Cyber Risk and the C-Suite in the State of Email Security

Which risks to their business weigh most heavily on corporate leaders? An informal 2022 survey by Forbes sought to answer that question. Despite climate change, inflation and the possibility of another financial crisis, the risk of a data breach topped the list.[1]

A leading think tank puts it this way: “The risk landscape is changing fast. Every day's headlines bring new reminders that the future is on its way, and sometimes it feels like new risks and response strategies are around every corner.” Among the key challenges singled out by Deloitte are the disruptions resulting from emerging technologies and shared risks associated with the networked economy.[2]

This rising consternation over cyber risk among corporate board members and top executives provides the backdrop for Mimecast’s newly released State of Email Security 2023 (SOES 2023) report. Based on interviews with 1,700 CISOs and other information technology professionals from 12 industrial sectors and 13 countries, the report documents the precise nature of these risks and the steps that are being taken to overcome them.

The Cyber Risk Landscape

The cyberthreats that have captured business leaders’ attention are daunting. In 2023:

• Some 33 billion electronic records are expected to be stolen.[3]
• Cybercrime is expected to cost the world $8 trillion. In economic terms, this is greater than the GDP of any country except the U.S. and China.[4]
• Globally, the average cost of a data breach is $4.35 million. The average cost in the U.S. is more than double that, at $9.44 million.[5]
• There was a 13% rise in ransomware in 2022 — an increase as big as the past five years combined.[6] 
• On average, it takes 212 days to detect a data breach and another 75 days to contain it.[7]

Supply chain vulnerabilities, the rise of online collaboration, and the growth of the digital workspace are among the chief reasons the cyber landscape is becoming more treacherous, but for cybercriminals, email remains the primary route of attack. SOES 2023 finds that corporate reliance on email continues to grow and that more email is leading to more email-based threats: To wit, three out of four (76%) SOES respondents say these have risen over the past 12 months.

The growing sophistication of email-borne attacks is an even bigger problem, and well over half (59%) of the 2023 SOES respondents singled this out as their greatest challenge. Three out of four respondents (76%) expect an attack via email will result in serious consequences for their organization in the coming year. Of these, nearly one in 10 (9%) believe that such an attack is “inevitable,” while another four out of 10 consider it “extremely likely.”

Collaboration Tools — Essential but Risky

This was the seventh consecutive year that Mimecast has conducted the SOES survey, and the first edition in which the security of collaboration tools is explored in depth. While acknowledged as an imperative for conducting business in the post-COVID era, collaboration tools are also widely regarded as risky. Three-quarters (72%) of CISOs think their organization will be damaged by a collaboration-tool-based attack, and 75% believe that the new threats posed by collaboration tools urgently need to be addressed. 

There was also near universal agreement (94%) that the native security provided by Google Workspace and Microsoft 365 application suites is insufficient and that additional, layered protections are needed.

Cybersecurity Budgets Remain Underfunded

Despite the growing concern in the C-suite and boardroom over the threat posed by cybercrime, cybersecurity budgets are still falling short of the demand for greater cyber preparedness. Two-thirds (66%) of the 2023 respondents said their organization’s cybersecurity budget is less than it should be — roughly unchanged from the year before. The underfunding, however, is relatively modest — slightly less than 8% on average, according to survey participants.

The picture becomes more promising when viewed in terms of the cybersecurity systems that companies have deployed. Virtually all the SOES participants (98%) have already deployed, are in the process of deploying, or are actively planning to deploy systems to monitor and protect against email-borne attacks.

Moreover, many are taking advantage of artificial intelligence (AI) and machine learning (ML) to help their underfunded teams stay ahead of the curve. Nearly half of the companies interviewed (49%) are already using some combination of these technologies, and most of the rest (43% of the total) are planning to do so. Among the organizations currently making use of AI/ML, the three biggest benefits are viewed as more accurate threat detection (50%), an improved ability to block threats (49%), and faster remediation when an attack has occurred (48%).

The Bottom Line

While many challenges persist and funding shortfalls remain an issue, CISOs and their fellow cybersecurity professionals now command the attention of their corporate leadership. For years, CISOs fought to get their boards to take cybersecurity more seriously. Now that they’ve succeeded, the opportunity for them to present cyber risks as urgent business risks that must be addressed has never been greater. For the complete breakdown of those risks, read Mimecast’s State of Email Security 2023 report.

[1] “The 10 Biggest Risks and Threats for Businesses in 2022,” Forbes

[2] “The future of risk,” Deloitte

[3] “Cybersecurity Breaches to Result in Over 146 Billion Records Being Stolen by 2023,” Juniper Research

[4] “Cybercrime to Cost the World 8 Trillion Annually in 2023,” Cybercrime Magazine

[5] “Cost of a data breach 2022,” IBM

[6] “Data Breach Investigations Report 2022,” Verizon

[7] “Blumira’s 2022 State of Detection and Response,” Blumira