- Email security risks remain high with 94% of organizations experiencing incidents in the past 12 months.
- 96% of organizations that experienced phishing attacks were negatively impacted, up from 86% last year.
- Most cybersecurity leaders are stressed about email security, and 61% are kept awake at night by the use of AI in phishing.
- Alarmingly, data loss and exfiltration incidents were experienced by 91% of respondents.
January 16, 2023 – London, UK – Leading cybersecurity company Egress today releases its second Email Security Risk Report. The report lays bare the attitudes and approaches to email security, the evolution of risks, and the impact of incidents. In the 2024 Email Security Risk Report, alongside expert commentary, a comparison with 2023’s results offers insight into how 500 cybersecurity leaders view the threat landscape, including how they remain vulnerable to both inbound phishing attacks and outbound data loss and exfiltration, and how they continue to question the effectiveness of traditional approaches to email security.
The report contains new data on phishing attacks, data loss prevention, and concerns about technical defenses’ ability to detect and prevent advanced threats within Microsoft 365 environments.
Jack Chapman, VP of Threat Intelligence at Egress, comments:
“The 2024 Email Security Risk Report is an essential read for all cybersecurity professionals and ultimately a tool to help teams assess their inbound and outbound defenses.
“What has been staggering is the emergence of trends alongside the 2023 edition of the Email Security Risk Report; for example, 94% of respondents fell victim to phishing attacks, up 2% from the previous year. Organizations continue to face vulnerabilities when it comes to advanced phishing attacks, human error, and data exfiltration, and analyzing emerging trends will be key to bolstering defenses.
“The report also highlights how Cybersecurity leaders know that they’re vulnerable when it comes to phishing attacks. 58% of organizations have experienced account takeover incidents in the last 12 months, and 79% of these started with a phishing email that harvested an employee’s credentials, so it’s no wonder that phishing attacks and compromised accounts are causing concern for our Cybersecurity leaders.
“The use of AI by cybercriminals is also at the front of our leaders’ minds, and rightly so. While it’s currently impossible to actually prove chatbots are being used to create phishing attacks, cybercriminals generally take every advantage they can get. Organizations can’t afford to be left behind but must ensure their defenses keep pace with cybercriminals’ methodology and the resulting attacks.
“The stats in this latest report are truly staggering; 94% of companies have experienced security incidents in the last 12 months, and 95% of cybersecurity leaders are stressed about email security. Organizations urgently need to adapt their approach, or risk finding themselves in the same position next year.”
Email Security Risk Remains High
The Egress Email Security Risk Report 2024 has revealed that 94% of respondents fell victim to phishing attacks, up 2% from the previous year. Inbound email incidents primarily took the form of malicious URLs, attacks sent from a compromised account, and malware or ransomware attachments.
Looking towards outbound email incidents, 91% of organizations experienced data loss and exfiltration due to reckless behavior to ‘get the job done’, human error, or malicious exfiltration, amongst other contributing factors.
- 94% of organizations were victims of phishing attacks
- 96% of organizations were negatively impacted by phishing attacks
- 94% of organizations were negatively impacted by outbound email security incidents
- 79% of organizations were victims of account takeover attacks which started with a phishing email
- 61% of cybersecurity leaders say the use of chatbots in phishing keeps them awake at night
Employees face the consequences for email security incidents
The impact of an email security incident can be severe for employees and their organizations. 96% of surveyed organizations experienced negative impacts from phishing attacks, a jump of 10% versus last year’s report (when the number sat at 86%). Findings from the Email Security Risk Report show that leaders are taking a tough stance with employees caught by phishing attacks: negative outcomes for the people involved occurred in 74% of companies. In particular, the report revealed how organizations responded, with:
- 51% of employees caught in phishing attacks disciplined
- 39% of employees caught in phishing attacks fired
- 27% of employees caught in phishing attacks voluntarily leaving their roles
Looking at outbound threats, a similar picture emerges, with 94% of the surveyed organizations reporting being adversely affected, an increase of 8% from last year’s report. In outbound email incidents, 67% of people were disciplined, let go, or chose to leave the organization. Employees being disciplined was the most common outcome, seen in 51% of organizations.
It is evident from the report’s data that email security incidents continue to have far-reaching impacts for organizations, with financial loss from customer churn and reputational damage topping the organizational costs in both inbound and outbound incidents. Organizations should provide their teams with the right technology to detect advanced threats, and with security awareness training (SAT) programs that genuinely increase their understanding of real threats going forward.
AI is a growing concern for cyber risk
AI continues to be one of the industry’s biggest talking points, and our cybersecurity leaders are savvy to the effect new tools, large language models, and generative AI could have on phishing attacks. 63% are being kept awake at night by deepfakes, and 61% by AI chatbots being utilized to create efficient phishing campaigns. This trend is expected to continue into 2024 and beyond, with organizations being encouraged to continuously review their defenses.
Through stolen Microsoft credentials, threat actors can gain access to the kingdom
Microsoft credentials are synonymous with being ‘the keys to the kingdom’, giving cybercriminals the power to move laterally across systems and networks to exfiltrate data and access email accounts to target customers and suppliers with further attacks.
Findings from the report show that account takeover attacks (ATOs) are a significant concern for Cybersecurity leaders as 58% of organizations experienced account takeover incidents. Of these:
- 79% began with a phishing email harvesting an employee's credentials
- 83% saw multi-factor authentication bypassed before proceeding with the account takeover
Additionally, over half (51%) of organizations fell victim to phishing attacks sent from compromised accounts within their supply chain in the last 12 months. Utilizing a trusted domain helps attacks get through traditional perimeter defenses, and people are less suspicious of emails sent from addresses they recognize. Cybersecurity leaders are well aware of their vulnerability, with supply chain compromise and ATO their top sources of stress.
Cybersecurity leaders question the value of their SEGs
Many of the email security features Microsoft 365 offers overlap with the functionality available in secure email gateways (SEGs), leaving organizations to question their tech stack. Of those who use a SEG, 91% expressed frustration with it, and 87% are considering replacing their SEG or have already done so. As organizations adopt native controls in favor of SEGs, they are still left vulnerable to the advanced phishing attacks that can bypass signature-based and reputation-based detection, as well as to the employee behaviors that lead to outbound incidents, such as human error.
Combining Microsoft's controls and integrated cloud email security (ICES) solutions covers the full spectrum of inbound and outbound email security incidents, so it's little surprise that a large portion of organizations are weighing up their options.
Training is considered a checkbox requirement
According to the findings from the report, email security risks remain a top concern for organizations with 94% having experienced security incidents over the past year. Despite this, according to the majority of respondents, training is provided only to meet compliance requirements with 88% acknowledging that they are doing SAT for compliance purposes.
If training is engaging, delivered in bite-size modules, and relevant to the employee’s tasks, it should be an enriching activity with real-time teachable moments throughout the workday. However, cybersecurity leaders are currently worried that employees skip through training as quickly as possible and find it annoying.
With this in mind, it is no wonder that 91% of cybersecurity leaders have doubts about the effectiveness of traditional training, and tailoring training to teams or individuals is not commonly offered:
- Only 19% of organizations deliver SAT that reflects the department or team that employees work in
- Just 9% of organizations tailor training to the individual employee
The ramifications of this are significant for both employees and their organizations, as quality learning can turn a company’s biggest risk into one of its strongest defenses – its people.