The State of Email Security, a report published by Mimecast, detailed “how enterprises faced cybersecurity risk in 2020 from increasing attack volume, the pandemic-driven digital transformation of work, and generally deficient cyber preparedness and training.”
The fifth annual report is “based on a global survey of 1,225 information technology and cybersecurity leaders, and supported by Mimecast’s Threat Centre data, which screens more than one billion emails per day.”
Ransomware looms large
79% of respondents indicated their companies had experienced a business disruption, financial loss, or other setback in 2020 “due to a lack of cyber preparedness”. Respondents identified ransomware as the chief culprit behind these disruptions.
Other insights include:
• 61% reported they had been impacted by ransomware in 2020, a 20% increase over the number of companies reporting such disruption
• Companies impacted by ransomware lost an average of six working days to system downtime, with 37% saying downtime lasted one week or more
• More than half (52%) of ransomware victims paid the threat actors' ransom demands, but only two-thirds (66%) of those were able to recover their data. The remaining one-third (34%) never saw their data again, despite paying the ransom.
Threat actors exploit the pandemic
Ransomware was not the only threat for organisations in 2020. The report also revealed additional threat trends, including:
• A 64% year-over-year increase in threat volume.
• An increase in email usage in eight out of 10 companies.
• 47% of survey respondents noted they saw an increase in email spoofing activity.
• 71% said they are concerned about the risks posed by archived conversations from collaboration tools.
All of these can be attributed to the pandemic: work-from-home increased email and collaboration tool usage, and threat actors sought to capitalise on the new “digital office” with massive waves of COVID-19-related social engineering attacks.
Cyber preparedness is lacking
Despite facing an elevated threat volume, the report “found that companies aren’t doing well in the area of threat prevention.” In addition to the 79% of respondents who indicated a lack of cyber preparedness, other findings include:
• 40% of those surveyed said their organisations fall short in one or more critical areas of email security systems, leaving employees open to phishing, malware, business email compromise, and other attacks.
• 43% said that employee naiveté about cybersecurity is one of their greatest vulnerabilities, and yet only one in five respondents indicated they have ongoing (more than once per month) security awareness training in place.
Given these findings, it is not surprising that 70% of survey respondents believe their business will be harmed by email attacks in the next year. In 2020, only 59% of respondents said they felt this way.