Email Threats Increase; Most Vulnerable: Those With Financial Access
The payoff for scammers could be larger when executives fall for a social engineering attack.
Those are among the findings presented in a global research report about the current state of email security from Campbell, Calif.-based Barracuda Networks, Inc., a provider of cloud-enabled security and data protection solutions. The survey included responses from 634 executives, individual contributors and team managers serving in IT-security roles in the Americas, EMEA and APAC in financial services, technology, education, healthcare, manufacturing, government, telecommunication, retail and other industries.
Overall, the study indicated that email threats continue to increase and the effects on staff and productivity are escalating. Ransomware is a concern, with more than a third having already experienced an attack.
“There’s no consensus about the type of employee most likely to fall for an attack,” the report confirmed. The report revealed criminals are potentially balancing their attacks and not necessarily targeting any type of employee. “Email attacks are a numbers game; the more attempts made, the more likely someone will fall for one – and there are a lot more individual contributors available to attack than executives.”
However, the payoff could be larger when executives fall for a social-engineering attack, due to the availability and quantity of sensitive information they have access to, which explains the increasing popularity of spear phishing and whaling.
The report claimed, “While frontline staff has less access to sensitive data, they are also less aware of the risks and impacts related to mistakes they can make, perhaps making them easier targets. Criminals are operating their scams like businesses, making risk-versus-reward decisions every day. They are continually experimenting to figure out what works and what doesn’t.”
When asked “Which department’s employees do you think are most vulnerable to falling for an email attack, such as phishing?” respondents viewed finance employees as the most vulnerable (24%) considering their access to the crown jewels, including bank account information, wire transfer numbers and other valuable business information.
On the protection side, respondents identified phishing simulation and social-engineering detection as the most beneficial email-security training capabilities. A multi-layered approach is critical in successfully protecting targeted employees, applications, and data.
Key findings included:
- Eighty-seven percent of IT security professionals said their company faced an attempted email-based security threat in the past year.
- The threat of ransomware is a concern for 88%.
- More than 90% said email archiving is critical, citing a variety of business benefits. Maintaining an audit trail for compliance purposes, investigating suspicious activity and cutting costs for e-discovery requests were the top reasons.
- Larger businesses are more concerned about Office 365 email security; smaller businesses are less concerned. While the differences are minor, this could be because larger companies have more data at risk in Office 365, due to having broader deployments rolled out that include SharePoint, OneDrive and other applications.
Almost all said there are better ways to train employees than traditional classroom-style education, including customized examples relevant to an employee’s department and role, unscheduled simulations of typical attacks, training modules presented at the employee’s convenience, and rewards for taking the right actions.