Most businesses unprepared for email-based attacks

Dedicated spending, executive interest and a proactive attitude lead to improved cybersecurity


How prepared are you to deal with cyber threats? Is your organization’s email security sophisticated enough to detect and deflect the best spear-phishing or whaling attacks? Do you feel confident you are safe—or as safe as you can be?

[Image: Orlando Scott-Cowley, Mimecast]

The answers to these questions often are torn between your perceptions of security and the reality of it. This gap between the two exposes some major vulnerabilities, ranging from how much of an impact past experience with email attacks has on your future preparedness to whether or not you’re spending enough to make your organization safer.

We recently polled 600 IT security professionals across four countries about how they felt about their email security preparedness. Those responses, assembled in Mimecast’s Business Email Threat Report, identified the gaps between how prepared they think their companies are against email threats, and how prepared they actually are.

Armed with this insight, we identified five main security “personas” of IT security pros—characterizations of the different levels of email security preparedness from which we can all learn.

The personas

  • The Vigilant: This is less than one-fifth of IT security professionals. They demonstrate a high confidence in their ability to handle or defend against cyber threats, despite no experience with email hacks or data breaches.
  • The Equipped Veterans: Approximately one-fifth of IT security professionals—they are confident in their cybersecurity and have dealt with attacks in the past.
  • The Apprehensive: About one-third of IT security professionals—they have no experience with data breaches or hacks and do not feel confident in their level of preparedness.
  • The Nervous: Less than one-tenth of IT security professionals—they feel completely ill equipped to cope with the cyber threat.
  • The Battle-Scarred: Just over one-quarter of IT security professionals—they have experienced a history of data breaches or email hacks, but still feel unprepared to defend themselves against attacks in the future.

But, what determines which persona may define your organization? What makes one Vigilant, another an Equipped Veteran and a third Apprehensive?

Our report makes it clear that there are three specific factors that determine this: email security budget, engagement from the C-suite, and an overall attitude toward security.

The IT teams that had 50 percent higher budgets for email security were notably more confident in their level of preparedness than those with smaller budgets. Similarly, the Equipped Veterans and the Vigilant felt most confident about their security and had the highest levels of engagement from their executives (89 percent and 84 percent, respectively). The less-confident personas—the Battle-Scarred, Apprehensive and Nervous—all demonstrated significantly lower levels of C-suite involvement when it came to email security (49, 36 and 18 percent, respectively).

But, let’s be honest: Is it really any surprise that the companies with bigger email security budgets, and a boardroom that’s more invested in email security, end up feeling more confident than those with smaller budgets and minimal C-suite engagement?

There’s a deeper human factor at play in how confident you are, and how prepared you are, for managing email-based threats—namely, attitude. Ask yourself: are you in the right frame of mind to address or solve the problem? Are you too distracted by other matters that have kept you from even thinking about email security? Or, do you not take the threats seriously enough? Maybe you even dismiss them out of hand?

The Apprehensive and Nervous specifically need to make an adjustment, if they want to change to one of the more confident personas. Taking a more proactive attitude toward email security requires:

A two-pronged approach

Step one: Recognize that there is an issue, specifically that email-based attacks—and a lack of adequate security to stop them—represent a serious threat to your business.

Step two: Recognize that you may be enabling the problem in the first step by preventing yourself from taking the necessary steps to correct it. In other words, by taking a defeatist approach toward email security, you can set yourself up for attacks down the road.

Taking these two initial steps will open up honest discussions about security preparedness with executives, drive their engagement and lead to improved or well-spent budgets—all key factors for security success.

So, what next? A few moments of introspection could be the best security investment you make this year. Don’t automatically assume you’re in the most prepared group, because there’s a 65 percent chance you aren’t. Don’t be afraid to look at your infrastructure and make a change, internally or externally.
