Mimecast's 2018 "State of Email Security" report is out, and although it's contents are hardly a surprise, the news it contains is mostly bad.
For starters, it confirms what most IT professionals already know:
Email continues to be a big threat for organizations of all sizes.
Unfortunately, the C-Suite (CEO's, CIO's, CFO's, and the like) are a major part of the problem, representing a significant weak link in Enterprise security. Not only are they a prime target for hackers, but according to the survey, 40 percent of respondents agreed that their organization's CEO was a painfully "weak link" in their organization's cyber-security operations.
Just as alarming, 31 percent of respondents said that C-level employees are very likely to have accidentally sent sensitive or proprietary information to the wrong person, a statistic up 9 percent from last year.
In addition to that, email is the primary means by which ransomware winds up getting inside company networks. This comes with a staggering 92 percent of successful ransomware attacks arriving via that channel, resulting in three or more days of downtime for the impacted companies.
Phishing attacks also continue to be a major issue, with 90 percent of respondents reporting an increase in the number of phishing attacks they were subjected to.
In light of these statistics, one would imagine that companies would be devoting significant resources to countering the threat. Unfortunately, that's just not happening. Sure, money is being spent on infrastructure, but humans are the weakest link in this chain, and not just in the C-Suite. According to the survey, only 11 percent of organizations continuously train their employees on how to spot cyberattacks, and just over half (52 percent) perform training just once a year.
Matthew Gardiner, a cyber-resilience expert at Mimecast, summarizes it this way:
"Security awareness is an important part of any high-functioning security program. But like all security controls, there is no silver bullet solution. The best security programs seek a balance between technical controls, boosting their human firewalls, and having IT enabled business processes that are resilient to failures, whether man-made or caused by technology."