say they are considering replacing their SEG or have already done so
As the email platform of choice for businesses globally, Microsoft 365 has added core functionality to replace existing SEG infrastructure, leading to many industry professionals reallocating their SEG budget to Microsoft’s security as there is significant overlap in the capability offered by integrated cloud email security (ICES) solutions like Egress.
91% of Cybersecurity leaders have doubts about the effectiveness of their traditional SAT programs
Most Cybersecurity leaders have reservations about traditional security awareness training. Some of the most common concerns included that employees were skipping through programs as quickly as possible and that they found them annoying. All the organizations we interviewed carry out SAT, with 88% of them citing compliance requirements as their primary motivation for conducting these programs.
Only 19% of organizations deliver department-based SAT
The level of risk varies from user to user and department to department. The majority of the Cybersecurity leaders we surveyed do not personalize their SAT programs to reflect the department or team that employees work in. The leaders that do account for just 19%, and only 9% personalize training based on the individual.
Personal information is often readily available online and cybercriminals will often do their research before they target a specific individual. Training users to detect these sorts of personal attacks is paramount to keeping your users and data secure.
A new age of cybersecurity
As the only cloud email security platform to continuously assess human risk and dynamically adapt policy controls, Egress Intelligent Email Security prevents advanced phishing threats, data loss, and data exfiltration; provides continuous education using real-time teachable moments; and continually assesses risk to dynamically adapt enforcement. As illustrated by the report, cybercriminals are designing more advanced attacks that are harder to detect than ever. Book a demo with our team of experts today.
To read the full report, download your copy here.