Most businesses unprepared for email-based attacks
Dedicated spending, executive interest and a proactive attitude lead to improved cybersecurity
By Orlando Scott-Cowley, Special to ThirdCertainty
How prepared are you to deal with cyber threats? Is your organization’s email security sophisticated enough to detect and deflect the best spear-phishing or whaling attacks? Do you feel confident you are safe—or as safe as you can be?
The answers to these questions often are torn between your perceptions of security and the reality of it. This gap between the two exposes some major vulnerabilities, ranging from how much of an impact past experience with email attacks has on your future preparedness to whether or not you’re spending enough to make your organization safer.
We recently polled 600 IT security professionals across four countries about how they felt about their email security preparedness. Those responses, assembled in Mimecast’s Business Email Threat Report, identified the gaps between how prepared they think their companies are against email threats, and how prepared they actually are.
Armed with this insight, we identified five main security “personas” of IT security pros—characterizations of the different levels of email security preparedness from which we can all learn.
- The Vigilant: This is less than one-fifth of IT security professionals. They demonstrate a high confidence in their ability to handle or defend against cyber threats, despite no experience with email hacks or data breaches.
- The Equipped Veterans: Approximately one-fifth of IT security professionals—they are confident in their cybersecurity and have dealt with attacks in the past.
- The Apprehensive: About one-third of IT security professionals—they have no experience with data breaches or hacks and do not feel confident in their level of preparedness.
- The Nervous: Less than one-tenth of IT security professionals—they feel completely ill-equipped to cope with the cyber threat.
- The Battle-Scarred: Just over one-quarter of IT security professionals—they have experienced a history of data breaches or email hacks, but still feel unprepared to defend themselves against attacks in the future.
But, what determines which persona may define your organization? What makes one Vigilant, another an Equipped Veteran and a third Apprehensive?
Our report makes it clear that there are three specific factors that determine this: email security budget, engagement from the C-suite, and an overall attitude toward security.
The IT teams that had 50 percent higher budgets for email security were notably more confident in their level of preparedness than those with smaller budgets. Similarly, the Equipped Veterans and the Vigilant felt most confident about their security and had the highest levels of engagement from their executives (89 percent and 84 percent, respectively). The less-confident personas—the Battle-Scarred, Apprehensive and Nervous—all demonstrated significantly lower levels of C-suite involvement when it came to email security (49, 36 and 18 percent, respectively).
But, let’s be honest: Is it really any surprise that the companies with bigger email security budgets, and a boardroom that’s more invested in email security, end up feeling more confident than those with smaller budgets and minimal C-suite engagement?
There’s a deeper human factor at play in how confident you are, and how prepared you are, for managing email-based threats—namely, attitude. Ask yourself: Are you in the right frame of mind to address or solve the problem? Are you too distracted by other matters that have kept you from even thinking about email security? Or, do you not take the threats seriously enough? Maybe you even dismiss them out of hand?
The Apprehensive and Nervous specifically need to make an adjustment, if they want to change to one of the more confident personas. Taking a more proactive attitude toward email security requires:
A two-pronged approach
Step one: Recognize that there is an issue, specifically that email-based attacks—and a lack of adequate security to stop them—represent a serious threat to your business.
Step two: Recognize that you may be enabling the problem in the first step by preventing yourself from taking the necessary steps to correct it. In other words, by taking a defeatist approach toward email security, you can set yourself up for attacks down the road.
Taking these two initial steps will open up honest discussions about security preparedness with executives, drive their engagement and lead to improved or well-spent budgets—all key factors for security success.
So, what next? A few moments of introspection could be the best security investment you make this year. Don’t automatically assume you’re in the most prepared group, because there’s a 65 percent chance you aren’t. Don’t be afraid to look at your infrastructure and make a change, internally or externally.